Summary: Secrets: write-up best practices, do's and don'ts, roadmap · Issue #13490 · moby/moby · GitHub (github.com)
4,622 words · html page
One Line
The text explores the challenges and uncertainties of managing secrets in Docker, particularly through volume recreation during build steps.
Key Points
- Docker discourages using features that are insecure or were not designed for handling secrets.
- Some people store secrets by leveraging the fact that volumes are re-created for each build step.
- The effectiveness of storing secrets in volumes is uncertain.
- The author suggests that the security maintainers should provide guidance on handling secrets in Docker.
- Build-time secrets are now possible when using BuildKit as the builder.
- One commenter seeks feedback on their approach to handling secrets, which uses "unplugged" shared volumes to protect sensitive data.
Summaries
26 word summary
The excerpt discusses handling secrets in Docker, including limitations and concerns. Storing secrets through volume recreation during build steps is mentioned, but its effectiveness is uncertain.
47 word summary
The excerpt discusses the handling of secrets in Docker and the current limitations and concerns with existing features. It mentions that some people have found ways to store secrets by leveraging volume recreation during build steps, but the effectiveness of this method is uncertain. The author suggests
258 word summary
Handling secrets in Docker is a recurring topic, with many pull requests being hijacked by people wanting to use specific features for handling secrets. Currently, Docker discourages the use of these features because they are insecure or not designed for handling secrets. However
Some people have found ways to store secrets by taking advantage of the fact that volumes are re-created for each build step, but the effectiveness of this method is uncertain. Alternatively, containers can be manually built without using a Dockerfile and the results can be
In this excerpt from a GitHub issue, the author discusses the importance of considering different situations for run-time secrets and build-time secrets. They mention that they are not a security expert and suggest that the security maintainers should provide guidance on this topic. Another
The excerpted text discusses various aspects of using secrets in Docker image building and deployment. The first part of the text highlights the need for secrets during the image building process, such as passing an SSH key for source code checkout from a private GitHub repository.
Build-time secrets are now possible when using BuildKit as the builder, as mentioned by thaJeztah on Sep 17, 2020. The RUN --mount option used for secrets will soon become part of the default Dockerfile syntax. Users
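The BuildKit mechanism that the Sep 2020 comment refers to, as an added example that is not part of the issue or of moby's own code: a Dockerfile that uses `RUN --mount=type=ssh` for the private-repository checkout mentioned earlier in the thread and `RUN --mount=type=secret` for an API token. The repository name, hostname, secret id and file names are assumptions for illustration. The `# syntax=docker/dockerfile:1` line selects the current stable Dockerfile frontend; at the time of the comment the `experimental` frontend was needed for `--mount`, which became part of the stable syntax in docker/dockerfile:1.2.

```dockerfile
# syntax=docker/dockerfile:1
#
# Added example: BuildKit build-time secrets. Names below (example-org/private-lib,
# api.example.com, the api_token id and token.txt) are assumptions for illustration.
#
# Build with BuildKit, passing the secret file and the host's ssh-agent socket
# (the agent must be running on the host with the deploy key loaded):
#   DOCKER_BUILDKIT=1 docker build \
#       --secret id=api_token,src=./token.txt \
#       --ssh default \
#       -t example-app .

FROM alpine:3.19

RUN apk add --no-cache git openssh-client curl ca-certificates

# Pre-seed known_hosts so the clone does not prompt. For a real build, pin the
# host key from a trusted source instead of trusting whatever ssh-keyscan returns.
RUN mkdir -p -m 0700 /root/.ssh && ssh-keyscan github.com >> /root/.ssh/known_hosts

# type=ssh forwards the agent socket into this step only; the private key never
# enters the build context, the build container, or any image layer.
RUN --mount=type=ssh \
    git clone --depth 1 git@github.com:example-org/private-lib.git /src/private-lib

# type=secret mounts ./token.txt at /run/secrets/api_token for this step only.
# Read it straight into the request; never write it to a file that stays in the layer.
RUN --mount=type=secret,id=api_token,required=true \
    curl -fsSL \
      -H "Authorization: Bearer $(cat /run/secrets/api_token)" \
      https://api.example.com/v1/config.json -o /src/config.json

# Anti-pattern, shown for contrast (leave commented out): an ARG value is recorded
# in image metadata and appears in `docker history`; an ENV value persists into
# every container started from the image.
# ARG API_TOKEN
# RUN curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/v1/config.json

# Verification after the build (run on the host):
#   docker history --no-trunc example-app | grep api_token   # only the mount directive, no token value
#   docker run --rm example-app ls -la /run/secrets          # fails: the mount existed only during that RUN step
```

Two caveats a practitioner should keep in mind. The mount protects the secret from the image, not from the build step itself: if the step copies the value into a config file, a shell history, or a log that lands in the layer, it is persisted just as with `ARG`. And the secret still lives on the build host (`./token.txt`) and in the BuildKit daemon's memory for the duration of the step, so host hygiene and build-host access control remain part of the threat model.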
The author is seeking feedback on their approach to handling secrets in containers. They mention that their approach involves "unplugged" shared volumes to ensure that no sensitive data is left on the host or in the container after it is built and the service starts