Basavaraj Lamani

Reputation: 255

How to send sensitive data to docker container during run time

I am trying to containerise an API automation repo to run it on CI/CD (GoCD). Below is the Dockerfile content.

FROM alpine:latest

RUN apk add --no-cache python3 \
    && pip3 install --upgrade pip

WORKDIR /api-automation

COPY . /api-automation

RUN pip --no-cache-dir install .

COPY api_tests.conf /usr/.ops/config/api_tests.conf

ENTRYPOINT ["pytest", "-s", "-v", "--cache-clear", "--html=report.html"]

Below is the content of api_tests.conf configuration file.

[user]
username=<user_name>
apikey=<api_key>

[tokens]
token1=<token1>

api_tests.conf is the configuration file, and it has sensitive data like API keys, tokens, etc. (Note: the configuration file is not encrypted.) Currently I am copying this config from the repo to the following location in the container, /usr/.ops/config/api_tests.conf, but I do not want to do this as there are security concerns. So how can I copy this api_tests.conf file when I run the container from the CI/CD machine? (That is, I need to remove the instruction COPY api_tests.conf /usr/.ops/config/api_tests.conf from the Dockerfile.)

My second question is: if I create a secret file using the command docker secret create my_secret file_path, how can I copy this secret api_tests.conf file when I run the container?

Note: Once the api_tests.conf file is copied to the container, I need to run the command "pytest -s -v --cache-clear --html=report.html"

Please provide your inputs.

Upvotes: 0

Views: 1038

Answers (1)

mchawre

Reputation: 12228

If you want to avoid putting the line COPY api_tests.conf /usr/.ops/config/api_tests.conf in the Dockerfile, then use the -v option of the docker run command, which mounts a file/dir from the host into the container filesystem.

docker run -itd -v /Users/basavarajlamani/Documents/api_tests.conf:/usr/.ops/config/api_tests.conf image-name

If you want to use docker secret to copy the config file:

  • Make sure you're using docker swarm, since docker secret works with the swarm orchestrator.
  • Create a docker secret with the contents of the config file: docker secret create api_test.conf /Users/basavarajlamani/Documents/api_tests.conf
  • docker secret ls will show the created secret.
  • Run your docker container as a service in swarm:
docker service create \
     --name myservice \
     --secret source=api_test.conf,target=/usr/.ops/config/api_tests.conf \
     image-name

NOTE: You can also use docker config rather than docker secret, the only difference is they are not encrypted at rest and are mounted directly into the container’s filesystem.

Hope it helps.

Upvotes: 2
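On the consuming side, the test suite can refuse to start when the config was not supplied at run time or still holds the template placeholders from the question. This is an added example, not code from the question or the answer; the function names, the ConfigError type and the fallback path /run/secrets/api_test.conf (Docker's default location for a secret named api_test.conf when no target is given) are assumptions.

```python
import configparser
import os
import stat
import tempfile

# Target path from the page, then Docker's default /run/secrets/<name> location.
CANDIDATE_PATHS = ("/usr/.ops/config/api_tests.conf", "/run/secrets/api_test.conf")
REQUIRED = {"user": ("username", "apikey"), "tokens": ("token1",)}


class ConfigError(RuntimeError):
    """The runtime-supplied config is absent, unsafe, or still a template."""


def find_config(paths=CANDIDATE_PATHS):
    """Return the first candidate that exists as a regular file."""
    for path in paths:
        if os.path.isfile(path):
            return path
    raise ConfigError("no config mounted; start the container with -v or --secret")


def load_api_config(path):
    """Parse the file; fail fast on missing keys or <placeholder> values."""
    if os.stat(path).st_mode & stat.S_IWOTH:
        raise ConfigError(f"{path} is world-writable")
    parser = configparser.ConfigParser(interpolation=None)  # keys may contain '%'
    parser.read(path)
    values = {}
    for section, keys in REQUIRED.items():
        for key in keys:
            value = parser.get(section, key, fallback="").strip()
            if not value or (value.startswith("<") and value.endswith(">")):
                raise ConfigError(f"[{section}] {key} is missing or a placeholder")
            values[f"{section}.{key}"] = value
    return values


def redact(values):
    """Copy that is safe to print in CI logs: key names kept, values hidden."""
    return {name: "***" for name in values}


if __name__ == "__main__":
    # Constructed sample values in a temp file standing in for the mounted config.
    with tempfile.NamedTemporaryFile("w", suffix=".conf") as f:
        f.write("[user]\nusername=ci-bot\napikey=k%1\n[tokens]\ntoken1=t1\n")
        f.flush()
        print(redact(load_api_config(find_config((f.name,)))))
```

Calling find_config() and load_api_config() from a session-scoped pytest fixture makes a run without the mount or secret fail before any API request is sent, and redact() keeps the values out of the HTML report and CI logs.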
