CODEWITHSUNDEEP
dockermaven
Swastik Gupta
Swastik Gupta

Reputation: 189

Build a Docker Image with a Maven settings.xml in it - Is it a Bad Practice?

We have this use case where we want to run acceptance tests on our application with maven. For this we are looking into building our docker image with maven settings.xml copied into it. Obviously, the settings xml contains sensitive data about connection to remote artefact repos etc. I am in a dilemma, whether we should copy it in the docker image, or is it a bad practice and we should be looking into other ways to achieve this.

Edit - Another point, our docker images are pushed to private registries which are accessible only to authorised users

Upvotes: 0

Views: 3018

Answers (2)

David Kranitz
David Kranitz

Reputation: 41

You could use docker secret to pass variables to your settings.xml

enable secret by enablind buildkit in /etc/docker/daemon.json

    {
      "features": {
        "buildkit": true
      }
    }

create a settings.xml in your Dockerfile like this :

COPY <<-EOT /root/.m2/settings.xml
   <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 
http://maven.apache.org/xsd/settings-1.0.0.xsd">
        <servers>
            <server>
                <id>ID</id>
                <username>\${username}</username>
                <password>\${password}</password>
            </server>
        </servers>
        
    </settings>
    EOT

Then you can use this RUN line to use secret

    RUN --mount=type=secret,id=my_env source /run/secrets/my_env \
      && mvn clean install -Dusername=${USERNAME} -Dpassword=${PASSWORD}

Build your DockerFile like this :

    docker build -t test --secret id=my_env,src=.env .

Store your secret in a file named .env like this in your Dockerfile folder :

USERNAME=toto
PASSWORD=toto

The secret is read in the RUN line then it is destroyed.

Upvotes: 0

David Maze
David Maze

Reputation: 159830

There's absolutely no security around the contents of a Docker image. Anyone who gets the image can trivially read its docker history and read or copy arbitrary files out of the image.

As such I'd try very hard to keep credentials out of my Docker image build process entirely. If the settings.xml file has usernames and passwords in it, it's much better to find a different way to do the setup required. Similarly, adding an ssh private key, AWS credentials, or a GitHub access token to an image will compromise those credentials.

If the settings.xml file only contains internal hostnames (but not credentials), or if the password is intentionally bad, it's a question of how much risk you're willing to tolerate. If you have a URL like http://build:[email protected] where that internal hostname isn't externally accessible, you could argue that's "enough" security given the very guessable username and password and you don't need to go out of your way to hide it, especially if you think you can trust your end users.

Upvotes: 1

Related Questions