
I can successfully run a prebuilt image via docker-compose and pass environment variables from HashiCorp Vault (like passwords or other sensitive values) into Docker. All works fine. It is all done by curling Vault, exporting the values as environment variables, then passing them into the YAML before calling docker-compose. No passwords or other data are stored on the host or in files. But when I do docker inspect I can see all the ENVs.

I also tried a .env file, but I still see the envs outside Docker (strange, since the Docker docs say that I shouldn't see envs defined in the .env file).

Is there a way to hide these values from inspect? I cannot use swarm or modify the image.

Oleg
  • Are you passing these as `ARG`s into a Dockerfile (which is insecure, anyone who gets the image can read it) or as Compose `environment:` settings? Deploy-time `environment:` settings are a reasonable compromise, since if you can run `docker inspect` you can also `docker run` a container to take over the whole host. – David Maze Jan 26 '22 at 15:01
  • No, I do not build the image through a Dockerfile, I run an already built image via docker-compose. Thus docker-compose.yaml contains environment: - TEST='VALUE' or - TEST=$KEY (where $KEY comes from the environment) or env_file: - ./.env – Oleg Jan 27 '22 at 06:07

1 Answer


The setup you have now is probably acceptably secure. There's no way to hide or redact data from docker inspect, but anyone who's capable of running docker inspect can do a lot more damage if they're motivated.

The first rule of Docker security is that anyone who can run any docker command at all can root the entire host. Docker doesn't have an internal permission system; the only security control is usually the permissions on the docker.sock file. So if you can docker inspect the container, you can run any docker command; which means you can start a container; which means you can bind-mount any part of the host filesystem and get an interactive shell as root.

# Anyone who can
docker inspect the-container | grep PASSWORD

# could also
docker run --rm -v /opt/app:/opt/app -u root busybox \
  cat /opt/app/docker-compose.yml
# to read the Compose file

# or, for that matter
docker run --rm -v /:/host -u root busybox \
  vi /host/etc/shadow
# to reset host root's password and the system is theirs

There's an argument that passwords shouldn't be put in environment variables at all, independent of Docker. If you subscribe to this approach, and bind-mount the configuration files into containers, then they won't be visible to docker inspect (but you could still docker exec into the container to read them, among other paths).

Arguably the "best" approach is to have the container be able to connect to some sort of external secret storage at startup time to retrieve the credentials it needs, but this is a significant setup change in your application, and it still needs some way to authenticate to that secret storage.

David Maze
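The answer's alternative to `environment:` is to bind-mount the secret into the container and have the process read it at startup. The following entrypoint helper is an added example, not code from the answer or from Docker or Compose; the secret path `/run/secrets/db_password`, the `SECRET_FILE` variable, the `DB_PASSWORD` name and the permission policy (only mode 0400 or 0600 accepted) are all assumptions. A value that is only set inside the entrypoint process is not part of the container's `Config.Env`, so `docker inspect` does not show it; it is still visible to anyone who can `docker exec` into the container or read the process environment on the host, which is the threat model the answer describes.

```shell
#!/bin/sh
# Added example (not from the original answer): read a secret from a file
# bind-mounted into the container instead of a Compose `environment:` entry.
# Compose side (assumed layout):
#   volumes:
#     - ./secrets/db_password:/run/secrets/db_password:ro
# The secret then never appears in the container's creation-time Config.Env,
# which is what `docker inspect` prints.

# read_secret FILE
# Prints the contents of FILE (trailing newline removed) if it is a regular
# file readable only by its owner (mode 0400 or 0600). Any other case prints a
# diagnostic on stderr and returns 1, so a misconfigured mount fails loudly
# instead of starting the app with an empty password.
read_secret() {
  file=$1
  if [ ! -f "$file" ]; then
    echo "secret file not found: $file" >&2
    return 1
  fi
  # GNU/BusyBox stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    400|600) ;;
    *)
      echo "secret file $file has mode $mode; expected 400 or 600" >&2
      return 1
      ;;
  esac
  # Command substitution strips trailing newlines, so an editor that adds one
  # does not corrupt a single-line password.
  printf '%s' "$(cat "$file")"
}

# Example entrypoint usage (assumed names):
#   SECRET_FILE=/run/secrets/db_password ./entrypoint.sh myapp --serve
# The secret lives only in the exec'd process's environment.
if [ -n "${SECRET_FILE:-}" ] && [ "$#" -gt 0 ]; then
  DB_PASSWORD=$(read_secret "$SECRET_FILE") || exit 1
  export DB_PASSWORD
  exec "$@"
fi
```

The permission check is the part worth keeping even if you change the rest: a secret file that is world-readable on the host defeats the purpose of moving it out of the Compose file, and failing at startup is cheaper than discovering it during an incident.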