taivokasper / docker-omnidb

OmniDB installed into a Docker container

Add support for .my.cnf and .pgpass files #30

Closed msanchezdev closed 3 years ago

msanchezdev commented 4 years ago

Add symbolic links for .my.cnf and .pgpass files to support providing passwords for MySQL, Maria and PostgreSQL databases.

MySQL and MariaDB Format (.my.cnf):

[client]
user = username
password = password
host = address

PostgreSQL Format (.pgpass):

hostname:port:database:user:password

taivokasper commented 4 years ago

Can you describe what it is that you want to do? Those conf files don't have the actual passwords in them so you would still need to type them. I think the correct file should be provided from outside the docker container with the ADD or COPY command.

You are missing backslashes at the end of the lines:

Unexpected error
Encountered error: 400 Client Error: Bad Request ("Dockerfile parse error line 26: unknown instruction: &&")
Traceback (most recent call last):
  File "/stage/builder/runner.py", line 290, in _run
    self.build()
  File "/stage/builder/runner.py", line 214, in build
    self._build()
  File "/stage/builder/runner.py", line 202, in _build
    cache_repo)
  File "/stage/builder/build.py", line 43, in build_image
    for line in stream:
  File "/usr/local/lib/python2.7/dist-packages/docker/api/client.py", line 305, in _stream_helper
    yield self._result(response, json=decode)
  File "/usr/local/lib/python2.7/dist-packages/docker/api/client.py", line 220, in _result
    self._raise_for_status(response)
  File "/usr/local/lib/python2.7/dist-packages/docker/api/client.py", line 216, in _raise_for_status
    raise create_api_error_from_http_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/docker/errors.py", line 30, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation)
APIError: 400 Client Error: Bad Request ("Dockerfile parse error line 26: unknown instruction: &&")

thomasboussekey commented 4 years ago

Moreover, these files can't be compromised.

I was searching for a secure way to store them, but I didn't find something simple & universal. docker secret only works with swarm :cry: Another solution could be to have a VAULT sidecar container, or equivalent. But it will complicate the lightweight solution.

Still searching if a better secure solution exists!

msanchezdev commented 4 years ago

The idea was to provide the files by mounting them. As we already mount /etc/omnidb, create the symlinks so you can put them there with just one mount (the way I am doing it now), or we could even leave it and just mount each individual file to the /home/omnidb folder. If they were not provided in the /etc/omnidb folder then they would just be ignored by omnidb.

Not the most secure thing to do, but at least a workaround for the time being.
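
Added example, not part of this pull request or the docker-omnidb project: a pre-start audit of a mounted .pgpass reached through a symlink, as the thread describes. It covers .pgpass only and relies on libpq ignoring a password file that grants any group or other access; the temporary paths, host name and credentials are constructed stand-ins for /etc/omnidb/.pgpass and /home/omnidb/.pgpass.

```python
import os
import stat
import tempfile

def split_pgpass_line(line):
    """Split on unescaped ':'; a backslash escapes the next character."""
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if line[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(line[i])
        i += 1
    fields.append("".join(cur))
    return fields

def audit_pgpass(path):
    """Return problems found; messages never include field contents."""
    problems = []
    st = os.stat(path)  # follows the symlink, so the mounted target is what gets checked
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access" % stat.S_IMODE(st.st_mode))
    with open(path, encoding="utf-8") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if line and not line.startswith("#") and len(split_pgpass_line(line)) != 5:
                problems.append("line %d: expected 5 fields" % n)
    return problems

def demo():
    """Constructed sample: audit with mode 0644, then again with 0600."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "etc_omnidb_pgpass")  # stand-in for the mounted file
        link = os.path.join(d, "home_omnidb_pgpass")   # stand-in for the symlink in the home dir
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("# constructed\ndb.example.internal:5432:app:omnidb:s3cr\\:et\nbroken:line\n")
        os.symlink(target, link)
        os.chmod(target, 0o644)
        loose = audit_pgpass(link)
        os.chmod(target, 0o600)
        strict = audit_pgpass(link)
    return loose, strict
```

Because the check follows the symlink, the mode that matters is the one on the file inside the mounted directory, which is set on the host side of a bind mount.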