
ssl - What is the best way to manage cert/key for Docker containers that must talk TLS

Question:

I am moving my applications to Docker, and I'm not sure how to handle managing the cert/key. In a single host, I have two Docker containers that must listen/communicate over TLS to a number of client machines. Before Docker, I had a single server key and self-signed cert, and my clients were using the self-signed cert to communicate with the server applications.

But now that they are separate Docker containers, what is the right methodology? Do I push the certs/key to directories in the container? If so, then my Dockerfile would need to COPY the cert/key, and I don't want the key to be part of the checked-in image. (security)

Or, do I use a VOLUME and hold the key/cert on the host machine? I tried that, but the container root user could not see the private key, which was read-only for the host root user.

What is really the right way to do this? Thanks

Answer:

Took me some time, but I figured out how to do it.

On the RUN command line, you can mount a host directory as a data volume. This doesn't work by using VOLUME in Dockerfiles. You use the switch -v hostdir:datavolume

http://docs.docker.com/userguide/dockervolumes/

I used this to connect the container's data volume to the host directory that stored the keys and certs.

Thanks

Answer:

I know this is an old question but I came up with a somewhat similar but more generic approach. My solution is to create a data-only container which mounts the certificates and their keys as /etc/ssl/certs/host/ and /etc/ssl/private/host/. Name it for example certificates. In upcoming containers you can use these certificates easily by using --volumes-from certificates.
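Both answers rely on a host-side directory being bind-mounted into the container; the practical catch (as the question itself ran into) is that the private key must be readable by the uid the container process runs as, while never being world-readable. The following is an added example, not code from either answer: a pre-flight check for the key file and a helper that builds the read-only mount flags at the paths the second answer uses. All paths and the container uid are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks and mount-flag construction for handing
# TLS material to a container via a host-directory bind mount (-v).
# Paths and the container uid below are assumptions; adjust to your setup.

# Succeed only if the key is safe to expose to a container running as
# uid $2 (default 0): it must not be world-readable, and if the container
# process is not root, it must be owned by that uid or the mount is useless.
check_private_key() {
    key="$1"; uid="${2:-0}"
    [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
    # find -perm -004: prints the path if the others-read bit is set
    if [ -n "$(find "$key" -perm -004)" ]; then
        echo "refusing: $key is world-readable" >&2
        return 1
    fi
    owner=$(ls -ln "$key" | awk '{print $3}')
    if [ "$uid" != 0 ] && [ "$owner" != "$uid" ]; then
        echo "refusing: $key owned by uid $owner, container runs as uid $uid" >&2
        return 1
    fi
    return 0
}

# Print the volume flags for `docker run`. Both directories are mounted
# read-only (:ro) so a compromised container cannot tamper with the
# cert or key it was handed.
tls_volume_args() {
    certdir="$1"; keydir="$2"
    printf '%s %s:/etc/ssl/certs/host:ro %s %s:/etc/ssl/private/host:ro\n' \
        -v "$certdir" -v "$keydir"
}

# Usage (assumed host layout and image name):
#   check_private_key /srv/tls/private/server.key 0 &&
#   docker run -d $(tls_volume_args /srv/tls/certs /srv/tls/private) myapp
```

The same two functions apply to the data-only container approach: run the check before `docker create`, and pass `tls_volume_args` output to it so every `--volumes-from certificates` consumer inherits read-only mounts.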
