sql转储是否被加密到docker容器docker-entrypoint-initdb.d中？

Question

I'm dumping a database into a sql dump:

docker exec mysql sh -c 'exec mysqldump --all-databases -uroot -ppassword' > all-databases.sql

Then I'm using a Dockerfile to build a mysql image and run as a container:

FROM mysql:5.6.41

# needed for intialization
ENV MYSQL_ROOT_PASSWORD=whateverPassword

ADD all-databases.sql /docker-entrypoint-initdb.d/

EXPOSE 3306

When I run the container if I exec into the container, can I access the all-databases.sql file and see the contents of my database in plaintext in the docker image?

Currently if I look into /docker-entrypoint-initdb.d/ it says all-databases.sql but I don't know where that file is stored/if it's encrypted.

Answer 1

If you docker exec into the container, the file will be unencrypted. (It's just a text file and you can look at it with more on most image bases.)

However, if you can run any Docker command at all, then generally it's trivial to get unrestricted root access on the system. (Consider using docker run -v /etc:/host-etc to add yourself to /etc/sudoers or to allow root logins with no password.)

Also remember that anyone who has the image can docker run it and see the file there, if that matters to your security concerns. If you're looking for a single file with root access on the system anyways, you can find it without too much effort in /var/lib/docker . They can also easily run docker history to see the database root password you've set.