尝试向 Docker 图像提供 PGPASS
[英]Trying to supply PGPASS to Docker Image
问题描述
New to Docker here.
这里是 Docker 的新手。 I'm trying to create a basic Dockerfile where I run a python script that runs some queries in postgres through psycopg2.我正在尝试创建一个基本的 Dockerfile,我在其中运行一个 python 脚本,该脚本通过 psycopg2 在 postgres 中运行一些查询。 I currently have a pgpass file setup in my environment variables so that I can run these tools without supplying a password in the code.我目前在我的环境变量中设置了一个 pgpass 文件,这样我就可以运行这些工具而无需在代码中提供密码。 I'm trying to replicate this in Docker. I have windows on my local.我正在尝试在 Docker 中复制它。我的本地有 windows。
FROM datascienceschool/rpython as base
RUN mkdir /test
WORKDIR /test
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
COPY main_airflow.py /test
RUN cp C:\Users\user.name\AppData\Roaming\postgresql\pgpass.conf /test
ENV PGPASSFILE="test/pgpass.conf"
ENV PGUSER="user"
ENTRYPOINT ["python", "/test/main_airflow.py"]
This is what I've tried in my Dockerfile. I've tried to copy over my pgpassfile and set it as my environment variable.这是我在我的 Dockerfile 中尝试过的。我试图复制我的 pgpassfile 并将其设置为我的环境变量。 Apologies if I have a forward/backslashes wrong, or syntax.如果我有错误的正斜杠/反斜杠或语法,我深表歉意。 I'm very new to Docker, Linux, etc.我对 Docker、Linux 等非常陌生。
Any help or alternatives would be appreciated任何帮助或替代方案将不胜感激
1 个解决方案
解决方案1
1 已采纳 2022-05-19 16:31:31
It's better to pass your secrets into the container at runtime than it is to include the secret in the image at build-time.最好在运行时将秘密传递到容器中,而不是在构建时将秘密包含在图像中。 This means that the Dockerfile doesn't need to know anything about this value.这意味着Dockerfile不需要知道关于这个值的任何信息。
For example例如
$ export PGPASSWORD=<postgres password literal>
$ docker run -e PGPASSWORD <image ref>
Now in that example, I've used PGPASSWORD , which is an alternative to PGPASSFILE .现在在那个例子中,我使用了PGPASSWORD ,它是PGPASSFILE 的替代品。 It's a little more complicated to do this same if you're using a file, but that would be something like this:如果您使用的是文件,则执行此操作会稍微复杂一些,但那将是这样的:
The plan will be to mount the credentials as a volume at runtime.计划将在运行时将凭据作为卷安装。
FROM datascienceschool/rpython as base
RUN mkdir /test
WORKDIR /test
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
COPY main_airflow.py /test
ENV PGPASSFILE="/credentials/pgpass.conf"
ENV PGUSER="user"
ENTRYPOINT ["python", "/test/main_airflow.py"]
As I said above, we don't want to include the secrets in the image.正如我上面所说,我们不想在图像中包含秘密。 We are going to indicate where the file will be in the image, but we don't actually include it yet.我们将指示文件在图像中的位置,但实际上我们还没有包含它。
Now, when we start the image, we'll mount a volume containing the file at the location specified in the image, /credentials现在,当我们启动映像时,我们将在映像中指定的位置挂载一个包含文件的卷, /credentials
$ docker run --mount src="<host path to directory>",target="/credentials",type=bind <image ref>
I haven't tested this so you may need to adjust the exact paths and such, but this is the idea of how to set sensitive values in a docker container我没有对此进行测试,因此您可能需要调整确切的路径等,但这是如何在 docker 容器中设置敏感值的想法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.