```yaml
# docker-compose.yml: single-node OpenSearch plus OpenSearch Dashboards
services:
  opensearch:
    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
    container_name: opensearch
    environment:
      discovery.type: single-node
      node.name: opensearch
      OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    ports:
      - 9200:9200   # REST API
      - 9600:9600   # performance analyzer
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:${OPENSEARCH_DASHBOARDS_VERSION:-2.11.1}
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      # Dashboards reaches the node over the compose network by service name
      OPENSEARCH_HOSTS: '["https://opensearch:9200"]'
    networks:
      - opensearch-net
    depends_on:
      - opensearch
volumes:
  opensearch-data:
networks:
  opensearch-net:
    driver: bridge
```
@grofte I actually had to do a fair bit of digging to figure out why to use compose secrets rather than just passing in environment variables. If you just pass in the variables into the env then if someone was able to trigger an env dump in the logs the secrets could be compromised. Also, they live in the process information.
While using docker secrets still leaves the secret exposed on the host machine as it's in a plain text file it solves for a lot of in-container exploits. You could also pattern around the secret getting pulled locally when the machine boots and then is removed from disk after it's been read by the app. Idk if that would work though as I haven't tested it.
Also, @grofte I have a gist up with a pattern for generating docker compose environs using the new secrets now! https://gist.github.com/dtaivpp/c587d99a2cab441eba0314534ae87c86
Check it out and let me know what you think :D
Looking at the Docker documentation this doesn't look safe either? You put the secrets in a file but you also have to provide them when you launch the service that wants to talk to Docker? And if you don't use secrets the password will be in plain-text in the Opensearch image / container?
https://docs.docker.com/compose/use-secrets/
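As an added example (not part of the gist or of either commenter's code), here is the `opensearch` service with the admin password supplied the two ways the comments above contrast: once as a plain environment variable, once as a compose file secret mounted under `/run/secrets/`. The variable name `OPENSEARCH_INITIAL_ADMIN_PASSWORD`, the host-side file name and the image's entrypoint path `./opensearch-docker-entrypoint.sh` are assumptions about the OpenSearch image, and the password value is constructed.

```yaml
# Added example, not the gist's own file. Variable name, file names and the
# entrypoint path are assumptions about the OpenSearch image.
services:
  # 1. Weak: the password is a plain environment variable. It sits in this
  #    file, in `docker inspect` output (Config.Env), in /proc/<pid>/environ
  #    and in any accidental environment dump written to the logs.
  opensearch-env:
    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
    environment:
      discovery.type: single-node
      OPENSEARCH_INITIAL_ADMIN_PASSWORD: "ChangeMe-ExamplePassword1!"  # constructed value

  # 2. Corrected: the password is a compose secret. Compose mounts it into the
  #    container as the read-only file /run/secrets/opensearch_admin_password;
  #    it is not part of the container definition, so `docker inspect` does
  #    not show it.
  opensearch-secret:
    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
    environment:
      discovery.type: single-node
    secrets:
      - opensearch_admin_password
    # The image expects the password as an environment variable, so a small
    # wrapper reads the mounted file and then exec's the stock entrypoint
    # (assumed to be ./opensearch-docker-entrypoint.sh in the image workdir).
    # The value still ends up in the opensearch process environment, but it
    # never lives in this file, in the image, or in the container metadata.
    entrypoint:
      - bash
      - -c
      - |
        export OPENSEARCH_INITIAL_ADMIN_PASSWORD="$(cat /run/secrets/opensearch_admin_password)"
        exec ./opensearch-docker-entrypoint.sh opensearch

secrets:
  opensearch_admin_password:
    # Plain-text file on the host, as the comment above notes: keep it out of
    # version control and restrict its mode (for example 0600).
    file: ./secrets/opensearch_admin_password.txt
```

Running `docker inspect` on each container shows the weak variant's password in `Config.Env` and nothing for the secret variant, which is the difference the first comment describes; the host file is still plain text and the value still reaches the process environment, so this narrows the exposure rather than removing it.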