<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div>I've just opened bug 1687922 "httpd container image contains private key localhost.key and localhost.crt".<br></div><div><br></div><div>--</div><div><font size="2"><i>When using the Red Hat image for httpd (from <a href="https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/httpd-24-rhel7/images/2.4-85" target="_blank">https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/httpd-24-rhel7/images/2.4-85</a>), a private key for a certificate is stored in path /etc/pki/tls/private/localhost.key. The Red Hat Container Image Guideline (<a href="https://docs.openshift.com/container-platform/3.9/creating_images/guidelines.html#openshift-specific-guidelines" target="_blank">https://docs.openshift.com/container-platform/3.9/creating_images/guidelines.html#openshift-specific-guidelines</a>) states that:<br><br>```<br>It is also possible and recommended to pass secrets such as certificates and keys into the container using environment variables. This ensures that the secret values do not end up committed in an image and leaked into a Docker registry.<br>```<br></i></font></div><div>--</div><div><br></div><div>Now all the containers based on rhscl/httpd-24-rhel7 have the same certificate (private key and cert). And this is a high security risk.<br><br>I think the best solution is to remove the certificate in the base image, and create an init script to generate a new certificate. This way we ensure security (no certificates in the base image), and usability (if we just remove the certificate, then https will not work by default as there is no certificate).<br><br></div><div><br></div><div>Regards,<br>-- <br><div dir="ltr" class="m_4039386078526929349gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alberto</span> <span>Gonzalez de Dios</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>OPENSHIFT PROACTIVE SUPPORT ENGINEER</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px">,  RHCE, RHCSA<br></span></p>
<p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:"overpass",sans-serif" href="https://www.redhat.com" target="_blank">Red Hat <span>EMEA</span></a></p>
<span style="font-size:10px;margin:0px;color:rgb(153,153,153)"><p style="font-size:10px;margin:0px">Paseo de la Castellana, 259C</p></span>
<span><p style="font-size:10px;margin:0px;color:rgb(153,153,153)">Madrid, Spain</p></span>
<p style="font-weight:normal;margin:0px 0px 6px;font-size:10px;color:rgb(153,153,153)"><span style="margin:0px;padding:0px">
<a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:"overpass",sans-serif" href="mailto:algonzal@redhat.com" target="_blank">algonzal@redhat.com</a>   </span>

</p>

<table border="0"><tbody><tr><td width="100px"><a href="https://red.ht/sig" target="_blank"> <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" width="90" height="auto"></a> </td>
</tr></tbody></table>
<div style="font-weight:normal;font-size:10px">
<div style="color:rgb(153,153,153)"><a href="https://twitter.com/redhat" title="twitter" style="background:transparent url("https://www.redhat.com/files/brand/email/sm-twitter.png") no-repeat scroll 0px 50%/16px auto;height:20px;text-decoration:none;color:rgb(119,119,119);display:inline-block;line-height:20px;padding-left:16px" target="_blank">@RedHat</a>  
<a href="https://www.linkedin.com/company/red-hat" title="LinkedIn" style="background:transparent url("https://www.redhat.com/files/brand/email/sm-linkedin.png") no-repeat scroll 0px 50%/16px auto;height:20px;text-decoration:none;color:rgb(119,119,119);display:inline-block;line-height:20px;padding-left:16px" target="_blank">Red Hat</a>
  <a href="https://www.facebook.com/RedHatInc" title="Facebook" style="background:transparent url("https://www.redhat.com/files/brand/email/sm-facebook.png") no-repeat scroll 0px 50%/16px auto;height:20px;text-decoration:none;color:rgb(119,119,119);display:inline-block;line-height:20px;padding-left:16px" target="_blank">Red Hat</a> </div>

</div>
</div></div></div></div></div></div></div></div></div></div></div></div>
</div>
</div>
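<p>The init script proposed above, written out as an added example (it is not code from the bug report, from the rhscl/httpd-24-rhel7 image or from Red Hat). It assumes the key and certificate paths named in the report, that <code>openssl</code> is present in the image, and three hypothetical override variables (<code>TLS_KEY</code>, <code>TLS_CRT</code>, <code>TLS_CN</code>) so a certificate mounted as a secret takes precedence over generation. On first start with no key present it creates a fresh key and self-signed certificate with owner-only permissions; a pre-existing (mounted) pair is left untouched, and the fingerprint helper is the quick way to confirm two running containers no longer share one certificate.</p>

```shell
#!/bin/sh
# Added example, not the rhscl/httpd-24-rhel7 image's own code: an entrypoint
# helper that creates a fresh self-signed key and certificate on first start
# when none is present, so the image itself ships no private key.
# Default paths are the ones named in the bug report; TLS_KEY/TLS_CRT/TLS_CN
# are hypothetical override variables for when a real certificate is mounted.
set -eu

TLS_KEY="${TLS_KEY:-/etc/pki/tls/private/localhost.key}"
TLS_CRT="${TLS_CRT:-/etc/pki/tls/certs/localhost.crt}"
TLS_CN="${TLS_CN:-$(hostname 2>/dev/null || echo localhost)}"

# Generate key + self-signed cert unless both files already exist (for example
# because a secret was mounted over the path). Prints "generated" or "existing".
ensure_tls_material() {
    key=$1; crt=$2; cn=$3
    if [ -s "$key" ] && [ -s "$crt" ]; then
        echo existing
        return 0
    fi
    mkdir -p "$(dirname "$key")" "$(dirname "$crt")"
    # Subshell so the restrictive umask does not leak into the rest of the init.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$cn" -keyout "$key" -out "$crt" >/dev/null 2>&1
    )
    chmod 600 "$key"
    chmod 644 "$crt"
    echo generated
}

# SHA-256 fingerprint of a certificate; comparing this across running
# containers confirms they no longer share one certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only if the private key is readable by its owner alone.
check_key_permissions() {
    [ "$(file_mode "$1")" = "600" ]
}

case "${1:-}" in
    init)
        ensure_tls_material "$TLS_KEY" "$TLS_CRT" "$TLS_CN"
        check_key_permissions "$TLS_KEY" || { echo "private key is not mode 600, refusing to start" >&2; exit 1; }
        echo "certificate fingerprint: $(cert_fingerprint "$TLS_CRT")"
        ;;
    fingerprint)
        cert_fingerprint "$TLS_CRT"
        ;;
esac
```

<p>Run it as <code>sh tls-init.sh init</code> from the container entrypoint before starting httpd; <code>sh tls-init.sh fingerprint</code> prints the fingerprint of whatever certificate the container is serving. The generated certificate is only a per-container placeholder that keeps HTTPS working out of the box; anything client-facing should still get a real certificate mounted at <code>TLS_KEY</code>/<code>TLS_CRT</code>, which the script then leaves in place.</p>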