[scl.org] Bug 1687922 - httpd container image contains private key localhost.key and localhost.crt

Alberto Gonzalez de Dios algonzal at redhat.com
Tue Mar 12 16:28:37 UTC 2019


Hi,

I've just opened bug 1687922 "httpd container image contains private key
localhost.key and localhost.crt".

--

When using the RedHat image for httpd (from
https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/httpd-24-rhel7/images/2.4-85),
a private key for a certificate is stored in path
/etc/pki/tls/private/localhost.key. The RedHat Container Image Guideline
(https://docs.openshift.com/container-platform/3.9/creating_images/guidelines.html#openshift-specific-guidelines)
states that: "It is also possible and recommended to pass secrets such as
certificates and keys into the container using environment variables. This
ensures that the secret values do not end up committed in an image and
leaked into a Docker registry."
--

Now all the containers based on rhscl/httpd-24-rhel7 have the same
certificate (private key and cert). And this is a high security risk.

I think the best solution is to remove the certificate in the base image,
and create an init script to generate a new certificate. This way we ensure
security (no certificates in the base image) and usability (if we just
remove the certificate, then https will not work by default as there is no
certificate).


Regards,
-- 

Alberto Gonzalez de Dios

OPENSHIFT PROACTIVE SUPPORT ENGINEER, RHCE, RHCSA

Red Hat EMEA <https://www.redhat.com>

Paseo de la Castellana, 259C

Madrid, Spain

algonzal at redhat.com
<https://red.ht/sig>
@RedHat <https://twitter.com/redhat>   Red Hat
<https://www.linkedin.com/company/red-hat>   Red Hat
<https://www.facebook.com/RedHatInc>

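The init-script approach proposed in the report, written out as an added example. This is not code from the bug report or from the Red Hat httpd image; it is a hypothetical container entrypoint that generates a fresh self-signed key pair on first start when none is present, so no private key has to be baked into the image. The key and certificate paths default to the ones named in the report; the HTTPD_TLS_KEY, HTTPD_TLS_CERT and HTTPD_TLS_CN variables, the --run flag and the function names are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical httpd container entrypoint (added example, not the image's own
# code). It creates per-container TLS material at startup instead of relying
# on a key shipped inside the image, which every container would share.
set -eu

# Defaults match the paths cited in the bug; the variable names are assumed.
KEY_FILE="${HTTPD_TLS_KEY:-/etc/pki/tls/private/localhost.key}"
CERT_FILE="${HTTPD_TLS_CERT:-/etc/pki/tls/certs/localhost.crt}"
CERT_CN="${HTTPD_TLS_CN:-localhost}"

# ensure_tls_material KEY CERT CN
# Generates a self-signed certificate and key only when they are absent, so an
# operator-mounted key (e.g. from a secret volume) is never overwritten.
ensure_tls_material() {
    key="$1"; cert="$2"; cn="$3"
    if [ -s "$key" ] && [ -s "$cert" ]; then
        echo "TLS key and certificate already present, leaving them untouched" >&2
        return 0
    fi
    mkdir -p "$(dirname "$key")" "$(dirname "$cert")"
    # Subshell so the restrictive umask does not leak into the rest of the script.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$cn" -keyout "$key" -out "$cert" 2>/dev/null
    )
    chmod 0600 "$key"   # private key readable by the service user only
    chmod 0644 "$cert"  # certificate is public
    echo "generated new self-signed certificate for CN=$cn" >&2
}

# cert_fingerprint CERT
# SHA-256 fingerprint of a certificate; comparing fingerprints across containers
# is a quick way to confirm they no longer share one key pair.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
    ensure_tls_material "$KEY_FILE" "$CERT_FILE" "$CERT_CN"
    # Hand over to the real server process, e.g. `httpd -DFOREGROUND`.
    exec "$@"
}

# Only start the server when explicitly asked, so the functions above can also
# be sourced for inspection or testing without launching httpd.
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Usage in an image would be `ENTRYPOINT ["/entrypoint.sh", "--run", "httpd", "-DFOREGROUND"]`. A self-signed certificate generated this way is still untrusted by clients, so the script is the usability fallback the report asks for; the intended production path remains mounting an operator-issued key and certificate at the same paths, which the script then leaves untouched.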