
[scl.org] Bug 1687922 - httpd container image contains private key localhost.key and localhost.crt



Hi,

I've just opened bug 1687922 "httpd container image contains private key localhost.key and localhost.crt".

--
When using the Red Hat image for httpd (from https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/httpd-24-rhel7/images/2.4-85), a private key for a certificate is stored in path /etc/pki/tls/private/localhost.key. The Red Hat Container Image Guideline (https://docs.openshift.com/container-platform/3.9/creating_images/guidelines.html#openshift-specific-guidelines) states that:

```
It is also possible and recommended to pass secrets such as certificates and keys into the container using environment variables. This ensures that the secret values do not end up committed in an image and leaked into a Docker registry.
```
--

Now all the containers based on rhscl/httpd-24-rhel7 have the same certificate (private key and cert). And this is a high security risk.

I think the best solution is to remove the certificate in the base image, and create an init script to generate a new certificate. This way we ensure security (no certificates in the base image), and usability (if we just remove the certificate, then https will not work by default as there is no certificate).


Regards,
--

Alberto Gonzalez de Dios

OPENSHIFT PROACTIVE SUPPORT ENGINEER, RHCE, RHCSA

Red Hat EMEA

Paseo de la Castellana, 259C

Madrid, Spain

algonzal redhat com   
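
A sketch of the init-script approach proposed in the message above, as an added example that is not part of the original post or of the Red Hat image. The function names, the certificate path, and the RSA 2048 / 365-day parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the rhscl/httpd-24-rhel7 image.
# Assumes the image build has deleted the shipped key pair, so a missing
# key means "first start of this container".

# Generate a self-signed pair unless both files already exist and are non-empty.
# $1 = key path, $2 = cert path, $3 = certificate CN (optional)
ensure_unique_cert() {
    key="$1"; crt="$2"
    cn="${3:-$(hostname 2>/dev/null || echo localhost)}"
    # Leave an operator-supplied pair (for example a mounted secret) untouched.
    if [ -s "$key" ] && [ -s "$crt" ]; then
        return 0
    fi
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    # mktemp creates the files with mode 0600, so the key is never world-readable.
    tmpkey="$(mktemp "${key}.XXXXXX")" || return 1
    tmpcrt="$(mktemp "${crt}.XXXXXX")" || { rm -f "$tmpkey"; return 1; }
    if openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=${cn}" -keyout "$tmpkey" -out "$tmpcrt" >/dev/null 2>&1; then
        chmod 600 "$tmpkey" && chmod 644 "$tmpcrt" &&
            mv -f "$tmpkey" "$key" && mv -f "$tmpcrt" "$crt"
    else
        rm -f "$tmpkey" "$tmpcrt"
        return 1
    fi
}

# SHA-256 of the DER-encoded public key; identical output for two containers
# means they share a private key.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Entrypoint wiring (key path from the report, cert path assumed):
#   ensure_unique_cert /etc/pki/tls/private/localhost.key \
#                      /etc/pki/tls/certs/localhost.crt && exec httpd -D FOREGROUND
```

Both target directories must be writable by the user the container runs as, otherwise the function returns non-zero and the entrypoint should fail rather than start httpd with a shared key.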


