Use a password generator for secure passwords #65

Open
kowh-ai opened this issue Jul 10, 2023 · 2 comments · May be fixed by #76
Contributor

kowh-ai commented Jul 10, 2023

Passwords are hardcoded in the .env file which is then used by docker compose to populate environment variables used in the running containers. These passwords are therefore pretty insecure. Therefore I propose to create a process to generate random secure passwords before the local images are built and before the containers start.

The following environment variables will use the passwords generated:

  1. POSTGRES_PASSWORD
  2. CKAN_DB_PASSWORD
  3. DATASTORE_READONLY_PASSWORD
  4. CKAN_SYSADMIN_PASSWORD

The passwords will be housed in a newly generated file which will have its permissions locked down to just read-only by the file owner. This file (named .pw) can then be added to both ckan and db services in the docker-compose.yml file as follows:

Screenshot 2023-07-10 at 2 47 15 pm
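
One way to implement the generation step proposed above, as an added example that is not part of the original issue or of the linked pull request. The four variable names and the `.pw` file name come from the issue; the `KEY=value` layout, the 32-character length, and the function names `gen_password` and `write_pw_file` are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): generate random passwords into a
# .pw file that only its owner can read. KEY=value layout is an assumption.

# Print a random password of $1 characters drawn from [A-Za-z0-9].
# Alphanumerics only, so the value needs no quoting in env files or DB URLs.
gen_password() {
    pw=""
    # Read bounded chunks from the kernel CSPRNG until enough characters
    # survive the filter; no unbounded pipe, so no SIGPIPE noise.
    while [ "${#pw}" -lt "$1" ]; do
        pw="$pw$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf "%.${1}s\n" "$pw"
}

# Write the four passwords named in the issue to $1 (default: .pw).
write_pw_file() {
    out="${1:-.pw}"
    (
        # Owner-only from the moment of creation: the file is never
        # readable by group or others, even briefly.
        umask 077
        # A previous run left the file read-only, so a plain redirect
        # would fail for a non-root user; remove it first.
        rm -f "$out"
        for name in POSTGRES_PASSWORD CKAN_DB_PASSWORD \
                    DATASTORE_READONLY_PASSWORD CKAN_SYSADMIN_PASSWORD; do
            printf '%s=%s\n' "$name" "$(gen_password 32)"
        done > "$out"
        # Lock down to read-only by the file owner, as the issue proposes.
        chmod 400 "$out"
    )
}

# Typical use, before the images are built and the containers start:
#   write_pw_file .pw
```

The generated file holds live credentials, so it belongs in `.gitignore` alongside any local `.env` overrides.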

@kowh-ai kowh-ai self-assigned this Aug 2, 2023
@kowh-ai kowh-ai linked a pull request Aug 16, 2023 that will close this issue
Member

pwalsh commented Jan 30, 2024

I originally commented in #76 (comment) but this is probably better:

If we are doing this work on random passwords, to bypass having passwords in .env files, perhaps it is worth exploring the docker solution for secrets, which works with docker compose:

https://docs.docker.com/compose/use-secrets/

Member

pwalsh commented Jan 31, 2024

@kowh-ai I looked into this a bit more based on #76 (comment)

I have not implemented this myself .... but according to what I understand from:

It does work in some manner in docker compose - not as secure as the docker swarm implementation; not less secure than using .env files.

Anyway, food for thought.
