Docker: can someone see the files in the image layers if the Docker image is pulled from a repo?

I have hosted a docker image on the gitlab repo.

I have some sensitive data in one of the image layers.

Now if someone pulls the image, can he see the sensitive data in the intermediate layer?

Also, can he know the Dockerfile commands I have used for the image?

I want the end user to only have the image and not have any other info about its Dockerfile.

But at least I don't want him to see the intermediate files.



Solution 1:[1]

  1. You can use multi-stage builds: manage secrets in an intermediate image layer that is later disposed of, so that no sensitive data reaches the final image build, such as in the following example:

# Stage 1: the key is only ever present in this throw-away stage
FROM ubuntu AS intermediate
WORKDIR /app
COPY secret/key /tmp/
# scp needs user@host:path; the layers of this stage are not part of the final image
RUN scp -i /tmp/key build@acme:/files .

# Stage 2: copy only the fetched files; nothing from /tmp/ is carried over
FROM ubuntu
WORKDIR /app
COPY --from=intermediate /app .

Other options to maintain secrets are:

  1. docker secret : you can use docker secret if you are using docker swarm

  2. secrets in docker-compose file (without swarm)

version: "3.6"

services:
  my_service:
    image: centos:7
    entrypoint: "cat /run/secrets/my_secret"
    secrets:
      - my_secret

secrets:
  my_secret:
    file: ./super_duper_secret.txt
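To see why a single-stage build leaks the key even if a later `RUN rm` removes it, here is an added example (not from the question or the answer) that constructs a `docker save`-style tarball with three layers and scans every layer for a file name. The layer layout, file names and the private-key string are all constructed; no real image or registry is used.

```python
import io
import json
import tarfile
import tempfile

# Constructed sample: a `docker save`-style tarball whose three layers mimic
#   COPY secret/key /tmp/   -> layer 1 adds tmp/key
#   COPY app /app           -> layer 2 adds app/main.py
#   RUN rm /tmp/key         -> layer 3 only records a whiteout entry (tmp/.wh.key)
# Whoever pulls the image receives all three layers, so layer 1 still ships the key.

def _tar_bytes(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image(path):
    layers = {
        "layer1/layer.tar": _tar_bytes({"tmp/key": b"-----BEGIN PRIVATE KEY----- (constructed)"}),
        "layer2/layer.tar": _tar_bytes({"app/main.py": b"print('hello')\n"}),
        "layer3/layer.tar": _tar_bytes({"tmp/.wh.key": b""}),
    }
    manifest = json.dumps([{"Layers": list(layers)}]).encode()
    with open(path, "wb") as f:
        f.write(_tar_bytes({**layers, "manifest.json": manifest}))

def scan_layers(path, needle):
    """Map each layer to the member names containing `needle`.
    The merged filesystem hides tmp/key, but the layer that added it is still present."""
    hits = {}
    with tarfile.open(path) as t:
        manifest = json.load(t.extractfile("manifest.json"))
        for layer in manifest[0]["Layers"]:
            with tarfile.open(fileobj=t.extractfile(layer)) as lt:
                found = [m.name for m in lt.getmembers() if needle in m.name]
                if found:
                    hits[layer] = found
    return hits

def demo(needle="key"):
    with tempfile.TemporaryDirectory() as d:
        path = f"{d}/image.tar"
        build_sample_image(path)
        return scan_layers(path, needle)

if __name__ == "__main__":
    print(demo())  # -> {'layer1/layer.tar': ['tmp/key'], 'layer3/layer.tar': ['tmp/.wh.key']}
```

The same scan run over a real `docker save` tarball of a multi-stage build would find no `tmp/key` member, because the intermediate stage's layers are never part of the final image.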

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
