5

Issue:

In a non-docker solution, the SSL certificates can be located in /etc/pki/CA/.... with references to them in the /etc/httpd/conf.d/*.conf files. How must these SSL certificates be managed/placed/used in a docker image for a secure apache httpd server without being part of the docker image?

Goal:

Create a docker image for a secure apache httpd server using provided SSL certificates.

Ideas on how to solve this:

Docker volumes might solve it by mounting the certificates from the host to the image by use of docker run -v /HOST/SSL/PATH:/CONTAINER/SSL/PATH, which then can be referenced from within the image.

Is this the way to go, or can this issue be solved in another way?

Dev Dev
  • Set the certs up in a git repo, clone them as part of a build script? – NickW Nov 20 '14 at 12:48
  • Such a docker image can not be reused as the SSL certificates will be static files in the image itself. The image is no longer a general image, but a specific image which can only be used in a specific context – Dev Dev Nov 20 '14 at 12:55

2 Answers

2

You can also create a named data volume as follows. I will use a directory named /usr/local/apache/SSL in this example.

  1. Create an empty directory /usr/local/apache/SSL in your apache container and commit
  2. Startup a new base container for your data volume and create the same empty directory /usr/local/apache/SSL (may need to create /usr/local/apache first)
  3. Commit the container created in step 2: docker commit CONTAINER_ID data/apachessl:latest
  4. Create the named data volume container: docker run --name=DATAmyApacheSSLCerts -v /usr/local/apache/SSL data/apachessl true
  5. Copy your SSL certificate to /usr/local/apache/SSL using a "disposable container" to put them there: docker run -it --rm=true --volumes-from=DATAmyApacheSSLCerts APACHE_CONTAINER /bin/bash
  6. Spin up your "true" apache image but mount the data volume by adding --volumes-from=DATAmyApacheSSLCerts to your run command for the apache image

Now any changes you make to /usr/local/apache/SSL directory will persist until you delete the DATAmyApacheSSLCerts instance.

Busybox images make great data volumes due to their extremely small size.

You will probably want to adjust your data volume and add your conf directory as well so that changes persist but do not change the base image. Just create the conf directory in your data image as well, copy over the files from a base apache install and add another -v flag for the conf directory.

**NOTE:** You need to have a directory in your main image that corresponds to the one being shared in your data volume.

Pablo
  • Seems like a solid solution. I will try it out before accepting. One question: I am not fully sure, but will persistent data in a data image be pushed if one accidentally pushes the image to some registry? – Dev Dev Nov 21 '14 at 09:35
  • I have tried the solution. I am still unsure if I will store the SSL certificates in a named docker data volume or fetch them during run with use of the -v option. Anyways. This is a good answer. – Dev Dev Nov 21 '14 at 11:47
0

If you don't want them as part of the docker image, then a volume mounting them from the host is indeed a good way to go.

Bryan
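The host-mount approach from the question and this answer, plus a guard for the concern raised in the comments (keys accidentally ending up in a pushed image), as an added shell example that is not code from the question or either answer. Assumed: the httpd:2.4 base image and its /usr/local/apache2 layout, the mount point /usr/local/apache2/conf/ssl, and the image name my-httpd-ssl.

```shell
#!/bin/sh
# Added example, not code from the question or answers above. Assumptions:
# the httpd:2.4 base image and its /usr/local/apache2 layout, the mount point
# /usr/local/apache2/conf/ssl, and the image name my-httpd-ssl.
set -eu

# Write a build context whose image knows only the certificate *path*;
# the certificates themselves are never COPYed into a layer.
write_build_context() {
  ctx="$1"
  mkdir -p "$ctx"
  cat > "$ctx/Dockerfile" <<'EOF'
FROM httpd:2.4
# Enable mod_ssl and the SSL vhost include that the stock httpd.conf comments out.
RUN sed -i -e 's/^#\(LoadModule ssl_module\)/\1/' \
           -e 's/^#\(LoadModule socache_shmcb_module\)/\1/' \
           -e 's/^#\(Include conf\/extra\/httpd-ssl.conf\)/\1/' conf/httpd.conf
COPY httpd-ssl.conf conf/extra/httpd-ssl.conf
# Certificates are mounted at run time; the image only declares the mount point.
VOLUME /usr/local/apache2/conf/ssl
EOF
  cat > "$ctx/httpd-ssl.conf" <<'EOF'
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/conf/ssl/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl/server.key
</VirtualHost>
EOF
  # Key material dropped into the context is excluded from the build, so a
  # stray COPY cannot bake it into an image that later gets pushed.
  printf '*.key\n*.pem\n*.crt\n' > "$ctx/.dockerignore"
}

# Pre-build check: exit 0 if any file in the context holds a PEM private key,
# which is exactly what must never end up in an image layer.
context_has_private_key() {
  grep -rq -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Stand-alone use: ./build-ctx.sh ./ctx  (then build and run with)
#   docker build -t my-httpd-ssl ./ctx
#   docker run -d -p 443:443 -v /etc/pki/CA/certs:/usr/local/apache2/conf/ssl:ro my-httpd-ssl
if [ "$#" -eq 1 ]; then
  write_build_context "$1"
  if context_has_private_key "$1"; then
    echo "refusing to build: private key found in build context $1" >&2
    exit 1
  fi
fi
```

Mounting the host directory with `:ro` keeps the running container from modifying the key, and because a volume is not an image layer, `docker push` never carries its contents.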