
My question is related to my specific environment: I'm running a web application in a docker container and a database in another container.

I use docker compose to run both containers:

  • my web app is linked to a network shared with all other app containers and my proxy container (which is bound to host interface)
  • my database container is linked to a specific network only shared between my web app container and my database container

I already set up password authentication between both containers. But now, I'm looking backwards and I'm wondering if it's really useful in this context.

As the network between my app container and database container is built by docker, no other containers could connect to it and try to access my database. So why set a password?

I guess my question relates to the security provided by the docker-specific network, and I actually have no idea how it works.

Any advice would be appreciated.

Plup
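As an added illustration (not part of the question or the answer), here is a docker compose file matching the topology described above: the proxy is the only service bound to a host interface, the database sits on an internal network shared only with the web app, and it still requires credentials. Service names, images and the secret file path are assumptions.

```yaml
# Added example, not the asker's own compose file. Names, images and
# the secret path are assumptions chosen to illustrate the topology.
services:
  proxy:
    image: nginx:1.25
    ports:
      - "443:443"          # only the proxy is published on a host interface
    networks:
      - frontend

  web:
    build: ./web
    networks:
      - frontend           # shared with the proxy and other app containers
      - backend            # the only path to the database
    environment:
      DB_HOST: db
      DB_USER: app
      DB_PASSWORD_FILE: /run/secrets/db_password   # app reads the secret from this file
    secrets:
      - db_password

  db:
    image: postgres:16
    networks:
      - backend            # not attached to frontend: the proxy cannot reach it
    environment:
      POSTGRES_USER: app
      # The official postgres image accepts *_FILE variants, so the
      # password never appears in the environment or in this file.
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    # No "ports:" entry: the database is never published on the host.

networks:
  frontend:
  backend:
    internal: true         # no route outside docker; only attached containers can talk

secrets:
  db_password:
    file: ./secrets/db_password.txt   # keep out of version control; rotate by replacing the file
```

The network split limits which containers can open a connection to `db`; the credential (and a least-privilege database user) is what still protects the data if the `web` container itself is compromised, which is the defense-in-depth point the answer makes.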

1 Answer


But now, I'm looking backwards and I'm wondering if it's really useful in this context.

Yes, absolutely. Why would you not use a password? The key to security is defense in depth. Sure, your database may be protected by several different levels of firewalls, but it is still advisable to use a password. Credentials are trivial to create and manage, there's really no downside.

I guess my question relates to the security provided by the docker-specific network, and I actually have no idea how it works.

That is a very large red flag. If you have no idea how a certain technology works: 1) you're not in a position to make assumptions about how secure it is and 2) you should not be using that technology until you understand it.

EEAA
  • I prefer UNIX socket authentication on localhosts. –  Jun 18 '16 at 18:15
  • @Igor Cool story, bro. :) You still need a password when using sockets. Not sure what your comment is adding here. – EEAA Jun 18 '16 at 18:17
  • @EEAA I would not use a password because it's not trivial to change in the infrastructure, and I prefer not to have one and rely on another security element to compensate rather than relying on an outdated password. And I'm actually building a test infrastructure to audit security in docker. So any information on that would help me. – Plup Jun 18 '16 at 18:18
  • If it's not trivial to manage credentials in your environment, then you're doing it wrong. Ask *any* sysadmin/dba that has any amount of experience in this and they will agree. You asked "do we need passwords", and now you have your answer. – EEAA Jun 18 '16 at 18:20
  • @Igor would a unix socket support asymmetric key authentication? – Plup Jun 18 '16 at 18:21
  • @EEAA I may take it wrong, but I'm tired of such aggressive answers when it comes to security. A password is not an answer for everything, and I'm actually intending to ban passwords from my architecture. – Plup Jun 18 '16 at 18:26
  • @Tymk You're entitled to your opinion. You asked on a site for professional sysadmins, so you should expect a professional answer. Using an un-authenticated service when it's trivial to use authentication does not fall under the "professional" bucket. Now, if you're actually asking about using passwords versus key/certificate auth, then that's a completely different matter, and is not what you asked about. – EEAA Jun 18 '16 at 18:30
  • @EEAA I agree with you. I was more expecting an answer about the docker network isolation in order to choose which services should have authentication and which ones could be left open, with regard to the confidentiality they need. – Plup Jun 18 '16 at 18:34
  • Well that's not the question you asked. If you'd like to ask another question around that topic, I think it could make for an interesting QA. As to your point about authentication, if it's possible, you should use it, regardless of how the technology is implemented, deployed, or firewalled. – EEAA Jun 18 '16 at 18:37
  • No, I don't need a password with socket authentication. Every local service is running under a separate user. https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html. It's even more convenient with postgres. –  Jun 19 '16 at 08:49