Tags: docker, ssh, docker-swarm

Docker secrets and RSA keys


I have a Docker swarm and I would like to use a secret RSA key in a service to connect via SSH to another container.

My security policy is that all the secrets (passwords, keys, etc.) are stored on a different machine than the destination servers (the Swarm).

Actually (and I don't like it), in my Dockerfile I create a temporary directory /run/secrets:

mkdir -p /run/secrets

Then I create fake id_rsa and id_rsa.pub files:

touch /run/secrets/id_rsa
touch /run/secrets/id_rsa.pub

And now I create a symbolic link:

ln -s /run/secrets/id_rsa /root/.ssh/id_rsa
ln -s /run/secrets/id_rsa.pub /root/.ssh/id_rsa.pub

I'm doing this because I didn't find a way to copy the secrets in my docker-entrypoint.sh: in the entrypoint I'm not root, so I can't copy into the /root directory.

So, I'm already using Docker secrets, but the problem here is that the secrets inside the containers are read-only. That impacts the usage of SSH:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0444 for '/root/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

I can't modify the permissions of my id_rsa file since it's read-only.

Is there a workaround, or just a really better way to do it?

Thanks

EDIT 1:

I'm trying to change the way I build my Docker image in order to copy keys in the /root/.ssh directory.


Solution

  • Consider creating a stack with a compose file. This gives you the option to alter the file permissions of your secrets.

    version: "3.1"
    services:
      redis:
        image: redis:latest
        deploy:
          replicas: 1
        secrets:
          - source: my_secret
            target: redis_secret
            uid: '103'
            gid: '103'
            mode: 0440
    secrets:
      my_secret:
        file: ./my_secret.txt
      my_other_secret:
        external: true
    

    More info can be found here: https://docs.docker.com/compose/compose-file/#long-syntax-2
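As an added example (not code from the question or the answer), the POSIX shell sketch below reproduces the permission rule behind ssh's "UNPROTECTED PRIVATE KEY FILE" warning and shows the entrypoint-side alternative to the symlink approach: copy the read-only /run/secrets file into a .ssh directory the container user owns and set it to 0600. The function names, the fake key material and the temporary paths are illustrative; it assumes a Linux container with GNU coreutils (stat -c), with a best-effort BSD fallback.

```shell
#!/bin/sh
# Added example: the ssh permission check and an entrypoint-style fix.
# Assumes GNU stat (-c); the BSD stat fallback is an assumption.

# Print the permission bits of a file in octal, e.g. 444 or 600.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Mirror ssh's rule: a private key must not be readable or writable by
# group or others, i.e. the group and other octal digits must both be 0.
key_mode_ok() {
  case "$(file_mode "$1")" in
    *00) return 0 ;;   # 400, 600, 700 ... are accepted
    *)   return 1 ;;   # 444 (what the secret mount shows) is rejected
  esac
}

# Entrypoint step: copy a read-only /run/secrets file into a private .ssh
# directory owned by the current (possibly non-root) user, then tighten it.
install_key() {
  src=$1; dst_dir=$2
  mkdir -p "$dst_dir" && chmod 700 "$dst_dir"
  cp "$src" "$dst_dir/id_rsa"
  chmod 600 "$dst_dir/id_rsa"
  key_mode_ok "$dst_dir/id_rsa"
}

# Constructed demo: a fake secret mounted read-only at 0444, as Docker does.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/run/secrets"
  printf 'FAKE-KEY-MATERIAL (constructed, not a real key)\n' > "$tmp/run/secrets/id_rsa"
  chmod 444 "$tmp/run/secrets/id_rsa"
  key_mode_ok "$tmp/run/secrets/id_rsa" && echo "unexpected: 0444 accepted"
  install_key "$tmp/run/secrets/id_rsa" "$tmp/home/.ssh" && echo "key installed at 0600"
  rm -rf "$tmp"
}

demo
```

With the long-syntax `mode: 0400` from the answer above the copy step is unnecessary; `key_mode_ok` alone then tells you whether ssh will accept the mounted file as-is.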