 

ssh credentials in docker image

I have an application running properly with docker-compose up. That application connects using SSH to my host machine and executes some commands. Right now I provide the SSH credentials by writing them in the source code like this:

const pass = 'mypassword';
let username = 'myusername';
let host = '172.17.0.1';

I'm trying to follow this guide in order to provide the credentials in a better way. I cannot understand how this line works: privateKey: require('fs').readFileSync('/here/is/my/key'). Is it a relative path? Is the "key" a file with the password as plain text? Is there something I should provide from my host machine? How can I give the credentials in a docker container?

Stavros Droutsas asked Nov 23 '25 08:11



1 Answer

In general, to pass parameters into a container to be read by your Node.js script, you can:

  • Leverage environment variables (https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file)
  • Mount a directory from the host system into the running container using volumes (https://docs.docker.com/storage/volumes/)
  • Pass them as parameters (How to pass arguments to Shell Script through docker run).
  • Download them from a remote server

For secret data such as SSH credentials, I would advise against using arguments or environment variables because they can be inspected from various sources. This article explains well why: https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/

Instead, I would create a simple configuration file that your Node.js script can read.

{
   "username": "myuser",
   "password": "pass",
   "host": "172.17.0.1",
   ...
}

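You can put this file in a directory on your host system and mount it under /myvolume to the container when you start your container:

# Use an absolute host path for a bind mount; a bare name creates a named volume instead
docker run -it -v /path/to/host-directory:/myvolume myimage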

Your Node.js script now can read the JSON file:

const fs = require('fs');
const configFilePath = "/myvolume/secret-config.json";
// Read the mounted file as UTF-8 text and parse it as JSON
const config = JSON.parse(fs.readFileSync(configFilePath, 'utf8'));

// now you can use config.host, config.username and config.password

As a side note: I recommend setting up your remote SSH server to use private/public key authentication since passwords are generally less secure. Once you have set up private/public key authentication, you can put the private key file in the same volume and load it from your Node.js script in a similar way :)

mitchkman answered Nov 26 '25 00:11



