Hello Jurijs,
Thank you for the link, Docker secrets is definitely something that would be an option, and yes, holding anything in a variable or somewhere it can be easily queried isn’t going to work.
We’ll see what happens.
Cheers - Robert...
On 16 Nov 2017, at 10:41, Jurijs Ivolga jurijs.ivolga@gmail.com wrote:
Hi,
Not sure that this helps, but below is how I solved a similar issue by generating an include file inside the Dockerfile using env variables, but this is not a good approach for sensitive data.
    echo "\
    modparam(\"http_client\", \"httpcon\", \"apiserver=>https://$apiurl\"); \
    " >> /kamailio.apiurl
I believe you can use Docker secrets, as described below, but I never used them so I can't help much:
https://medium.com/@basi/docker-environment-variables-expanded-from-secrets-8fa70617b3bc
With kind regards,
Jurijs
On Thu, Nov 16, 2017 at 11:34 AM, Daniel Tryba <d.tryba@pocos.nl> wrote:
On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
I'm working for a UK high street bank and our Kamailio implementation has been challenged because we've got database passwords held in clear in the configuration file.
...
My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
You can define a value for a token to be used inside kamailio.cfg by using the -A command line parameter. So when you start kamailio, fetch the password from your secure system by whatever means, then build the database URL based on it and run kamailio with:
    kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
My guess is the next problem will be the password being visible to all users querying the processlist :)
Is including a file (import_file) with passwords an option? Generate the file just before startup, remove it (of course in a secure way (shred the file and overwrite all free space with multiple patterns a few dozen times (ask the auditors for the exact specifications that make them happy))) after kamailio is running.
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
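The thread's two suggestions combined (read a Docker secret at start-up, write it into a file that kamailio.cfg pulls in with import_file, so the password never appears on the command line), as an added example that is not code from any of the posters. The variable names DB_USER, DB_HOST and DB_NAME, their defaults, the secret name and the output path are assumptions; Docker mounts secrets under /run/secrets/ by default.

```shell
#!/bin/sh
# Added example: render a Kamailio include file from a Docker secret.
# Assumed names (not from the thread): DB_USER, DB_HOST, DB_NAME and both paths.

render_dburl_include() {
    secret_file=$1   # e.g. /run/secrets/kamailio_db_password (assumed secret name)
    out_file=$2      # file that kamailio.cfg pulls in with import_file

    [ -r "$secret_file" ] || { echo "secret not readable: $secret_file" >&2; return 1; }

    # Command substitution strips the trailing newline of the secret file.
    pw=$(cat "$secret_file")
    [ -n "$pw" ] || { echo "secret is empty" >&2; return 1; }

    # Accept only URL-unreserved characters: anything else (quote, '@', '/',
    # ':', whitespace) could end the quoted cfg string or change how the DB
    # URL is split, so it is rejected instead of being written out.
    case $pw in
        *[!A-Za-z0-9._~-]*)
            unset pw
            echo "secret contains unsupported characters" >&2
            return 1 ;;
    esac

    (
        # Owner-only permissions from creation; the rename makes the file
        # appear complete or not at all.
        umask 077
        tmp=$(mktemp "${out_file}.XXXXXX") || exit 1
        printf '#!define DBURL "mysql://%s:%s@%s/%s"\n' \
            "${DB_USER:-kamailio}" "$pw" "${DB_HOST:-dbhost}" "${DB_NAME:-kamailio}" \
            > "$tmp" && mv -f "$tmp" "$out_file"
    )
    rc=$?
    unset pw         # do not keep the password in the entrypoint's shell
    return $rc
}

# Entrypoint usage (paths are assumptions):
#   render_dburl_include /run/secrets/kamailio_db_password /run/kamailio/dburl.cfg
#   then start kamailio, whose kamailio.cfg has: import_file "/run/kamailio/dburl.cfg"
```

The generated file can be deleted once Kamailio has finished loading its configuration, as suggested in the thread.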