Db2


Bug report: Docker image should support DB2INST1_PASSWORD as *secret* not only as environment variable

  • 1.  Bug report: Docker image should support DB2INST1_PASSWORD as *secret* not only as environment variable

    Posted Mon September 21, 2020 11:08 AM
    Hi,

    This is my first post here. Is there a searchable issue tracker for db2 anywhere?

    My question / bug report: Is there any way to supply the password for the database as a `secret` instead of as an environment variable?

    Environment variables leak all over the place and are much less secure than secrets.

    Secrets were introduced to docker in 2017 - ages ago in cloud lingo... Docker Engine release notes

    It should be an easy fix in /var/db2_setup/lib/setup_db2_instance.sh or one of the scripts it sources...

    Cheers,

    Peter



    ------------------------------
    Peter Mørch
    ------------------------------

    #Db2


  • 2.  RE: Bug report: Docker image should support DB2INST1_PASSWORD as *secret* not only as environment variable

    IBM Champion
    Posted Tue September 22, 2020 02:20 AM
    I think this is more or less a question for the IBM developers, but: secrets can only be used within a service / swarm (productive usage) -> create your own image based on ibmcom/db2 and access the secrets to set the instance user password (and maybe additional ones for other OS users). For testing systems that do not use swarm/services, you can execute the run command without a password given as a parameter. The user will be created with a generated 12-character password (that is not exposed anywhere). Therefore you will have to set it afterwards (this could be included in your Ansible / deployment scripts).

    ------------------------------
    Markus Fraune
    ------------------------------
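
    The "own image based on ibmcom/db2" approach from the reply above, as an added example that is not part of the thread or of the ibmcom/db2 image: a wrapper entrypoint that reads the password from the secret file Docker mounts under /run/secrets/<name>, exports it only inside the container process tree, and then execs the image's own setup script. The secret name db2inst1_password, the DB2INST1_PASSWORD_FILE and DB2_SETUP_SCRIPT variables and the script name db2-entrypoint.sh are assumptions for this example; the upstream path /var/db2_setup/lib/setup_db2_instance.sh is the one named in the original post and is taken on trust here.

```shell
#!/bin/sh
# db2-entrypoint.sh: added example wrapper, not part of the ibmcom/db2 image
# or of this thread. It resolves the db2inst1 password from a Docker secret
# file (swarm mounts secrets under /run/secrets/<name>) and only then hands
# off to the image's own setup script. Names below that do not come from the
# image itself are assumptions made for this example:
#   DB2INST1_PASSWORD_FILE  - where the secret is mounted (assumed name)
#   DB2_SETUP_SCRIPT        - the upstream entrypoint; the thread names
#                             /var/db2_setup/lib/setup_db2_instance.sh
set -eu

# resolve_db2_password FILE
# Prints the password to stdout and returns 0 when one is available:
#   1. the contents of FILE (trailing CR/LF stripped, since editors add them),
#   2. otherwise the DB2INST1_PASSWORD environment variable, if non-empty.
# Returns 1 and prints nothing when neither source yields a password, so the
# caller can let the image fall back to its own behaviour (run without one).
resolve_db2_password() {
  file="$1"
  if [ -r "$file" ]; then
    pw=$(tr -d '\r\n' < "$file")
    if [ -n "$pw" ]; then
      printf '%s' "$pw"
      return 0
    fi
  fi
  if [ -n "${DB2INST1_PASSWORD:-}" ]; then
    printf '%s' "$DB2INST1_PASSWORD"
    return 0
  fi
  return 1
}

main() {
  secret_file="${DB2INST1_PASSWORD_FILE:-/run/secrets/db2inst1_password}"
  upstream="${DB2_SETUP_SCRIPT:-/var/db2_setup/lib/setup_db2_instance.sh}"

  if pw=$(resolve_db2_password "$secret_file"); then
    # The setup script still reads DB2INST1_PASSWORD from its environment; the
    # gain is that the value never appears in the compose/stack file, on the
    # docker run command line or in `docker inspect` Config.Env, only in the
    # environment of this process tree inside the container.
    DB2INST1_PASSWORD="$pw"
    export DB2INST1_PASSWORD
  else
    echo "db2-entrypoint: no password secret or variable, leaving it to the image" >&2
  fi
  exec "$upstream" "$@"
}

# Only act as an entrypoint when installed under this name; sourcing the file
# (for instance to reuse resolve_db2_password elsewhere) does not start Db2.
case "${0##*/}" in
  db2-entrypoint.sh) main "$@" ;;
esac
```

    To use it, build the derived image with a Dockerfile that starts FROM ibmcom/db2, COPYs db2-entrypoint.sh to a fixed path, marks it executable and sets it as the ENTRYPOINT, then deploy the service with the secret attached (docker secret create db2inst1_password, and secrets: [db2inst1_password] in the stack file). The secret file takes precedence over the variable, so a leftover DB2INST1_PASSWORD in a compose file cannot silently override the managed secret. The caveat a reviewer should keep in mind: the password is still present in the setup script's process environment (readable via /proc/<pid>/environ by root inside the container), so this removes it from the deployment configuration and the Docker API, not from the running process.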



  • 3.  RE: Bug report: Docker image should support DB2INST1_PASSWORD as *secret* not only as environment variable

    Posted Tue September 22, 2020 04:18 AM
    Sure, it is not usable everywhere. That is true for very many configuration options. But the ability to use secrets when they are applicable is a vast improvement over environment variables.

    Thanks for the pointer that instead of using the environment variable, I could just set it "the old fashioned way" post-creation.

    ------------------------------
    Peter Mørch
    ------------------------------