OwO-Network/DeepLX

Ability to provide auth keys within file

Closed this issue · 4 comments

Currently, we can only provide auth keys via the docker command. I hope I can have a file to store all my auth keys (one key per line), so I can update keys easily by modifying this file.

I don't want to introduce concepts like "databases" because this project is relatively small, and I don't want it to become bloated.

I personally feel that normal people don't really have a frequent need to change Auth Keys. If you have multiple Auth Keys, it's supported currently. Also, the current code will automatically select the valid Auth Key. You can choose to pass it through the command line or use Docker environment variables, separated only by commas in English mode.

@missuo Similar to MYSQL_ROOT_PASSWORD, providing keys/tokens directly will never be a good choice.

https://dev.mysql.com/blog-archive/docker-secrets-and-mysql-password-management/

Specifying the password directly using MYSQL_ROOT_PASSWORD is the least secure option. When running a Docker container, its environment variables are exposed to both the host system and to the container itself, leaving the password at very high risk of exposure. We’ll leave it as an exercise for the reader to find out how and why; suffice it to say that we strongly discourage this way of doing it in any kind of setting where security is of any concern whatsoever.

https://dev.mysql.com/blog-archive/docker-secrets-and-mysql-password-management/

I think you need to read this article carefully. The reason for doing so is that it is written in the environmental variables only because any value in the environmental variables is visible to both the host machine and the container.

However, this is not for your convenience to change the password. I think no one will change the ROOT password of MYSQL frequently.

BTW, if someone can connect to your server, I think it will be easy for them to see what you have written in the environmental variables or specified in a file, which is essentially no different.

Moreover, this is an open-source project, and as the maintainer of this project, I have the right and obligation to evaluate whether to support or not support a new feature.

In my opinion, the requirements you submitted above are completely unnecessary. If this is your habit of use, you can modify the code and compile it yourself. This project follows the MIT License, and you can do anything you want.

However, this is not for your convenience to change the password. I think no one will change the ROOT password of MYSQL frequently.

I think it will be enough if this project can support a load-once-from-file feature; to change, we can just rebuild/reboot the container.

BTW, if someone can connect to your server, I think it will be easy for them to see what you have written in the environmental variables or specified in a file, which is essentially no different.

Not just for this scenario. For example, many people are using NAS systems (e.g., Synology DSM) to run docker containers, and when they want technical support, the generated log zip file that they need to upload will commonly include all docker config files, which contain all tokens/keys and may cause problems.

In my opinion, the requirements you submitted above are completely unnecessary. If this is your habit of use, you can modify the code and compile it yourself. This project follows the MIT License, and you can do anything you want.

I may; this feature shouldn't be very hard to add.
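A sketch of the load-once-from-file behaviour requested in this thread, added here as an example and not taken from DeepLX: keys come either from a comma-separated value or from a file with one key per line, read once at startup. The variable names `AUTH_KEY` and `AUTH_KEY_FILE` are hypothetical (the latter follows the `_FILE` convention used by Docker official images), and setting both is treated as an error.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Hypothetical variable names for this example; not DeepLX's real configuration.
const envKeys, envKeyFile = "AUTH_KEY", "AUTH_KEY_FILE"

// dedupe trims each candidate and drops blanks and repeats, keeping order.
func dedupe(in []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, k := range in {
		if k = strings.TrimSpace(k); k != "" && !seen[k] {
			seen[k] = true
			out = append(out, k)
		}
	}
	return out
}

// resolveAuthKeys loads keys once at startup. Setting both sources is an
// error, so a stale inline value cannot silently shadow the file.
func resolveAuthKeys(getenv func(string) string) ([]string, error) {
	inline, path := getenv(envKeys), getenv(envKeyFile)
	if inline != "" && path != "" {
		return nil, fmt.Errorf("%s and %s are mutually exclusive", envKeys, envKeyFile)
	}
	if path == "" {
		// Inline form: comma-separated keys.
		return dedupe(strings.Split(inline, ",")), nil
	}
	// File form: one key per line; TrimSpace in dedupe also handles CRLF.
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read key file: %w", err)
	}
	return dedupe(strings.Split(string(data), "\n")), nil
}

func main() {
	keys, err := resolveAuthKeys(os.Getenv)
	// Report only the count; the keys themselves never reach the log.
	fmt.Printf("loaded %d auth key(s), err=%v\n", len(keys), err)
}
```

With the file form, the container's recorded configuration holds only a path, so an exported config or support bundle does not carry the keys unless the file itself is included.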