How are other folks handling sensitive data in Docker container logs?

For example, if someone connects to a container and shows credentials or pulls up some user data (legitimate or otherwise).

Are you just scrubbing your logs thoroughly before indexing, or doing something to avoid the data hitting the logs at all?

#docker #containers #devops

@jamesiarmes I'm trying to understand why docker is part of the question. Avoiding logging sensitive or secret data (and/or scrubbing it before forwarding it to some indexer) is a topic with or without docker in the picture.
I don't have a generic answer (I guess I avoid logging secrets when I can?) but I'm curious if I misunderstood the question.

@signaleleven sorry, not sure why I just got your notification.

By default, Docker logs everything sent to STDOUT, STDIN, or STDERR. So if someone, say, cats a private key file or echoes a sensitive environment variable while connected to a container, that's now in the logs.

My question isn't whether sensitive data should be logged; it's how others are handling this specific case. Are you scrubbing your logs of this data? Using an alternative log driver? Something else entirely?

@jamesiarmes it's not just docker that logs stdout/stderr. Many init systems do.
To me printing and logging are the same thing, so it's up to the program to avoid logging secrets. Scrubbing is a losing battle.

That being said, if you exec into a running container (open a shell), your actions and their output are not logged. Only stdout/stderr of the container command are logged, so you have less to worry about 😊
Your question was very clear, my bad.
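For the scrubbing-before-indexing option discussed in this thread, here is an added example (not code from any of the posters) of a filter over Docker json-file records that redacts the two cases the original question names: a private key catted to stdout, which spans several records, and a secret-looking environment variable echoed in one line. The record layout is Docker's json-file driver format; the secret-name keyword list and all sample values are constructed assumptions.

```python
import json
import re

# Constructed sample in Docker json-file format (one JSON record per line);
# the values are invented and were not captured from any real host.
SAMPLE_LOG = "\n".join([
    '{"log":"server listening on :8080\\n","stream":"stdout","time":"2024-01-01T00:00:00Z"}',
    '{"log":"DB_PASSWORD=hunter2 region=us-east-1\\n","stream":"stdout","time":"2024-01-01T00:00:01Z"}',
    '{"log":"-----BEGIN RSA PRIVATE KEY-----\\n","stream":"stdout","time":"2024-01-01T00:00:02Z"}',
    '{"log":"MIIEowIBAAKCAQEAexample\\n","stream":"stdout","time":"2024-01-01T00:00:03Z"}',
    '{"log":"-----END RSA PRIVATE KEY-----\\n","stream":"stdout","time":"2024-01-01T00:00:04Z"}',
    '{"log":"request handled\\n","stream":"stderr","time":"2024-01-01T00:00:05Z"}',
])

KEY_BEGIN = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
KEY_END = re.compile(r"-----END [A-Z ]*PRIVATE KEY-----")
# NAME=value pairs whose name hints at a secret; the keyword list is an
# assumption to tune per environment, not an exhaustive rule.
ENV_SECRET = re.compile(
    r"\b([A-Za-z0-9_]*(?:SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY)[A-Za-z0-9_]*)=(\S+)",
    re.IGNORECASE,
)


def scrub_records(json_lines: str) -> list[dict]:
    """Return cleaned json-file records; the body of a multi-record key is dropped."""
    cleaned = []
    in_key = False
    for raw in json_lines.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        msg = rec.get("log", "")
        if in_key:
            # Inside a key that began on an earlier record: drop the whole line.
            if KEY_END.search(msg):
                in_key = False
            continue
        if KEY_BEGIN.search(msg):
            # Replace the header with a placeholder and skip records until END.
            in_key = not KEY_END.search(msg)
            rec["log"] = "[REDACTED PRIVATE KEY]\n"
        else:
            rec["log"] = ENV_SECRET.sub(r"\1=[REDACTED]", msg)
        cleaned.append(rec)
    return cleaned


def scrub_log(json_lines: str) -> str:
    """Same as scrub_records, serialised back to json-file format for an indexer."""
    return "\n".join(json.dumps(r) for r in scrub_records(json_lines))


if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG))
```

A filter like this only catches the patterns it knows about, which is the weakness the thread points to; it complements keeping secrets off the container's stdout/stderr rather than replacing it.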