microsoft / go-sqlcmd

The new sqlcmd, CLI for SQL Server and Azure SQL (winget install sqlcmd / sqlcmd create mssql / sqlcmd open ads)

Home Page: https://learn.microsoft.com/sql/tools/sqlcmd/go-sqlcmd-utility

Investigate and secure containers spawned by sqlcmd

apoorvdeshmukh opened this issue · comments

SQL Server instances spawned by sqlcmd should provide support for encrypted connections.
This doc describes how the containers can be secured.
This is also helpful in testing.

The following is the summary.
SQL Server can be configured to run with self-signed certificates using this doc.
The certificates can be put inside the container image by mounting a host drive onto the container instance at run time, using -v <hostPath>:<containerPath> in the docker run command.
The certificate itself can be generated and configured within the container using openssl and /opt/mssql/bin/mssql-conf.

Below are the example commands:

docker run -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=<redacted>" -p 5433:1433 --name localhost --hostname localhost -v C:\Users\user\Desktop\certs:/home/certs -d mcr.microsoft.com/mssql/server:2022-latest

C:\Users\user\Desktop>docker ps
CONTAINER ID   IMAGE                                        COMMAND                  CREATED         STATUS         PORTS                    NAMES
8707870c67bb   mcr.microsoft.com/mssql/server:2022-latest   "/opt/mssql/bin/perm…"   4 seconds ago   Up 4 seconds   0.0.0.0:5433->1433/tcp   localhost

docker exec -it -u root 8707870c67bb bash

chown mssql mssql.*
/opt/mssql/bin/mssql-conf set network.tlscert /etc/ssl/certs/mssql.pem
/opt/mssql/bin/mssql-conf set network.tlskey /etc/ssl/private/mssql.key
/opt/mssql/bin/mssql-conf set network.tlsprotocols 1.2
/opt/mssql/bin/mssql-conf set network.forceencryption 0

Currently, TDS8 connections don't work against SQL Server on Linux. Will revisit this once this is supported.
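
An added example, not part of the issue and not go-sqlcmd code: a Go client-side check of when a self-signed server certificate is accepted, showing that it must be explicitly trusted and must carry the name the container was started with (`--hostname localhost` above). The certificate is generated here with Go's crypto/x509 instead of openssl; `selfSigned`, `clientAccepts` and the name `sqlhost` are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a self-signed server certificate for host (constructed for this demo).
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // Go matches SAN entries, never the CN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientAccepts reports whether a client trusting only `trusted` accepts `presented` for host.
func clientAccepts(presented, trusted *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	cert, err := selfSigned("localhost") // matches --hostname localhost above
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned cert, matching name:", clientAccepts(cert, cert, "localhost"))
	fmt.Println("pinned cert, other name:   ", clientAccepts(cert, cert, "sqlhost"))
}
```

A second self-signed certificate for the same name is rejected as well, because only the pinned certificate is in the trust pool.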