add logging warning to paranoid.md

Update documentation with logging warning; closes #189 .
2016-12-31 01:27:28 -05:00 · 2016-12-31 01:27:28 -05:00 · 6028a2b5b7
commit 6028a2b5b7
parent 9d1c90cde7
1 changed files with 8 additions and 0 deletions
--- a/docs/paranoid.md
+++ b/docs/paranoid.md
@ -36,6 +36,14 @@ EasyRSA will generate 4096 bit RSA keys when the `-e EASYRSA_KEY_SIZE=4096` argu
    docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
    docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass

+## Logging and stdout
+
+Because you are running within Docker, remember that any command that generates output to stdout may also log that output through Docker's log-driver mechanism. That may mean that e.g. keying material generated by `ovpn_getclient` will be logged somewhere that you don't want it to be logged.
+
+A simple way to avoid having Docker log output for a given command is to run with `--log-driver=none`, e.g
+
+    docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient USER > USER.ovpn
+
 ## Additional Resources

 Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.