docker-compose secrets without swarm

1

19

I don't want to use docker secrets with swarm and I discovered that it's possible to do that. Basically docker just mounts /run/secrets inside the docker container, but when I enter the newly built docker container and do echo $POSTGRES_PASSWORD_FILE I get the path to my secret file.

root@94a0f092eeb1:/# echo $POSTGRES_PASSWORD_FILE
/run/secrets/db_password

Here is my docker-compose.yml file

version: '3.1'
services:
  postgres:
    image: postgres:9.4
    container_name: postgres
    environment:
      POSTGRES_USER: "db_user"
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
      POSTGRES_DB: "my_db"
    secrets:
      - db_password
    volumes:
      - ./postgres:/var/lib/postgresql/data
    expose:
      - 5432
secrets:
  db_password:
    file: ./POSTGRES_PASSWORD.txt

Is my password set correctly? Is there something wrong with my file?

Sparing answered 12/12, 2018 at 20:53 Comment(1)
Hello! Not sure what the issue here is. What do you expect from "echo $POSTGRES_PASSWORD_FILE"? - Bearnard
15

Ok, so all I had to do was remove

volumes:
    - ./postgres:/var/lib/postgresql/data

I'll try to figure out how to fix it, but essentially I answered my own question.

Here is a working example of a docker-compose.yml file with secrets, without using docker swarm:

version: '3.1'
services:
  postgres:
    image: postgres:9.4
    container_name: postgres
    environment:
      POSTGRES_USER: "db_user"
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
      POSTGRES_DB: "my_db"
    secrets:
      - db_password
    ports:
      - "8888:5432"
secrets:
  db_password:
    file: ./POSTGRES_PASSWORD
Sparing answered 12/12, 2018 at 22:0 Comment(7)
@stackoverflowed: From a security perspective, not too secure. Just wanted to know if it's possible to do all of this without docker swarm. - Sparing
It also means that you can now push your docker-compose.yml to your git repo without your password in it. - Whitefish
I'm interested in the concept. It seems that the same could be accomplished through a .env file in .gitignore. The more interesting question is how to share these secrets with your team. - Kinson
In all the examples I have gone through, I never found a sample secret file with multiple key-value pairs. Is it possible to have multiple parameters in one secret file? - Cavefish
@JinnaBalu Unless the image you're using supports reading multiple parameters from one file / env variable, no. - Lorou
It should support that. - Cavefish
This works, but the local file has to have very broad permissions to ensure that the Postgres container user can read it. That defeats the purpose of making it secret. - Detrain
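The mechanism the answer relies on, as an added example that is not code from the original post or from the postgres image: the `_FILE` convention (take a value from the environment variable, or from the file its `_FILE` twin names, such as POSTGRES_PASSWORD_FILE=/run/secrets/db_password) reimplemented as a POSIX sh function, handling the two failure modes that matter here: both variants set at once, and a secret file the container user cannot read (the permissions problem raised in the comments). The function name, the variable names and the temporary secret file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the postgres image.
# file_env VAR [DEFAULT]: export VAR from $VAR, or from the file named by
# $VAR_FILE (the /run/secrets/<name> path a compose secret is mounted at),
# or else from DEFAULT.
file_env() {
    var="$1"
    fileVar="${var}_FILE"
    def="${2:-}"
    eval "val_direct=\"\${$var:-}\""
    eval "val_file=\"\${$fileVar:-}\""
    # Refuse to start when both are set: a stray plaintext variable must
    # never silently win over (or lose to) the mounted secret.
    if [ -n "$val_direct" ] && [ -n "$val_file" ]; then
        echo "error: both $var and $fileVar are set; set exactly one" >&2
        return 1
    fi
    val="$def"
    if [ -n "$val_direct" ]; then
        val="$val_direct"
    elif [ -n "$val_file" ]; then
        # The secret is bind-mounted with the host file's mode; if the
        # container user cannot read it, fail loudly instead of starting
        # with an empty password.
        if [ ! -r "$val_file" ]; then
            echo "error: $fileVar=$val_file is missing or not readable" >&2
            return 1
        fi
        # $(cat ...) drops the trailing newline most editors add to the file.
        val=$(cat "$val_file")
    fi
    export "$var=$val"
    unset "$fileVar"
}

# Demo on a constructed secret file standing in for /run/secrets/db_password.
demo_secret=$(mktemp)
printf 's3cr3t\n' > "$demo_secret"
chmod 0400 "$demo_secret"
POSTGRES_PASSWORD_FILE="$demo_secret"
export POSTGRES_PASSWORD_FILE
file_env POSTGRES_PASSWORD
echo "POSTGRES_PASSWORD resolved from file (${#POSTGRES_PASSWORD} characters)"
unset POSTGRES_PASSWORD
rm -f "$demo_secret"
```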
