Docker secrets passing as environment variable
I put Docker in swarm mode and did the following:

echo "'admin'" | docker secret create password -
docker service create \
    --network="host" \
    --secret source=password,target=password \
    -e PASSWORD='/run/secrets/password' \
    <image>

I was not able to pass the password secret created via the environment variable through docker service.

Please help me out where I am going wrong.

Ulpian answered 25/9, 2018 at 7:0 Comment(0)
You are misunderstanding the concept of docker secrets. The whole point of creating secrets is avoiding putting sensitive information into environment variables.

In your example the PASSWORD environment variable will simply carry the value /run/secrets/password which is a file name and not the password admin.

A valid use case of docker secrets would be that your docker image reads the password from that file. Check out the docs here, especially the example about MySQL:

the environment variables MYSQL_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE to point to the files /run/secrets/mysql_password and /run/secrets/mysql_root_password. The mysql image reads the password strings from those files when initializing the system database for the first time.

In short: your docker image should read the content of the file /run/secrets/password.

Schwenk answered 25/9, 2018 at 7:20 Comment(5)
What can be the best way to achieve what I am looking for? - Ulpian
Here my mysql is running locally on the operating system, not in an image. - Ulpian
How to let an environment variable use the content inside the file where the secret key is stored? - Ulpian
@fab I disagree, the whole point of secrets is to avoid storing sensitive information in anything that might be distributed or stored in version control systems, such as config files or docker images. Kubernetes supports passing secrets to env variables as a basic use case. - Lyndialyndon
@Lyndialyndon I'm only referring to docker secrets here. The docs state: Docker secrets do not set environment variables directly. This was a conscious decision, because environment variables can unintentionally be leaked between containers. - Schwenk
There is no standard here.

Docker docs discourage using environment variables, but there is confusion whether it is about setting the password directly as a string in the "environment" section or about other usage of environment variables within the container. Also, using a string instead of a secret when the same value might be used in multiple services requires checking and changing it in multiple places instead of one secret value.

Some images, like mariadb, use env variables with a _FILE suffix to populate the suffixless version of the variable with the secret file's contents. This seems to be ok.

Using Docker should not require redesigning the application architecture only to support secrets in files. Most other orchestration tools, like Kubernetes, support putting secrets into env variables directly. Nowadays it is rather not considered bad practice. Docker Swarm simply lacks good practices and proper examples for passing a secret to an env variable.

IMHO the best way is to use the entrypoint as a "decorator" to prepare the environment from secrets.

A proper entrypoint script can be written as an almost universal way of processing secrets, because we can pass the original image entrypoint as an argument to our new entrypoint script, so the original image "decorator" is doing its own work after we prepare the container with our script.

Personally I am using the following entrypoint with images containing /bin/sh: https://github.com/DevilaN/docker-entrypoint-example

Reface answered 17/11, 2021 at 14:21 Comment(2)
That script is very interesting, but hard to understand. Are there any docs to learn more? - Leap
@Leap if you have any questions regarding my entrypoint script then feel free to ask them on the github repo page and I will gladly answer. - Reface