this post was submitted on 14 Aug 2023
19 points (95.2% liked)
Docker
1104 readers
1 users here now
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Docker has a secrets feature where you can mount a file containing a password into the container. It is not recommended to use environment variables because anyone outside the container can read the environment variables of a process. Then, the idea is that your service should support reading the secret from a file. Most services support it and if they don't you should open an issue because that's the current accepted practice
For services that don't support file secrets, it's possible to assign them to ENV variables and export them before app bootstrap (so pre-entrypoint of sorts) and build a custom docker image. That's what I did for GL runner.
Create your own entrypoint file. Read secret path from an ENV. Read file and assign to an ENV. The ENV containing the secret valie is not visible from the outside. If the service does not support ENV variable secret (like aforementioned GL runner) then it's possible to use the env in a config file and an
envsubst
in the same entrypointIf the value is still passed as an environment variable in the end, it can be read via
/proc/:pid/environ
from another container or from the host if they are both using the same UID (or has--cap-add SYS_PTRACE
)Oh, didn't think about that. Well, at least it works.