14

I put Docker in swarm mode and did the following:

```sh
echo "'admin'" | docker secret create password -
docker service create \
  --network="host" \
  --secret source=password,target=password \
  -e PASSWORD='/run/secrets/password' \
  <image>
```

I was not able to pass the password secret created via environment variable through docker service.

Please help me out where I am going wrong.

philnash

2 Answers

11

You are misunderstanding the concept of docker secrets. The whole point of creating secrets is avoiding putting sensitive information into environment variables.

In your example the PASSWORD environment variable will simply carry the value /run/secrets/password which is a file name and not the password admin.

A valid use case of docker secrets would be that your docker image reads the password from that file. Check out the docs here, especially the example about MySQL:

> the environment variables MYSQL_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE to point to the files /run/secrets/mysql_password and /run/secrets/mysql_root_password. The mysql image reads the password strings from those files when initializing the system database for the first time.

In short: your docker image should read the content of the file /run/secrets/password

Martin Peck
Fabian Braun
  • What can be the best way to achieve what i am looking for – Satyanvesh Muppaneni Sep 25 '18 at 08:29
  • In here my mysql is running locally on operating systems not on image – Satyanvesh Muppaneni Sep 25 '18 at 09:38
  • 1
    How to let environment variable use the content inside file where the secret key is stored – Satyanvesh Muppaneni Sep 27 '18 at 08:06
  • 15
    @fab I disagree, the whole point of secrets is to avoid storing sensitive information in anything that might be distributed or stored in version control systems, such as config files or docker images. [Kubernetes supports passing secrets to env variables as a basic use case.](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets) – RAM Oct 12 '19 at 19:06
  • 1
    @RAM I'm only referring to _docker_ secrets here. [The docs](https://docs.docker.com/engine/swarm/secrets/) state: Docker secrets do not set environment variables directly. This was a conscious decision, because environment variables can unintentionally be leaked between containers. – Fabian Braun Oct 12 '19 at 21:03
8

There is no standard here.

Docker docs discourage using environment variables, but there is confusion whether it is about setting the password directly as a string in the "environment" section or about other usage of environment variables within the container. Also, using a string instead of a secret when the same value might be used in multiple services requires checking and changing it in multiple places instead of one secret value.

Some images, like mariadb, are using env variables with a _FILE suffix to populate the suffixless version of the variable with the secret file contents. This seems to be ok.

Using Docker should not require redesigning the application architecture only to support secrets in files. Most other orchestration tools, like Kubernetes, support putting secrets into env variables directly. Nowadays it is rather not considered bad practice. Docker Swarm simply lacks good practices and proper examples for passing a secret to an env variable.

IMHO best way is to use entrypoint as a "decorator" to prepare environment from secrets.

A proper entrypoint script can be written as an almost universal way of processing secrets, because we can pass the original image entrypoint as an argument to our new entrypoint script, so the original image "decorator" is doing its own work after we prepare the container with our script.

Personally I am using the following entrypoint with images containing /bin/sh: https://github.com/DevilaN/docker-entrypoint-example

DevilaN
  • That script is very interesting, but hard to understand. Are there any docs to learn more? – lonix Jul 03 '23 at 02:35
  • @lonix if you have any questions regarding my entrypoint script then feel free to ask them on github repo page and I will gladly answer. – DevilaN Jul 04 '23 at 08:24