I'm using supervisor to monitor a gunicorn process for a Django application. My config:
    [program:app]
    environment=
        SETTINGS="%(ENV_SETTINGS)s",
        DB_NAME="%(ENV_DB_NAME)s",
        DB_PASS="%(ENV_DB_PASS)s",
        DB_USER="%(ENV_DB_USER)s",
        EMAIL_HOST_PASSWORD="%(ENV_EMAIL_HOST_PASSWORD)s",
        SECRET_KEY="%(ENV_SECRET_KEY)s"
    command=/home/app/bin/gunicorn_start
    user=username
    autostart=true
    autorestart=true
    redirect_stderr=true
    stdout_logfile=/home/app/logs/gunicorn-error.log
I have the environment variables defined in /etc/bashrc. These variables contain sensitive data (per the recommendation of the "Two Scoops of Django" book to store them in the environment). I have verified with the env command that my variables are present in the environment.
Supervisor is throwing an error that it cannot access my environment variables:
    ERROR: CANT_REREAD: Format string '\nSETTINGS="%(ENV_SETTINGS)s"...' for 'environment' contains names ('ENV_SETTINGS') which cannot be expanded. Available names: ENV_HOME, ENV_LANG, ENV_LOGNAME, ENV_PATH, ENV_SHELL, ENV_USER, group_name, here, host_node_name, process_num, program_name in section 'program:app' (file: '/etc/supervisord/supervisord.conf')
This problem has been described before (link). When launched as a service, supervisor cannot access variables defined in shell configuration files by a particular user. Indeed, the variables that it lists as available are just a small subset of what is available to me if I run the env command.
Where should I define my secrets as env variables? Should I take them out of /etc/bashrc and define them in the supervisor config file? Or in the gunicorn_start script even (/home/app/bin/gunicorn_start)?
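
A preflight check for the failure described above, as an added example that is not part of the original post: it lists the %(ENV_...)s references in a supervisor config that cannot be expanded from a given environment, such as the reduced one supervisord has when started as a service. The sample config is constructed from the one in the question, the function name is hypothetical, and Python's configparser stands in for supervisor's own config loader.

```python
import configparser
import re

# Constructed sample, shortened from the config in the question.
SAMPLE_CONF = """\
[program:app]
environment=
    SETTINGS="%(ENV_SETTINGS)s",
    DB_PASS="%(ENV_DB_PASS)s",
    SECRET_KEY="%(ENV_SECRET_KEY)s"
command=/home/app/bin/gunicorn_start
user=username
"""

# Non-ENV names that the error message in the question lists as available.
BUILTIN_NAMES = {"group_name", "here", "host_node_name",
                 "process_num", "program_name"}

_REF = re.compile(r"%\((\w+)\)s")


def unexpandable_names(conf_text, environ):
    """Return {section: [names]} for %(name)s references that cannot be
    expanded from `environ` (hypothetical helper, not supervisor's API)."""
    parser = configparser.RawConfigParser()  # Raw: leave %(...)s untouched
    parser.read_string(conf_text)
    available = BUILTIN_NAMES | {"ENV_" + key for key in environ}
    missing = {}
    for section in parser.sections():
        names = []
        for _, value in parser.items(section):
            for name in _REF.findall(value):
                if name not in available and name not in names:
                    names.append(name)
        if names:
            missing[section] = names
    return missing


if __name__ == "__main__":
    import os
    import sys
    # With a path argument, check that file; otherwise check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for section, names in unexpandable_names(text, os.environ).items():
        print(f"[{section}] cannot expand: {', '.join(names)}")
```

Run it with the same environment supervisord receives (for example from the service unit or init script), not from an interactive shell that has already sourced /etc/bashrc.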