5

I need to create a MariaDB Docker container and set the root password, but the password is set using an argument on the command line, which is very dangerous because it is stored in .bash_history.

I tried to use secrets using print pass | docker secret create mysql-root -, but I have the same problem: the password is saved into .bash_history. The docker secret is not very secret.

I tried to use an interactive command:

while read -e -r line; do printf '%s' "$line" | docker secret create mysql-root -; break; done;

But it is very ugly xD. What is a better way to create a docker secret without saving it into the bash history, but without removing all bash history?

e-info128

3 Answers

2

The simplest way I have found is to use the following:

docker secret create private_thing -

Then enter the secret on the command line, followed by Ctrl-D twice.

0

You could try

printf '%s' "$line" | sudo docker secret create MYSQL_ROOT_PASSWORD -

and then

docker run --name some-mysql -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root -d mariadb:tag

The information concerning using secrets with MariaDB can be found on the MariaDB page of DockerHub.

"Docker Secrets

As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/<secret_name> files. For example:

$ docker run --name some-mysql -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root -d mariadb:tag

Currently, this is only supported for MYSQL_ROOT_PASSWORD, MYSQL_ROOT_HOST, MYSQL_DATABASE, MYSQL_USER, and MYSQL_PASSWORD"

David Buck
Jean-Louis
0

You can use the openssl rand option to generate a random string and pass it to the docker secret command, i.e.

openssl rand -base64 10| docker secret create my_sec -

The openssl rand option will generate a 10-byte base64-encoded random string.

vishy dewangan
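One way to combine the approaches in the answers above, as an added example that is not code from any of the posters: a POSIX shell function, hypothetically named create_secret, that prompts for the value with terminal echo switched off and pipes it to docker secret create. Only the secret name appears on the command line, so only the name reaches the shell history.

```shell
# Added example (hypothetical helper name). Usage: create_secret mysql-root
# Only "create_secret <name>" is typed, so the value never enters history.
create_secret() {
    _name=$1
    _value=
    [ -n "$_name" ] || { echo "usage: create_secret <secret-name>" >&2; return 2; }

    if [ -t 0 ]; then
        # Interactive: switch terminal echo off while the value is typed,
        # and restore the saved terminal settings if interrupted.
        _tty=$(stty -g)
        trap 'stty "$_tty"' INT TERM
        stty -echo
        printf 'Value for secret "%s": ' "$_name" >&2
        IFS= read -r _value || true
        stty "$_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        # Non-interactive: take the first line of stdin, e.g. the output
        # of a password manager or of openssl rand.
        IFS= read -r _value || true
    fi

    if [ -z "$_value" ]; then
        echo "create_secret: empty value, nothing created" >&2
        return 1
    fi

    # printf is a builtin in bash and dash, so the value is not handed to an
    # external process as an argument. The '%s' format stores no trailing
    # newline and keeps characters such as % or \ literal.
    printf '%s' "$_value" | docker secret create "$_name" -
    _rc=$?
    unset _value
    return "$_rc"
}
```

Run interactively as create_secret mysql-root, or feed it a generated value with openssl rand -base64 10 | create_secret my_sec.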