1

I am building out my product environments using Docker and want to make sure my secrets and keys are secure. To do so, I would like to use .env files. For convenience sake, I would like to avoid dealing with Docker secrets.

For local development I am using OpenFaas which requires the image be pushed to Docker Hub for use with k3s OpenFaas. I am concerned that the Docker Hub image may contain the variables from the .env file used with docker-compose.yaml.

Are the environment variables included in the Docker Hub image repository?

The docs and This stack overflow response suggest that environment variables are only used at "runtime", which I understand to mean they are not included. That should mean only someone with admin access to the server would be able to inspect the image for the secrets. Am I wrong in this assumption? Should I be using Docker secrets?

Update 08/19/21

Through testing I feel more confident that the .env variables are not included in the image on Docker Hub. Note I am using OpenFaas faas-cli to handle docker deployment. To test this I did the following:

  1. Comment out the environment_file: section of the .yml file
  2. Upload the image using faas-cli up <functions>.yml (this part builds and pushes the docker image to a Docker Hub repository, then deploys the OpenFaas function)
  3. Invoke the function. The function simply returns the environment variable. With the environment variables "commented out" of the .yml file, the function returns "undefined" meaning the variable is not available to the function.

This gave me some confidence, but not as much as I'd like, so next I did the following:

  1. Uncomment the environment_file: section of the .yml file
  2. Run the command faas-cli up -f <functions>.yml --no-cache --skip-push.
  3. Invoke the function

--no-cache ensures that the image is pulled fresh, --skip-push skips the part where the docker image is pushed to the Docker Hub repository. Thus the "build" of the image should use the image created with the "environment_file" commented out, but now "run" with the environment_file uncommented on the local .yml file.

After invoking the function this time, the variable is available and returns appropriately. As long as my interpretation of how the build, push, and deploy portions of the faas-cli works is correct, then I feel confident the .env file and variables are not part of the Docker Hub image.

Jason
  • 555
  • 6
  • 14

1 Answers1

0

If you use docker-compose for making images ( for some odd reason ) there are 2 ways to pass variables.

Passing them directly into the docker-compose and pointing to the file which contains variables.

In both cases as you said the variables are passed at the runtime. Which means if you use the variable file, the one who runs the container has to have that file on their system and if you pass it directly into the docker compose someone has to pass these variables again when running the docker images. ( They need to pass it along with the docker run command )

Johnny9
  • 436
  • 5
  • 8
  • 1
    It seems like you're saying that the .env file and variables are not part of the image, but I'm not sure I've understood correctly. Are they in the image hosted on Docker Hub? – Jason Jul 17 '21 at 20:49
  • Sorry for replying late, yes that's what I think and wanted to say. The best way to see that in action is to upload a test image to docker hub with test variables in it. When you do that pull the image to your local machine and test to see if the test variables is present or not. That would have been faster instead of waiting for me to reply anyway. – Johnny9 Jul 18 '21 at 12:40
  • I took your advice and did a little testing, but with a twist on your suggestion. It seems that when I "build" is when the "environment_file" portion of the .yml file is applied, using whatever image has been uploaded to Docker Hub. Still, I would like to see somewhere in the docs, or a better reasoned explanation for whether environment files and secrets are present in Docker Hub images. – Jason Jul 19 '21 at 21:58
  • Yeah I understand your concern, when I research a topic I want to see that my problem is described in the docs too. But since for now you can't seem to find any reliable source for your problem I would suggest trusting yourself. You saw from your tests that variables are not present in the image and that should be a go sign. Anyways good luck in future research I hope I helped with anything! – Johnny9 Jul 20 '21 at 06:31