
I had browsed through a lot of related posts but still didn't resolve this issue. I am quite new to Docker, so sorry if this is repeated. So for my project, I have a shell script named vault-until.sh, which gets secrets from Vault and exports those secrets, like `export DB_Password_Auto=(Some Vault operations)`. What I want to achieve is to copy this file to the Docker container and source this file in the Dockerfile, so that those secrets can be accessed as environment variables inside the container. The code I have right now inside the Dockerfile is:

```dockerfile
COPY vault-until.sh /build
RUN chmod +x /build/vault-until.sh
RUN /bin/sh -c "source /build/vault-util.sh"
```

After I log in to the container through `docker exec -it -u build container-name /bin/bash`, the environment var is still empty. It shows only after I type the source command again in the CLI. So I am wondering: is this mechanism of accessing Vault secrets as env vars actually plausible? If so, what do I need to modify in the Dockerfile to make this work? Thank you!

Daniel Widdis
Wu Qintian
  • You are running your container with a different shell than the one you sourced the file with. Use `RUN /bin/bash -c "source /build/vault-util.sh"` to have the same shell as the one you run your container with. – β.εηοιτ.βε Apr 15 '22 at 22:16
  • @β.εηοιτ.βε Thanks for your reply! I also tried /bin/bash and it doesn't work. – Wu Qintian Apr 15 '22 at 23:41
  • For reference, I tried most of the approaches under this post: https://stackoverflow.com/questions/20635472/using-the-run-instruction-in-a-dockerfile-with-source-does-not-work – Wu Qintian Apr 15 '22 at 23:57

1 Answer

If you have a script that gets secrets from Vault, you probably need to re-run it every time the container starts. You don't want to compromise the secrets by putting them in a Docker image where they can be easily extracted, and you don't want an old version of a credential "baked into" an image if it changes in Vault.

You can use an entrypoint wrapper script to run this when the container starts up. This is a script you set as the container ENTRYPOINT; it does first-time setup like setting dynamic environment variables and then runs whatever is the container CMD.

```sh
#!/bin/sh
# entrypoint.sh

# Get a set of credentials from Vault (sourced in this shell, so the
# exported variables stay in this process).
. /build/vault-util.sh

# Run the main container command; exec replaces this shell, so the CMD
# inherits the environment built above.
exec "$@"
```

In your Dockerfile, you need to make sure you COPY this in and set it as the ENTRYPOINT, but you don't need to immediately RUN it.

```dockerfile
# With more than one source, the COPY destination must be a directory ending in "/".
# entrypoint.sh must be executable (chmod +x it before COPY, or add a RUN chmod +x).
COPY vault-util.sh entrypoint.sh /build/
# ENTRYPOINT must use JSON-array (exec) syntax so that "$@" receives the CMD;
# Dockerfile comments must sit on their own line, not after an instruction.
ENTRYPOINT ["/build/entrypoint.sh"]
CMD same command as originally
```

You won't be able to see the secrets with tools like docker inspect (this is good!). But if you want to you can run a test container to dump out the results of this setup. For example,

```sh
docker run --rm ... your-image env
```

replaces the Dockerfile's CMD with env, which prints out the environment and exits. This gets passed as arguments to the entrypoint, so first it runs the script to fetch environment variables and then runs env and then exits.

David Maze
    (`source` isn't a standard shell command, and the environment is reset after every `RUN` command, so `RUN source` is highly unlikely to work; also see [Using the RUN instruction in a Dockerfile with 'source' does not work](https://stackoverflow.com/questions/20635472/using-the-run-instruction-in-a-dockerfile-with-source-does-not-work).) – David Maze Apr 16 '22 at 00:38
  • Thank you so much for your detailed reply! Following your solution, I am able to see the secrets in the environments with the docker run command. But if I try to log in to the container with docker exec command, the secret is not listed in the environments. Could you please advise on this issues? Thank you in advance! – Wu Qintian Apr 16 '22 at 15:05
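The following is an added example, not code from the question or the answer above. It reproduces in plain POSIX sh (no Docker needed) why `RUN /bin/sh -c "source file"` leaves later steps and later shells without the variables, and what the entrypoint wrapper does instead, with one addition a practitioner would want: the wrapper fails closed if a required credential is missing rather than starting the service with an empty value. The Vault script is a constructed stand-in that exports a constant instead of calling Vault; the function names and the variable `DB_Password_Auto` (taken from the question) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the question or answer). Models a Dockerfile RUN step
# versus an entrypoint wrapper using ordinary shell processes.

# Write a constructed stand-in for vault-util.sh to a temp dir and print its path.
# The real script would query Vault here; this one exports a fixed value so the
# example runs offline.
make_fake_vault_util() {
  dir=$(mktemp -d)
  cat > "$dir/vault-util.sh" <<'EOF'
# Constructed stand-in: the real script would call Vault here.
export DB_Password_Auto="constructed-secret"
EOF
  printf '%s\n' "$dir/vault-util.sh"
}

# Like a Dockerfile RUN step: a child /bin/sh sources the file and then exits.
# Whatever it exported dies with that child, so the caller (the "next step", or
# a later docker exec shell) sees nothing. Prints the value visible afterwards;
# expected to be empty.
run_step_style() {
  unset DB_Password_Auto
  /bin/sh -c ". \"$1\""
  printf '%s' "${DB_Password_Auto:-}"
}

# Fail closed: return 1 if any named variable is unset or empty, so the container
# never starts its CMD with a missing credential.
require_vars() {
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "entrypoint: required variable $name is not set" >&2
      return 1
    fi
  done
  return 0
}

# Like the entrypoint wrapper: source the script in the *current* shell, verify
# the variables, then exec the CMD in that same process so it inherits them.
# Wrapped in a subshell here only so the demo does not replace the calling shell.
entrypoint_style() {
  script=$1
  shift
  (
    . "$script" || exit 1
    require_vars DB_Password_Auto || exit 1
    exec "$@"
  )
}

# Usage: the CMD stands in for the real service and just prints what it inherited.
# f=$(make_fake_vault_util)
# run_step_style "$f"                                            # prints nothing
# entrypoint_style "$f" sh -c 'printf %s "$DB_Password_Auto"'   # prints the secret
```

The same mechanism explains the follow-up comment: `docker exec` starts a new process that does not pass through the entrypoint, so a shell opened that way has to source the script again itself, exactly as the asker observed when typing the source command by hand.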