1

We can load random data into a container like this:

vars.env

FOO=123
BAR=abc

docker-compose.yml

services:          # top-level key required by the Compose file format (the original snippet omitted it)
  my_service:
    image: my_image
    env_file:
      - ./vars.env   # every KEY=value line becomes an environment variable of the container
    # ...

Is it possible that those environment variables will be logged?

(I'm running the container on linux.)

lonix
  • I don't think Docker/Compose normally logs them, but it's not _impossible_. Nothing stops the container code from running `env`, and if you can run `docker` commands, you can see a lot of things (and pretty easily root the host). What's your specific need here? – David Maze Jun 17 '23 at 10:50
  • @DavidMaze Yes, and one should also consider that the processes in the container could also log the env vars. My need: I'm looking for a safe way to pass secrets into a container without somehow leaking them. Secrets are no good as I'm not using swarm, and secrets-as-bind-mounts are also no good as they are mounted as root:root and the container I'm using (gitea) runs as non-root so can't access them. I might have to live with the risk (regarding env vars) and be done with it. – lonix Jun 17 '23 at 11:18
  • Traditionally, if you don't believe environment variables can be trusted, the alternative is to pass values as files; in Docker/Compose you'd do this with a bind mount. But it requires support in your application to read the file, and it can be a little harder to inject a dynamic value (like a cloud hostname or an actually-random password). – David Maze Jun 17 '23 at 11:45
  • @DavidMaze Agreed, but as I mentioned above there's another reason, and that's they are mounted as `/run/secrets/FOO` and that file is `root:root` and the app in the container won't be able to read it if it runs as a non-root user. Hence my research into viability of just using env vars (not because I tolerate the risk, but for lack of any better option). – lonix Jun 17 '23 at 14:52

1 Answer

2

Although I cannot exactly point you to a case where docker (and docker-compose) logs environment variables, I would imagine it's very much likely since docker does not treat environment variables as secrets. Therefore, if you are concerned about your env variables getting logged, you should use docker secrets instead.

You should be able to find plenty of examples on the internet on how to utilize this Docker feature in docker-compose. Here's the official one for example: https://docs.docker.com/compose/use-secrets/

It's pretty simple to use, but in this case you can be 100% certain that your secret's plaintext values won't appear anywhere.

because_im_batman
  • Agreed, however 1) docker secrets is only for swarm, which I'm not using; for those using swarm it's the perfect solution, and 2) for the secrets-as-mounted file in non-swarm, the files are mounted as root:root which means many (non-root user) containers cannot access them. That's why I am looking into using some other option. Sadly, all are insecure in some way or another. – lonix Jun 17 '23 at 02:29
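The obstacle raised in the comments under the question and under this answer is that a secret delivered as a file ends up `root:root` inside the container and is unreadable by a non-root service user. Because a Compose file-based secret (or any bind mount) carries the host file's numeric uid, gid and mode into the container unchanged, you can predict that failure on the host before starting anything. The following script is an added example, not code from the question, the answer or the Compose project; it assumes Linux with GNU coreutils (a BSD `stat` fallback is included), a bind-mount delivery path, no userns-remap, and a container uid of 1000 (gitea's default is assumed here, not taken from the thread).

```shell
#!/bin/sh
# Added example: predicts on the host whether a secret file will be readable
# by the uid:gid a container process runs as, and whether it is over-exposed.
# Assumes the secret reaches the container as a bind mount (Compose file-based
# secrets, explicit volume mounts), so host uid/gid/mode are what the container
# sees; no userns-remap; supplementary groups are ignored.

# secret_readable_by FILE UID GID
# Returns 0 when a process running as UID:GID can read FILE and FILE is not
# readable by "other"; returns 1 otherwise, with the reason on stderr.
secret_readable_by() {
    file=$1; want_uid=$2; want_gid=$3
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    # owner uid, owner gid, octal mode (e.g. "600"); GNU stat first, BSD fallback
    set -- $(stat -c '%u %g %a' "$file" 2>/dev/null || stat -f '%u %g %OLp' "$file")
    owner=$1; group=$2; mode=$3
    perm=$((0$mode))                     # leading 0 makes the shell parse it as octal
    if [ $((perm & 04)) -ne 0 ]; then
        echo "$file: world-readable (mode $mode); any uid in the container can read it" >&2
        return 1
    fi
    # uid 0 bypasses discretionary permission checks entirely
    [ "$want_uid" -eq 0 ] && return 0
    # Unix checks exactly one class: owner if uid matches, else group, else other
    if [ "$owner" -eq "$want_uid" ]; then
        [ $((perm & 0400)) -ne 0 ] && return 0
    elif [ "$group" -eq "$want_gid" ]; then
        [ $((perm & 040)) -ne 0 ] && return 0
    fi
    echo "$file: owned by $owner:$group mode $mode; unreadable for uid $want_uid gid $want_gid" >&2
    return 1
}

# Demonstration on a constructed file in a temp dir. The host file is owned by
# whoever runs this script, the container user is assumed to be 1000:1000, so
# on most hosts this reproduces the mismatch described in the thread.
demo() {
    dir=$(mktemp -d)
    secret="$dir/gitea_db_password"
    printf 'not-a-real-password\n' > "$secret"   # constructed sample secret
    chmod 0600 "$secret"
    container_uid=1000; container_gid=1000        # assumed service uid/gid
    if secret_readable_by "$secret" "$container_uid" "$container_gid"; then
        echo "OK: readable by $container_uid:$container_gid and not world-readable"
    else
        echo "FIX on host: chown $container_uid:$container_gid $secret && chmod 0400 $secret"
    fi
    rm -rf "$dir"
}
demo
```

The remedy the check points at is done on the host, not in the container: `chown <container-uid>:<container-gid>` the secret file and `chmod 0400` it, and the bind mount presents it with those same numeric ids inside, readable by the non-root service user and by nobody else. This is the piece the environment-variable route cannot offer: values from `env_file` are visible to every process in the container and in `docker inspect` output, with no file permission to narrow who can read them.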