alexjustesen / speedtest-tracker

Speedtest Tracker is a self-hosted internet performance tracking application that runs speedtest checks against Ookla's Speedtest service.
https://speedtest-tracker.dev/
MIT License
2.45k stars 89 forks

Docker secrets don't appear to work #1537

Closed kuya1284 closed 1 week ago

kuya1284 commented 2 weeks ago

Describe the bug

According to the LSIO documentation on Docker Secrets, we should be able to use FILE__DB_PASSWORD in our Docker Compose file so that we won't have to put our database password in plain text either in compose.yaml or .env. That doesn't appear to work and produces an Access denied for user error.

EDIT - 6/18/2024: The issue is due to the contents of the secret file not being trimmed of whitespace. If the file contains a newline character, which gets added automatically when saving the file using an editor like vi, the password that gets used when attempting to authenticate with a database will contain that newline character.

To Reproduce

Steps to reproduce the behavior:

  1. Follow the How to use secrets in Docker Compose guide to create the file that will contain the database password.
  2. Using the same guide, add the appropriate sections and attributes to the Docker Compose file.
  3. Replace DB_PASSWORD with FILE__DB_PASSWORD per the LSIO documentation.
  4. Start the stack
  5. Access denied for user errors will appear on the console

Expected behavior

The Speedtest Tracker stack should start up normally and without errors.

Environment

kuya1284 commented 2 weeks ago

I noticed that the LSIO approach is different from other approaches, which is to use the format FILE__MYVAR instead of MYVAR__FILE. I did try both styles, but that didn't seem to make a difference.

So instead of being able to use either FILE__DB_PASSWORD or DB_PASSWORD__FILE, I have to continue using DB_PASSWORD unfortunately.

EDIT: Is it possible that the LSIO just needs to remove the Environment variables from files (Docker secrets) section from their documentation? Was that an oversight?

kuya1284 commented 2 weeks ago

I also noticed that #1041 had been closed but I haven't been able to get Docker Secrets to work like with other images that I have in my homelab.

svenvg93 commented 2 weeks ago

I don't have a problem using secrets when trying it with a Postgres DB for the password. Can you share your compose file?

```yaml
services:
    speedtest-tracker:
        image: lscr.io/linuxserver/speedtest-tracker:0.20.6
        container_name: speedtest-tracker
        restart: unless-stopped
        environment:
            - TZ=Europe/Amsterdam
            - APP_TIMEZONE=Europe/Amsterdam
            - DISPLAY_TIMEZONE=Europe/Amsterdam
            - APP_DEBUG=true
            - PUID=1000
            - PGID=1000
            - DB_CONNECTION=pgsql
            - DB_HOST=speedtest-tracker-db
            - DB_PORT=5432
            - DB_DATABASE=${POSTGRES_DB}
            - DB_USERNAME=${POSTGRES_USER}
            # LSIO FILE__ prefix: DB_PASSWORD is set from the contents of this file
            - FILE__DB_PASSWORD=/run/secrets/db_pass
            - APP_KEY=${APP_KEY}
            - SPEEDTEST_SCHEDULE=6 */2 * * *
            - SPEEDTEST_SERVERS=52365
            - PRUNE_RESULTS_OLDER_THAN=0
            - DATETIME_FORMAT="j M Y, G:i:s"
            - CHART_DATETIME_FORMAT="j/m G:i"
        secrets:
            - db_pass
        volumes:
            - speedtest-tracker:/config
        networks:
            - backend
        ports:
            - 8084:80
        depends_on:
            - speedtest-tracker-db

    # Service name must match the depends_on entry above
    speedtest-tracker-db:
        image: postgres:15
        container_name: speedtest-tracker-db
        restart: unless-stopped
        environment:
            - POSTGRES_DB=${POSTGRES_DB}
            - POSTGRES_USER=${POSTGRES_USER}
            # The postgres image reads the password from this file
            - POSTGRES_PASSWORD_FILE=/run/secrets/db_pass
        secrets:
            - db_pass
        volumes:
            - speedtest-tracker-db:/var/lib/postgresql/data
        networks:
            - backend

volumes:
  speedtest-tracker:
    name: speedtest-tracker
  speedtest-tracker-db:
    name: speedtest-tracker-db

networks:
  backend:
    name: backend

# Both services mount the same file-based secret at /run/secrets/db_pass
secrets:
  db_pass:
    file: ./db_pass.txt
```

kuya1284 commented 1 week ago

@svenvg93, thank you for sharing. I figured out what the problem was. The issue was similar to what I experienced with the Maxmind geoipupdate image. The file containing my secret contained a newline character at the end, which wasn't getting trimmed. Images like MariaDB trim the file to eliminate the whitespace.

As an interim solution, I resaved the file without the newline character and I'm now able to leverage FILE__DB_PASSWORD.

Thanks for helping to lead me in the right direction.
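
The interim fix described in the comment above (saving the secret file without its trailing newline), as an added shell example that is not part of the original thread or of the LSIO image. The function names and the sample password are constructed for illustration, and only trailing whitespace is handled.

```shell
#!/bin/sh
# Added example: detect and remove trailing whitespace in a Docker secret file.
# Function names and the sample password are constructed for illustration.

# Succeeds if the file's last byte is newline, CR, space or tab.
secret_has_trailing_ws() {
    _last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$_last" in
        0a|0d|20|09) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the file's content without trailing whitespace and without adding a newline.
secret_trimmed() {
    _nl='
'
    _cr=$(printf '\r')
    _tab=$(printf '\t')
    _v=$(cat "$1") || return 1   # $(...) already drops trailing newlines
    while :; do
        case "$_v" in
            *"$_nl"|*"$_cr"|*" "|*"$_tab") _v=${_v%?} ;;
            *) break ;;
        esac
    done
    printf '%s' "$_v"
}

# Rewrites the file in place (same inode, owner and mode) without the trailing whitespace.
secret_fix_in_place() {
    _fixed=$(secret_trimmed "$1") || return 1
    printf '%s' "$_fixed" > "$1"
}

# Constructed demo: a secret saved by an editor that appends a newline.
demo=$(mktemp)
printf 'example-password\n' > "$demo"
secret_has_trailing_ws "$demo" && echo "before: trailing whitespace present"
secret_fix_in_place "$demo"
secret_has_trailing_ws "$demo" || echo "after: clean, $(wc -c < "$demo" | tr -d ' ') bytes"
rm -f "$demo"
```

Writing the secret with `printf '%s'` in the first place avoids the newline that `echo` and most editors append.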

svenvg93 commented 1 week ago

Glad to hear you were able to figure it out :) If the problem is solved please close the issue :)

kuya1284 commented 1 week ago

@svenvg93 I don't think the problem is solved yet. The secret should be trimmed after being read from the file. Many images are built to do that.

Thanks!

alexjustesen commented 1 week ago

I would post it to the LSIO repo as that's an image issue not an app issue. I'm going to close this but feel free to reference it for them.

kuya1284 commented 1 week ago

For anyone who may come across this, I just created this in the LSIO repo:

https://github.com/linuxserver/docker-speedtest-tracker/issues/23