frappe / frappe_docker

Docker images for production and development setups of the Frappe framework and ERPNext
MIT License

Security issue with DB_PASSWORD variable #1471

Closed treasuryesc closed 1 month ago

treasuryesc commented 1 month ago

Is your feature request related to a problem? Please describe.
Currently, frappe_docker uses a .env file where we should set the variable DB_PASSWORD at the moment of creating the docker-compose.yaml file (created with docker compose config). The database password is set in this file, which brings security issues.

Describe the solution you'd like
The DB_PASSWORD should be set as a variable in docker-compose.yaml instead of using the password directly inside docker-compose.yaml, so we could use a .env located in the same folder as docker-compose.yaml, in order to define the database password only in the .env file and not inside the docker-compose.yaml.

treasuryesc commented 1 month ago

@revant could you please check this? Is there any way to avoid fixing db password inside docker-compose.yaml?

revant commented 1 month ago

> created with docker compose config

Use "docker compose up" directly then. You'll not have the generated yaml file with passwords.

treasuryesc commented 1 month ago

> created with docker compose config
>
> Use "docker compose up" directly then. You'll not have the generated yaml file with passwords.

Hi @revant, I think I wasn't clear in my issue description. The problem happens in the build process of a custom image and a docker-compose.yaml file for this image. When we use "docker compose --env-file .env -f overrides/compose.mariadb.yaml config > docker-compose.yaml" to create the docker-compose.yaml file, the config in overrides/compose.mariadb.yaml takes ${DB_PASSWORD} from the .env and puts the DB password into docker-compose.yaml. The request is that overrides/compose.mariadb.yaml should keep the variable ${DB_PASSWORD} instead of replacing it when running "docker compose config", so when we run "docker compose up" docker would take the password from the .env and not from docker-compose.yaml.

Another possibility could be using docker compose secrets: https://docs.docker.com/compose/how-tos/use-secrets/
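An added check for the situation described in this thread (example code, not part of frappe_docker or any comment here): it scans a rendered compose file for password keys whose value is a literal instead of a ${VAR} placeholder, so a file produced by "docker compose config" can be tested before it is committed or copied anywhere. File paths and the sample compose contents are constructed for the example.

```shell
#!/bin/sh
# Added check (not part of frappe_docker): scan a rendered compose file for
# password keys whose value is a literal instead of a ${VAR} reference.

check_compose_passwords() {
  # Report every *PASSWORD* entry (mapping "KEY: value" or list "- KEY=value")
  # whose value is not a $VAR / ${VAR} placeholder. Lines that end in ":"
  # (nested keys such as a secrets: definition) are ignored.
  # Returns 0 when clean, 1 when at least one literal value was found.
  leaks=$(grep -nE '^[[:space:]]*(-[[:space:]]*)?[A-Za-z0-9_]*(PASSWORD|password)[A-Za-z0-9_]*[:=]' "$1" \
    | grep -vE '([:=][[:space:]]*"?(\$\{[^}]+\}|\$[A-Za-z_][A-Za-z0-9_]*)"?|:)[[:space:]]*$' || true)
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks"
    return 1
  fi
  return 0
}

# Constructed sample files (assumed paths, written to a temp directory).
WORK=$(mktemp -d)
LEAKED_FILE="$WORK/docker-compose.yaml"   # what "docker compose config" produces
CLEAN_FILE="$WORK/compose.mariadb.yaml"   # source override with the placeholder kept

printf '%s\n' \
  'services:' \
  '  db:' \
  '    image: mariadb:10.6' \
  '    environment:' \
  '      MYSQL_ROOT_PASSWORD: not-a-real-password-123' \
  '      MARIADB_AUTO_UPGRADE: "1"' > "$LEAKED_FILE"

printf '%s\n' \
  'services:' \
  '  db:' \
  '    image: mariadb:10.6' \
  '    environment:' \
  '      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}' \
  '      MARIADB_AUTO_UPGRADE: "1"' > "$CLEAN_FILE"

for f in "$LEAKED_FILE" "$CLEAN_FILE"; do
  if check_compose_passwords "$f"; then
    echo "OK: no literal password in $f"
  else
    echo "LEAK: literal password value(s) in $f (see lines above)"
  fi
done
```

With Compose v2, "docker compose config --no-interpolate" renders the file while keeping the ${DB_PASSWORD} placeholders, which is one way to get the behaviour requested above without changing the override file.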

revant commented 1 month ago

You can improve it and send a PR.

I use Kubernetes for my setup; there I've managed the DB password through Kubernetes secrets.