jarischaefer / docker-librenms

Docker image for LibreNMS
MIT License

Using Docker secrets from file as variable #98

Closed Nesousx closed 5 years ago

Nesousx commented 5 years ago

Hi,

First of all, thanks for your image. I have been using it daily for months, and it works very well.

Now, I have just switched to Swarm and am using Portainer as well, and it seems like I can't get your image to read my secrets from the Docker secret.

For example, if I had a secret to hold the DB_PASS, then declare the variable like below in my "webserver service":

DB_PASS="/run/secrets/librenms-db-user"

Then the frontend won't connect to the DB, since the password in the variable is the path to the password file, but not what it contains.

Please note that the file /run/secrets/librenms-db-user does contain my real password.

Once again, I am pretty new to Docker swarm / portainer and I might be doing something wrong in the way I declare my variable. However, I read in the official doc that the image "must" be compatible for this to work, cf:

If you develop a container that can be deployed as a service and requires sensitive data, such as a credential, as an environment variable, consider adapting your image to take advantage of Docker secrets. One way to do this is to ensure that each parameter you pass to the image when creating the container can also be read from a file.

I am then wondering, if I am doing something wrong, or if your image is not (yet? ;)) compatible.

Many thanks in advance.

jarischaefer commented 5 years ago

Please try the DB_PASS_FILE variable.

Nesousx commented 5 years ago

Hi again,

This is working, many thanks.

However, would it be possible to have the same functionality for all sensitive information, such as APP_KEY, MYSQL_ROOT_PASSWORD (and maybe others I am missing)?

This way, I could host my docker-swarm files in a public repo without exposing any sensitive information, and directly feed those files to Portainer (for example).

jarischaefer commented 5 years ago

APP_KEY_FILE is supported in the latest build.

MYSQL_ROOT_PASSWORD is part of the MySQL image and therefore out of scope. The YAMLs are merely examples.

Nesousx commented 5 years ago

Cool, many thanks for updating the new image, and my bad for the mysql's one. I'll check if it is already implemented, if not, I'll go bug them as well. :)

Nesousx commented 5 years ago

Just a little update to let you know that APP_KEY_FILE works perfectly, and that the mysql official image already supports the same feature by adding _FILE at the end of the existing env variables.

Once again, many thanks to you!
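
The `_FILE` convention discussed in this thread, as an added example that is not part of the original issue and is not the docker-librenms entrypoint: a POSIX shell helper that loads `VAR` from the file named in `VAR_FILE`, rejects ambiguous or unreadable input, and warns when `VAR` itself holds a secrets path (the situation in the first comment). The function name `resolve_secret` is hypothetical, and the demo uses a constructed temp file in place of `/run/secrets/librenms-db-user`.

```shell
#!/bin/sh
# resolve_secret NAME: populate $NAME from the file named in ${NAME}_FILE.
# Hypothetical helper for illustration; not the image's own code.
resolve_secret() {
    _rs_name="$1"
    # The name is passed to eval below, so accept plain identifiers only.
    case "$_rs_name" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name: $_rs_name" >&2; return 2 ;;
    esac
    eval "_rs_value=\${$_rs_name-}"
    eval "_rs_file=\${${_rs_name}_FILE-}"
    if [ -n "$_rs_value" ] && [ -n "$_rs_file" ]; then
        # Ambiguous: refuse rather than silently pick one source.
        echo "$_rs_name and ${_rs_name}_FILE are both set; use only one" >&2
        return 1
    fi
    if [ -n "$_rs_file" ]; then
        if [ ! -r "$_rs_file" ]; then
            echo "${_rs_name}_FILE is not a readable file: $_rs_file" >&2
            return 1
        fi
        # Command substitution strips the trailing newline of the secret file.
        _rs_value=$(cat "$_rs_file")
    else
        case "$_rs_value" in
            /run/secrets/*)
                # The path would be used as the literal value (see first comment).
                echo "warning: $_rs_name looks like a secrets path;" \
                     "did you mean ${_rs_name}_FILE?" >&2 ;;
        esac
    fi
    eval "export $_rs_name=\"\$_rs_value\""
    # Drop the pointer so child processes only see the resolved variable.
    unset "${_rs_name}_FILE"
}

# Constructed demo: a temp file stands in for the mounted Docker secret.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed-password\n' > "$demo_dir/librenms-db-user"
unset DB_PASS
DB_PASS_FILE="$demo_dir/librenms-db-user"
resolve_secret DB_PASS
# Report the length only; the secret itself is never printed.
echo "DB_PASS resolved (${#DB_PASS} characters)"
```
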