jbergstroem / mariadb-alpine

A tiny and fast MariaDB container
MIT License
72 stars 19 forks

Support Docker secrets #48

Closed jbergstroem closed 1 year ago

jbergstroem commented 4 years ago

Secrets (docker secret) are a safer way to pass sensitive information to a container that avoids environment variables and instead mounts a secret as a file in the container filesystem.

This approach is growing in popularity and should be supported for all sensitive data (password comes to mind).

jbergstroem commented 1 year ago

Thinking swarm is on the way out. Closing.

polarathene commented 1 year ago

@jbergstroem you do not need swarm to use secrets (although it does link to swarm docs saying it's a swarm only feature, I do not use swarm personally). It is part of the Compose specification now AFAIK.

The docs have an example of a docker-compose config using it with no swarm features.


I've been using them recently for a few containers that have explicit support mentioned:

jbergstroem commented 1 year ago

@polarathene I went ahead and implemented it. Do you think the current approach is good or are there potential benefits with passing a file path? I felt this was easier and less confusing (especially in the context of which approach has precedence).

Edit: gonna move forward. Feel free to try it out (will push new tags) and leave feedback! Thanks for pointing out that swarm isn't necessary.

polarathene commented 1 year ago

Do you think the current approach is good or are there potential benefits with passing a file path?

I don't have enough experience with secrets to provide feedback on that unfortunately. I've just noticed the two cited images adopted a variant pattern of using a prefix / suffix from the ENV name with the secrets path as value.

Your approach seems like a nicer UX, I'm not aware of any drawbacks with that approach.


I felt this was easier and less confusing (especially in the context of which approach has precedence)

:+1:

Precedence wasn't a concern to me as a user as I just chose one or the other. It was a bit confusing seeing this approach you chose where it diverges from what the other images did and checks the ENV existing in /run/secrets instead implicitly, but having seen that in the PR diff clarified what magic was going on behind the scenes :)


Feel free to try it out (will push new tags) and leave feedback! Thanks for pointing out that swarm isn't necessary.

Cheers for such a speedy implementation!

polarathene commented 1 year ago

Regarding the implementation, it may be worth deciding if you should continue with your approach or adopt what might be a convention elsewhere with the suffix?

The official MySQL image uses the ENV _FILE suffix with filepath, as does the official MariaDB image. I suspect that the official images all living in that same repo maintain that convention and it might be a valid reference to follow? :man_shrugging:

That said looking at git blame on those README files, it looks like these were documented in April 2017 and October 2017 (various DB related images). Neither commit had a PR to reference or useful commit message for context though, probably only intended for Swarm at the time.

jbergstroem commented 1 year ago

Regarding the implementation, it may be worth deciding if you should continue with your approach or adopt what might be a convention elsewhere with the suffix?

I had a read through both of the implementations. To me, it seems like they had _FILE as a delivery mechanism over ENV, then just reused that for the secret interface.

One of the goals while building this container is to stay close to both of those implementations and consider what features to keep while balancing container size. Embedding a mysql client and using busybox sh over bash to run scripts are two good examples of where sacrifices so far were made. This feature doesn't add to container size so it's not going to be a hill to die on, but I don't see the benefit of a custom path. I would say it solves a different problem than secrets.

I think if others ask to implement _FILE for passing other data with interesting use-cases I'm happy to reconsider. Does that make sense?
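As an added example (not mariadb-alpine's entrypoint code, and not something either commenter posted), here is a busybox-compatible sh snippet that resolves one setting through both mechanisms discussed in this thread: the implicit /run/secrets/<NAME> lookup this issue adopted and the official mysql/mariadb images' <NAME>_FILE suffix, with a fixed precedence so it is clear which source wins. The SECRETS_DIR override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not mariadb-alpine's own entrypoint code. Resolves one
# setting with the precedence the thread debates: an explicit <NAME>_FILE
# path (the official mysql/mariadb convention) wins, then the implicit
# /run/secrets/<NAME> file (this issue's approach), then the plain env var.
# SECRETS_DIR is an assumed override so the lookup runs outside Docker.

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# Usage: resolve_secret NAME -> prints the value without a trailing newline.
# Returns 1 on a malformed name or an unreadable <NAME>_FILE, so a typo in
# the path fails loudly instead of silently falling back to a weaker source.
# Prints nothing (status 0) when the setting is configured nowhere.
resolve_secret() {
    _rs_name="$1"
    # Only identifier characters: the name is interpolated with eval below.
    case "$_rs_name" in
        ''|*[!A-Za-z0-9_]*) echo "resolve_secret: bad name '$_rs_name'" >&2; return 1 ;;
    esac

    # 1. <NAME>_FILE: explicit file path, highest precedence.
    eval "_rs_file=\${${_rs_name}_FILE:-}"
    if [ -n "$_rs_file" ]; then
        if [ ! -r "$_rs_file" ]; then
            echo "resolve_secret: ${_rs_name}_FILE=$_rs_file is not readable" >&2
            return 1
        fi
        printf '%s' "$(cat "$_rs_file")"
        return 0
    fi

    # 2. /run/secrets/<NAME>: the file Compose mounts for a secret of that name.
    if [ -r "$SECRETS_DIR/$_rs_name" ]; then
        printf '%s' "$(cat "$SECRETS_DIR/$_rs_name")"
        return 0
    fi

    # 3. Plain environment variable, lowest precedence.
    eval "printf '%s' \"\${${_rs_name}:-}\""
}

# Entrypoint helper: export NAME with the resolved value and drop NAME_FILE
# so the path is not inherited by the server or by init scripts.
load_secret() {
    _ls_value="$(resolve_secret "$1")" || return 1
    export "$1=$_ls_value"
    unset "${1}_FILE"
}
```

Because command substitution strips the trailing newline, a secret file created with `echo` and one created with `printf` resolve to the same value, which is the usual source of "wrong password" reports when secrets are introduced.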

polarathene commented 1 year ago

I think if others ask to implement _FILE for passing other data with interesting use-cases I'm happy to reconsider. Does that make sense?

Perfectly fine :)