Closed: opened by thib3113, closed 3 years ago
Hello.
We have no plans to support Docker secrets.
The main content of `docker-compose.yml` will remain largely unchanged; only the annotated environment variables will be added. I don't think it would be a problem to write environment variables directly in `docker-compose.yml`.
But if you want, you can add a new `.env` file in the same directory as `docker-compose.yml` and put the environment variables there, because docker-compose will automatically read the `.env` file in the current directory.
Hope this helps!
In fact, because I use swarm mode, and Portainer to manage it, I can't directly use your `docker-compose.yml`, and can't use `.env` to get environment variables. (And I need to use `docker swarm`, not `docker compose`; the compose formats have some specifics, like secrets only being available for swarm.)
In general, repos act like this:
- an environment variable `PASSWORD` with the suffix `FILE`, and then read the value for the password from the file (example: images done by linuxserver)
- read a config file or a `.env` in the container. And so, with docker secrets I can map the secret to this file, and my passwords are less easy to read. (example: bitwardenrs)
Otherwise, the most secure thing seems to be leaving the default password, because it's not easily readable in the container summary (and not stored in the YAML of Portainer), and one needs to do some searching on GitHub.
Hey @thib3113,
thanks for your ideas!
Suggestion: Do you want to create a PR containing the `ZIP_PASSWORD_FILE` environment variable which overrides `ZIP_PASSWORD`?
hey @mustaphazorgati, else I found this:
https://gist.github.com/judy2k/7656bfe3b322d669ef75364a46327836
So people can create a `.env` mapped in the container, and the `include.sh` file will parse it (if it exists), and will use these vars? (For docker swarm, we can create docker configs, or docker secrets, to map multiple envs in one go.)
I don't know which you prefer? (Else, I think the `MAIL_SMTP_VARIABLES` also need to be managed, because they can contain credentials.)
hey @thib3113,
I checked the Portainer documentation and found that I can use `docker-compose.yml` with stacks, can you give it a try? https://documentation.portainer.io/v2.0/stacks/create/
no, it just supports the "swarm way" of docker-compose: `docker stack deploy -c docker-compose.yml`. But it doesn't support adding an `.env` file. I need to add env manually, and finally they are easily readable on the container.
Sorry I haven't used docker swarm, but if it says it supports `docker-compose.yml`, then why can't you just put the environment variables in `docker-compose.yml`?
I can put the environment variables in the YAML of the stack (or `docker-compose.yml` if you prefer, but some little things don't work in the same way).... But your passwords are readable...
And that's why docker swarm adds "secrets", to hide this kind of information.
And as I said before, I prefer to leave the default password instead of adding it in the `docker-compose.yml`. Because it's more secure (people need to find the GitHub documentation, instead of reading the environment variables of the container).
Hey @thib3113,
I have created a PR which allows the user to access a secret. Here is an example creation call without any other parameters.

```sh
docker service create --name backup --secret zip_password --env ZIP_PASSWORD_SECRET=zip_password ttionya/bitwardenrs-backup:latest
```

We now have to wait for @ttionya to approve the changes and release a new version for you.
hey, @thib3113,
I understand roughly what you want: you don't want to pass in the configuration via environment variables for security reasons, but prefer to introduce the configuration via `docker config` or `docker secret` (when using `docker swarm`). Am I misunderstanding?
One more question: we sync backup files to a remote storage system via Rclone, and we need to configure the Rclone information via `docker run repo rclone config`. I wonder if docker swarm can do it simply? I am equally concerned about the possible restore operations.
@ttionya yes. (And I know some people prefer to bind a file in the container, instead of passing env.)
About the `docker run repo rclone config`, on my configuration, I've just run the command to generate the `rclone.conf` the first time, then I create a docker config and I set it to push the config into `rclone.conf`...
my "compose" is like that:

```yaml
version: "3.7"
services:
  backup:
    image: ttionya/bitwardenrs-backup:latest
    volumes:
      - bitwarden_data:/bitwarden/data
    secrets:
      # the pre-generated rclone.conf is delivered as a swarm secret,
      # mounted at the path the image reads it from
      - source: BITWARDEN_RCLONE_CONFIG
        target: /config/rclone/rclone.conf
    environment:
      RCLONE_REMOTE_NAME: my_ftp
      RCLONE_REMOTE_DIR: /bitwarden
      BACKUP_KEEP_DAYS: 30
      TIMEZONE: Europe/Paris
secrets:
  BITWARDEN_RCLONE_CONFIG:
    external: true
volumes:
  # assumed: the named volume referenced above must be declared for
  # `docker stack deploy` to accept the file; the original omitted it
  bitwarden_data:
    external: true
```
What are your concerns about restore?
@mustaphazorgati thank you, but I prefer to talk about this before doing a pull request :). (And just some remarks: in general people add a var with `_FILE` so people can bind the file where they want, and not only in the docker secrets folder. Other thing, what about `MAIL_SMTP_VARIABLES`? Because it will contain a password too if the SMTP needs authentication.) (Docker uses it for basic images, like mysql: https://hub.docker.com/_/mysql, the password can be set with `MYSQL_ROOT_PASSWORD_FILE`.)
hey @thib3113, @mustaphazorgati,
Before, I said I didn't plan to support Docker Secret because I hadn't used Docker Swarm. Now I think I have some knowledge about Docker Swarm, Docker Secret and Docker Config, and I have changed my mind.
To satisfy people who would like to use env files or `docker secret` to hide credentials, I modified the script and it will now read the config from the `/.env` file.
Now you can use `docker config` or map the local env file to `/.env`. If you need to use Docker Secret, you can also add the environment variable `ZIP_PASSWORD_FILE=/run/secrets/zip-password` or put it in the env file.
This change #16 has not been merged into master yet, as I don't know if there are any scenarios I haven't considered, so please review the code and give feedback when you have time.
Thanks!
Hey @ttionya thank you. And no problem about configs / secrets, they exist "only" on docker swarm, so if you never tried, you don't know.
About the changes, that seems fine, but I can't test before the image is pushed to a repository (docker swarm doesn't allow `build` in the YAML).
Hey @ttionya!
Thanks for the PR. I suggested some minor comments. Overall it looks good! :)
@thib3113 thanks for the suggestion / idea contribution
hey @thib3113 @mustaphazorgati,
I merged the PR #16 and released the beta version v1.6.0-beta.2. I simply tested the `.env` file (not via Docker Swarm) and it works fine.
I don't know how it actually works in Docker Swarm with Docker Secret and Docker Config. Could you please test it for me? Looking forward to your feedback. Thank you.
Alright. I will test the image with docker swarm and a secret file for `ZIP_PASSWORD` later tonight.
Setting `ZIP_PASSWORD_FILE` using docker swarm and secrets works fine for me.
Tested for me, and it's good too :). Thank you :)
Hey @thib3113 @mustaphazorgati ,
This change is already in stable v1.6.0, please let me know if you have any questions.
Hello,
can I set environment variables without writing them directly in the env?
Like creating a `.env` file? Or using docker secrets?