Best practice for docker compose passwords? (lemmy.zip)

submitted 11 months ago by hyper@lemmy.zip to c/docker@programming.dev

7 comments fedilink hide all child comments

For example I have a docker compose stack with a service and a db.
How do you handle the passwords? Is it better to store them in a .env file or is there something different entirely?

Also do the passwords have to be strong if the db is only available to the service through the docker network?

top 7 comments

sorted by: hot top controversial new old

[-] jormaig@programming.dev 12 points 11 months ago

Docker has a secrets feature where you can mount a file containing a password into the container. It is not recommended to use environment variables because anyone outside the container can read the environment variables of a process. Then, the idea is that your service should support reading the secret from a file. Most services support it and if they don't you should open an issue because that's the current accepted practice

[-] derpgon@programming.dev 2 points 11 months ago

For services that don't support file secrets, it's possible to assign them to ENV variables and export them before app bootstrap (so pre-entrypoint of sorts) and build a custom docker image. That's what I did for GL runner.

Create your own entrypoint file. Read secret path from an ENV. Read file and assign to an ENV. The ENV containing the secret valie is not visible from the outside. If the service does not support ENV variable secret (like aforementioned GL runner) then it's possible to use the env in a config file and an envsubst in the same entrypoint

[-] object_Object@programming.dev 2 points 11 months ago* (last edited 11 months ago)

If the value is still passed as an environment variable in the end, it can be read via /proc/:pid/environ from another container or from the host if they are both using the same UID (or has --cap-add SYS_PTRACE)

[-] derpgon@programming.dev 1 points 11 months ago

Oh, didn't think about that. Well, at least it works.

[-] xrun_detected@programming.dev 5 points 11 months ago* (last edited 11 months ago)

regarding docker secrets: what @jormaig@programming.dev said, examples for doing this are here: https://docs.docker.com/compose/use-secrets/

regarding passwords: maybe you don't "have to", but if i'd argue it's important to build a habit of never using weak passwords anywhere. using strong passwords shouldn't be/feel like an extra step but part of the normal workflow.

[-] towerful@beehaw.org 5 points 11 months ago

For passwords in software chains, I always think of them as API keys. So, making them 32 or 64 character random strings doesn't seem ridiculous.

[-] lcb@lemmy.ml 1 points 10 months ago

Well my concern is not at home, my problem is with vps, pwd for database,api keys.. I have no idea how to approach this problem. I know that a good sysadmin can get everyting but at least i want to be more safe against average admins. For me the "trust" it is something over rated.

this post was submitted on 14 Aug 2023

19 points (95.2% liked)

Docker

966 readers

1 users here now

founded 1 year ago

MODERATORS

erlingur@programming.dev

ProgramPhoenix@programming.dev

Ategon@programming.dev