For example I have a docker compose stack with a service and a db.
How do you handle the passwords? Is it better to store them in a .env file or is there something different entirely?

Also do the passwords have to be strong if the db is only available to the service through the docker network?

  • derpgon
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    For services that don’t support file secrets, it’s possible to assign them to ENV variables and export them before app bootstrap (so pre-entrypoint of sorts) and build a custom docker image. That’s what I did for GL runner.

    Create your own entrypoint file. Read secret path from an ENV. Read file and assign to an ENV. The ENV containing the secret valie is not visible from the outside. If the service does not support ENV variable secret (like aforementioned GL runner) then it’s possible to use the env in a config file and an envsubst in the same entrypoint

    • object_Object
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      If the value is still passed as an environment variable in the end, it can be read via /proc/:pid/environ from another container or from the host if they are both using the same UID (or has --cap-add SYS_PTRACE)

      • derpgon
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Oh, didn’t think about that. Well, at least it works.