Docker secrets passing as environment variable

I put Docker in swarm mode and did the following:

echo "'admin'" | docker secret create password -
docker service create \
--network="host" \
--secret source=password,target=password \
-e PASSWORD='/run/secrets/password' \
<image>

I was not able to pass the password secret I created via an environment variable through the Docker service.

Please help me out and tell me where I am going wrong.

Satyanvesh Muppaneni asked Sep 25 '18 07:09


2 Answers

You are misunderstanding the concept of Docker secrets. The whole point of creating secrets is to avoid putting sensitive information into environment variables.

In your example the PASSWORD environment variable will simply carry the value /run/secrets/password, which is a file name and not the password admin.

A valid use case of Docker secrets would be that your Docker image reads the password from that file. Check out the docs here, especially the example about MySQL:

the environment variables MYSQL_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE to point to the files /run/secrets/mysql_password and /run/secrets/mysql_root_password. The mysql image reads the password strings from those files when initializing the system database for the first time.

In short: your Docker image should read the content of the file /run/secrets/password.

Fabian Braun answered Oct 08 '22 16:10


There is no standard here.

The Docker docs discourage using environment variables, but there is confusion about whether that means setting the password directly as a string in the "environment" section or any other usage of environment variables within the container. Also, using a string instead of a secret when the same value might be used in multiple services requires checking and changing it in multiple places instead of in one secret value.

Some images, like mariadb, use env variables with a _FILE suffix to populate the suffixless version of the variable with the secret file's contents. This seems to be ok.

Using Docker should not require redesigning the application architecture only to support secrets in files. Most other orchestration tools, like Kubernetes, support putting secrets into env variables directly. Nowadays it is rather not considered bad practice. Docker Swarm simply lacks good practices and proper examples for passing a secret to an env variable.

IMHO the best way is to use the entrypoint as a "decorator" to prepare the environment from secrets.

A proper entrypoint script can be written as an almost universal way of processing secrets, because we can pass the original image entrypoint as an argument to our new entrypoint script, so the original image's "decorator" does its own work after we prepare the container with our script.

Personally I am using the following entrypoint with images containing /bin/sh: https://github.com/DevilaN/docker-entrypoint-example

DevilaN answered Oct 08 '22 16:10