
How to set environment variables in Dockerfile via Azure DevOps

In my project's Dockerfile I have some environment variables, like this:

ENV ACCEPT_EULA=Y
ENV SA_PASSWORD=Password
ENV MSSQL_PID=Developer
ENV MSSQL_TCP_PORT=1433 

And I would like to pass the password here as an environment variable set in my pipeline.

In Azure DevOps I have two pipelines. One for building the solution and one for building and pushing docker images to DockerHub. There are options to set variables in both these pipelines. I have set the password in both pipelines and edited my password in the Dockerfile to look like this:

ENV SA_PASSWORD=$(SA_PASSWORD)

But that does not seem to be working. What is the correct way of passing environment variables from Azure DevOps into a Docker image?

Also, is this a safe way of passing secrets? Is there any way someone could read secrets from a Docker image?

Thanks!

PalBo asked Jan 27 '20 14:01


2 Answers

You can set an ARG var_name and reference the ARG variables from ENV. Then you can replace those variables when Docker builds the image:

$ docker build --build-arg var_name=$(VARIABLE_NAME)

For example, add the ARG in the Dockerfile, and have the ENV variable refer to it:

ARG SECRET
ENV ACCEPT_EULA=Y
ENV SA_PASSWORD=$SECRET
ENV MSSQL_PID=Developer
ENV MSSQL_TCP_PORT=1433 

You can use the Docker build task and the Docker push task separately, as the buildAndPush command cannot accept arguments. And set a variable SECRET in your pipeline.


Then set the Build Arguments SECRET=$(SECRET) to replace the ARG SECRET.


You can also refer to a similar thread.

Levi Lu-MSFT answered Oct 17 '22 23:10


I am using the Replace Tokens extension for exactly tasks like this: https://marketplace.visualstudio.com/items?itemName=qetza.replacetokens

However, putting secrets into your Dockerfile might not be the best idea. Usually you would provide secrets or generally runtime configuration as environment variables when you actually execute the container.

silent answered Oct 17 '22 22:10
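Added example, not part of either answer: an ENV value set at build time, including one copied from a --build-arg, is stored in the image configuration and can be read with docker inspect or docker history by anyone who can pull the image. The check below flags that pattern in a Dockerfile before it is built; the function names and the secret-name heuristic are assumptions made for this example.

```python
import re

# Assumed heuristic for credential-like variable names; extend as needed.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)")


def logical_lines(text):
    """Yield (line_number, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no instruction
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0


def audit_dockerfile(text):
    """Return (line, key, reason) for ENV values that stay readable in the image."""
    args, findings = set(), []
    for no, instr in logical_lines(text):
        keyword, rest = (instr.split(None, 1) + [""])[:2]
        if keyword.upper() == "ARG":
            args.add(rest.split("=", 1)[0].strip())
        elif keyword.upper() == "ENV":
            # Handles the key=value form only, as used on this page.
            for key, value in re.findall(r'(\w+)=("[^"]*"|\S*)', rest):
                from_arg = sorted(set(VAR_REF.findall(value)) & args)
                if from_arg:
                    findings.append((no, key, "build-arg %s baked into ENV" % ",".join(from_arg)))
                elif SECRET_NAME.search(key) and value.strip('"'):
                    findings.append((no, key, "literal value for secret-like ENV"))
    return findings


# Constructed sample: the Dockerfile shown in the first answer.
SAMPLE = """\
ARG SECRET
ENV ACCEPT_EULA=Y
ENV SA_PASSWORD=$SECRET
ENV MSSQL_PID=Developer
ENV MSSQL_TCP_PORT=1433
"""

if __name__ == "__main__":
    for no, key, why in audit_dockerfile(SAMPLE):
        print("line %d: %s: %s" % (no, key, why))
```

A clean result means the password has to arrive when the container is started, for example with docker run -e SA_PASSWORD=... fed from a pipeline secret variable, which is the approach the second answer recommends.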