Provide a better way to pass the password to the container

[bladnor]

I don't like setting the password with an environment variable because environment variables can be viewed with 'docker inspect'. Can you provide a way to pass the password by mounting a file to the container and read the password from that file?

For example something like this:
$cat secret
export POSTGRES_PASSWORD=mysecretpostgrespassword
$ sudo docker run -v $(pwd):/tmp --name some-postgres -d postgres

and then in docker-entrypoint.sh read/source the password from /tmp/secret .

Thank you

PS:
I tried to do something like this:
$sudo docker run -v $(pwd):/tmp --entrypoint /bin/bash --name some-postgres -d postgres "source /tmp/secret >> docker-entrypoint.sh"

but this resulted in:
/bin/bash: source /tmp/secret >> docker-entrypoint.sh: No such file or directory

[jdmarshall]

I'm having the same concern.

Unfortunately in researching it I think I have learned that this issue was formally identified in Docker itself back in May of last year and is still not a solved problem.

[mmarzantowicz]

Allowing malicious users to run docker inspect (or generally docker ...) command is already a security breach so there is no gain in hiding password form environment other than over-engineering.

PostgreSQL supports GSSAPI and Kerberos authentication which can be used if you really need more complex access management.

[tianon]

I think it would be worthwhile to add a note to the documentation for POSTGRES_PASSWORD pointing out that users concerned about security ought to change this initial password after the database is initialized, perhaps with a short example of the easiest/quickest way to do so.

[jdmarshall]

There are other applications besides Postgres that need credentials.

Postgres is sort of a touchy subject from a Docker standpoint anyway. The combined awkwardness of the data volume solution, lazy initialization of the database which ensues, avoiding nuking your data, especially in dev and integration, race conditions caused by this with docker-compose and a handful of others that I'm forgetting...

I ended up creating my own initialization scripts which I ran offline that would spool up just psql, initialize the database, create my users (read and read-write), change the default password and optionally import a database backup, which I run separately from my code-build-test and build-deploy-test cycles. (this was a godsend when it came time to test migration scripts)

[tianon]

I think #225 should be helpful here.

[phs]

TL;DR If you are using a swarm:

version: "3.1"
services:

  database:
    image: postgres:9.6
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password

secrets:
  postgres_password:
    external: true

[tianon]

Ah, thanks for the prod (and the example config), @phs! I'm going to close since this was implemented in #225 with the _FILE environment variables. 👍

[shadiakiki1986]

@phs example works without swarm too in docker-compose.yml, e.g.

secrets:
  postgres_password:
    file: ./docker_postgres_password