This repository has been archived by the owner on Feb 16, 2023. It is now read-only.

[Other] Docker secrets support / _FILE environment variables #1236

Open
KillerTic opened this issue Aug 16, 2021 · 1 comment

KillerTic commented Aug 16, 2021

Hi,
I have noticed an issue with using _FILE environment variables / docker secrets.
I have all my passwords, keys, etc. stored in files, name them in my docker-compose as secrets, give the container access to the needed secrets and then pass them to the environment variable.

For this you usually just append _FILE to any environment variable. For example:
defined secret in the docker-compose:

```yaml
secrets:
  paperless_db_passwd_secret:
    file: $DOCKERDIR/secrets/paperless_db_passwd_secret
  paperless_secrets_key_secret:
    file: $DOCKERDIR/secrets/paperless_secrets_key_secret
```

in the service for paperless-ng:

```yaml
environment:
  PAPERLESS_DBPASS_FILE: /run/secrets/paperless_db_passwd_secret
  PAPERLESS_SECRET_KEY_FILE: /run/secrets/paperless_secrets_key_secret
secrets:
  - paperless_db_passwd_secret
  - paperless_secrets_key_secret
```

This does not work with this image (and one other I use). I guess it has to be configured so that it can be used?


KillerTic commented Aug 21, 2021

I had a further look around and it looks like secrets and the *_FILE extension to environment variables need to be handled in the docker-entrypoint.sh.

Here is an example from the official MySQL docker image:

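```bash
# usage: file_env VAR [DEFAULT]
# Fills $VAR from the file named in $VAR_FILE (e.g. a Docker secret),
# falling back to DEFAULT. VAR and VAR_FILE are mutually exclusive.
# mysql_error and mysql_get_config are helpers defined elsewhere in the
# same entrypoint script.
file_env() {
    local var="$1"
    local fileVar="${var}_FILE"
    local def="${2:-}"
    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
        mysql_error "Both $var and $fileVar are set (but are exclusive)"
    fi
    local val="$def"
    if [ "${!var:-}" ]; then
        val="${!var}"
    elif [ "${!fileVar:-}" ]; then
        # Read the secret file; $(...) strips the trailing newline
        val="$(< "${!fileVar}")"
    fi
    export "$var"="$val"
    # Drop the *_FILE variable so only the resolved value remains
    unset "$fileVar"
}

docker_setup_env() {
    # Get config
    declare -g DATADIR SOCKET
    DATADIR="$(mysql_get_config 'datadir' "$@")"
    SOCKET="$(mysql_get_config 'socket' "$@")"

    # Initialize values that might be stored in a file
    file_env 'MYSQL_ROOT_HOST' '%'
    file_env 'MYSQL_DATABASE'
    file_env 'MYSQL_USER'
    file_env 'MYSQL_PASSWORD'
    file_env 'MYSQL_ROOT_PASSWORD'

    declare -g DATABASE_ALREADY_EXISTS
    if [ -d "$DATADIR/mysql" ]; then
        DATABASE_ALREADY_EXISTS='true'
    fi
}
```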
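Added example (not part of the comments above, and not code from paperless-ng or the MySQL image): a POSIX `sh` variant of the same `file_env` pattern applied to the two variables from the compose file in this issue. The `load_paperless_secrets` wrapper and the `_fe_*` names are hypothetical; it assumes the variables are exported, as they are when Docker sets them, and that `printenv` is available in the image.

```shell
#!/bin/sh
# Added example, not paperless-ng code. POSIX sh has no ${!var} indirection,
# so exported variables are read through printenv instead.
# usage: file_env VAR [DEFAULT]
file_env() {
    _fe_var="$1"
    _fe_file_var="${_fe_var}_FILE"
    _fe_default="${2:-}"
    # Accept only plain variable names before using them with export/unset.
    case "$_fe_var" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "file_env: invalid name" >&2; return 2 ;;
    esac
    _fe_val="$(printenv "$_fe_var" || true)"
    _fe_path="$(printenv "$_fe_file_var" || true)"
    if [ -n "$_fe_val" ] && [ -n "$_fe_path" ]; then
        echo "file_env: both $_fe_var and $_fe_file_var are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$_fe_path" ]; then
        if [ ! -f "$_fe_path" ] || [ ! -r "$_fe_path" ]; then
            # Report the path only, never the secret's contents.
            echo "file_env: cannot read $_fe_path" >&2
            return 1
        fi
        _fe_val="$(cat "$_fe_path")"   # $(...) strips trailing newlines
    elif [ -z "$_fe_val" ]; then
        _fe_val="$_fe_default"
    fi
    # Export only a non-empty result so an unset variable stays unset.
    if [ -n "$_fe_val" ]; then export "$_fe_var=$_fe_val"; fi
    unset "$_fe_file_var"
}

# Hypothetical wrapper: resolve the variables named in the issue, then the
# entrypoint would continue with its normal start-up.
load_paperless_secrets() {
    for _v in PAPERLESS_DBPASS PAPERLESS_SECRET_KEY; do
        file_env "$_v" || return 1
    done
}
```

Failing on an unreadable secret file, rather than continuing with an empty value, keeps the container from starting with a blank database password or secret key.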
