TechQA.

Docker: replace file contents with secret in docker-compose

1.1k views Asked by At

I'm trying to setup a database with a schema and some users, using docker and docker-compose. The users are system-users for a web-application, and it needs a password for security. In order to do so, I thought I could simply replace a template-value in the file with the value from the secret. This does not work, however.

What is the correct way to replace a file's contents with the value from the secret?

Dockerfile

FROM postgres:12.4
EXPOSE 5432
COPY 00_users.sql /docker-entrypoint-initdb.d/
COPY 01_schema.sql /docker-entrypoint-initdb.d/

RUN sed -i "s/__SECRETPASSWORD__/$(cat /run/secrets/postgres-secret)/g" /docker-entrypoint-initdb.d/00_users.sql

docker-compose

version: '3.1'
services:
  my-db:
    build: ./my-db
    container_name: my-postgres
    volumes:
      - ntool-data:/var/lib/postgresql/data
    ports:
      - 5432:5432
    environment:
      - POSTGRES_DB=mydb
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres-passwd
    secrets:
      - postgres-passwd
      - postgres-secret


secrets:
  postgres-passwd:
    file: postgres-passwd.txt
  postgres-secret:
    file: postgres-secret.txt

The output is:

Step 5/5 : RUN sed -i "s/__VCNTOOLPASSWORD__/$(cat /run/secrets/postgres-secret)/g" /docker-entrypoint-initdb.d/00_users.sql
 ---> Running in 012dd81c830b
cat: /run/secrets/postgres-secret: No such file or directory
docker templates docker-compose docker-secrets
Original Q&A
2

There are 2 answers

0
Rob Audenaerde On

I ended up creating this 00_users.sh script and putting it in the /docker-entrypoint-initdb.d/

Dockerfile

 FROM postgres:12.4
 EXPOSE 5432
 COPY 00_users.sh /docker-entrypoint-initdb.d/

Content:

#!/bin/bash
set -e

MYPASS=$(cat /run/secrets/postgres-secret)


psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
  CREATE USER secretuser SUPERUSER ;
  ALTER USER secretuser WITH PASSWORD '${MYPASS}';

EOSQL
1
Marc0 On

I had a similar problem and solved it with docker build secrets:

WORKDIR /etc/icinga2/conf.d
COPY icinga2/api-users.conf .
RUN --mount=type=secret,required=true,id=ICINGA_API_ROOT_PASSWORD \
    ICINGA_API_ROOT_PASSWORD=$(cat /run/secrets/ICINGA_API_ROOT_PASSWORD) \
    sed --regexp-extended --in-place "s/\<ICINGA_API_ROOT_PASSWORD\>/$(cat /run/secrets/ICINGA_API_ROOT_PASSWORD)/" api-users.conf

I still don't know if it is elegant enough because there is repeated code but it works. If I understand the documentation correctly one always has to mount the secret to use it.

Related Questions in DOCKER

Related Questions in TEMPLATES

Related Questions in DOCKER-COMPOSE

Related Questions in DOCKER-SECRETS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions