I have a docker application which is running a python flask rest api.
I would like the user to input (getpass()) the database password instead of having it in any open readable config file.
Since I am also using docker network to resolve the dns names I would like to use docker compose up instead of docker compose run, because run always creates new containers, which is interfering with my name resolution.
This is the docker compose file (illustrating just the affected service):
version: '3.4'
services:
  rest-api:
    image: rest_api:latest
    container_name: rest_api
    tty: true
    stdin_open: true
    ports:
      - 5000:5000
    networks:
      - mynetwork
networks:
  mynetwork:
    name: any_network
When starting the service with docker compose up it is just waiting without getting the prompt and the terminal does not react to any input by the user.
[Screenshot: docker compose up CLI]
With docker compose run the input field is working properly but name resolution is not working anymore since a new container name is created.
[Screenshot: docker compose run CLI with user prompt]
What would you recommend to overcome this issue?
- Shall I define static IP addresses in the compose file for all my services?
- Can I have an encrypted config file to store the password? But I actually don't want any hardcoded passwords to open the config.
- I know that the run command brings somehow its own terminal settings. Can I have compose up behave in the same way? What settings may I need to add to the compose file then?
- Shall I simply remove the containers after stopping them and always start compose run with --name in it to ensure the container naming? But then I would need to start all my services separately instead of just using the compose up command to start all at once. As I remember the run command also needs the port expose parameter since it is not read from the compose file, right?
Many thanks for any advice!
CodePudding user response:
You can try using docker secrets as mentioned in the official documentation.
If you don't want to define the secret in the docker-compose file, then you can manually create it beforehand using the docker secret create command.
Example: echo "DBPASS" | docker secret create db_pass -
CodePudding user response:
You should absolutely use docker-compose up to start your containers. run is intended for "one-off" containers with configuration inspired by your Compose file. You might use it to run migrations, for example, but not your main service.
Compose never interacts with its input in any meaningful way; your proposal to interactively request a password and then run in the background isn't something Compose can do. One useful approach can be to put the credential in an environment variable, like
services:
  rest-api:
    environment:
      - DATABASE_PASSWORD # with no value
and then provide that password when you start the container stack
DATABASE_PASSWORD=passw0rd docker-compose up -d
(Completely ignore the container-private IP addresses. You never need to know or manually specify them.)
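One way the Flask service could pick up the password under either answer's approach, as an added example that is not part of the original posts. It assumes the secret is named db_pass as in the first answer (Docker mounts it at /run/secrets/db_pass) and the variable is DATABASE_PASSWORD as in the second; load_db_password and MissingCredential are hypothetical names.

```python
import os
from pathlib import Path

# Assumptions: a secret named db_pass is mounted by Docker at this path, and
# DATABASE_PASSWORD is the variable passed through by the Compose file.
SECRET_FILE = Path("/run/secrets/db_pass")
ENV_VAR = "DATABASE_PASSWORD"


class MissingCredential(RuntimeError):
    """Raised when no database password was supplied to the container."""


def load_db_password(secret_file=SECRET_FILE, env=None):
    """Return (password, source), preferring the secret file over the env."""
    env = os.environ if env is None else env

    # Always drop the variable so subprocesses started later do not inherit it.
    from_env = env.pop(ENV_VAR, "")

    try:
        # A mounted secret is a file, so it is not part of the container's
        # environment (which `docker inspect` displays).
        value, source = Path(secret_file).read_text(encoding="utf-8"), "secret file"
    except FileNotFoundError:
        value, source = from_env, "environment"

    # `echo "..." | docker secret create` stores a trailing newline; strip only
    # line endings so passwords with leading or trailing spaces survive.
    value = value.rstrip("\r\n")
    if not value:
        raise MissingCredential(
            f"no database password in {secret_file} or ${ENV_VAR}"
        )
    return value, source


if __name__ == "__main__":
    try:
        _, source = load_db_password()
        # Log where the credential came from, never the credential itself.
        print(f"database password loaded from {source}")
    except MissingCredential as exc:
        raise SystemExit(f"refusing to start: {exc}")
```

Failing at startup when neither source is present keeps the service from coming up with an empty password.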