Secrets are not available in Docker container

Time:12-11

I created the secret "databasePassword" using the command below:

echo 123456 | docker secret create databasePassword -

Below is my yml file to create the MySQL and phpMyAdmin where I'm trying to use this secret in the yml file.

version: '3.1'

services:

  db:
    image: mysql
    command: --default-authentication-plugin=mysql_native_password
    restart: unless-stopped
    container_name: db-mysql
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: 'false'
      MYSQL_ROOT_PASSWORD: /run/secrets/databasePassword
    ports:
      - 3306:3306
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      timeout: 20s
      retries: 10
    secrets:
      - databasePassword

  beyond-phpmyadmin:
    image: phpmyadmin
    restart: unless-stopped
    container_name: beyond-phpmyadmin
    environment:
      PMA_HOST: db-mysql
      PMA_PORT: 3306
      PMA_ARBITRARY: 1
    links:
      - db
    ports:
      - 8081:80

But the databasePassword is not getting set as 123456. It is set as the string "/run/secrets/databasePassword". I tried using docker stack deploy also, but it also didn't work.

After some web research, I tried setting the secrets at the end of the file like below, but it also didn't work.

version: '3.1'

services:

  db:
    image: mysql
    command: --default-authentication-plugin=mysql_native_password
    restart: unless-stopped
    container_name: db-mysql
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: 'false'
      MYSQL_ROOT_PASSWORD: /run/secrets/databasePassword
    ports:
      - 3306:3306
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      timeout: 20s
      retries: 10
    secrets:
      - databasePassword

  beyond-phpmyadmin:
    image: phpmyadmin
    restart: unless-stopped
    container_name: beyond-phpmyadmin
    environment:
      PMA_HOST: db-mysql
      PMA_PORT: 3306
      PMA_ARBITRARY: 1
    links:
      - db
    ports:
      - 8081:80
secrets:
  databasePassword:
    external: true

CodePudding user response:

Docker cannot know that /run/secrets/databasePassword is not a literal value of the MYSQL_ROOT_PASSWORD variable, but a path to a file that you would like to read the secret from. That's not how secrets work. They are simply available in a /run/secrets/<secret-name> file inside the container. To use a secret, your container needs to read it from the file.

Fortunately for you, the mysql image knows how to do it. Simply use MYSQL_ROOT_PASSWORD_FILE instead of MYSQL_ROOT_PASSWORD:

services:
  db:
    image: mysql
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: 'false'
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/databasePassword
    secrets:
      - databasePassword

...

secrets:
  databasePassword:
    external: true

See "Docker Secrets" in the mysql image documentation.
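For an image that has no built-in `_FILE` support, the entrypoint has to read the secret file itself. The sketch below is an added example, not part of the answer above and not code from the mysql image; `load_secret_env` is a hypothetical helper name, and a temp file stands in for /run/secrets/databasePassword.

```shell
#!/bin/sh
# Added example. load_secret_env is a hypothetical helper, not code from the mysql image.
# Resolves VAR from VAR_FILE so a secret mounted under /run/secrets never has to be
# written into the compose file as a literal value.
load_secret_env() {
    lse_var="$1"
    # Only accept a plain variable name, since it is passed to eval below.
    case "$lse_var" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "error: invalid name" >&2; return 2 ;;
    esac
    lse_file_var="${lse_var}_FILE"
    eval "lse_val=\${$lse_var:-}"
    eval "lse_file=\${$lse_file_var:-}"
    if [ -n "$lse_val" ] && [ -n "$lse_file" ]; then
        echo "error: $lse_var and $lse_file_var are both set" >&2
        return 1
    fi
    if [ -n "$lse_file" ]; then
        if [ ! -r "$lse_file" ]; then
            echo "error: cannot read $lse_file" >&2
            return 1
        fi
        # Command substitution drops the trailing newline that `echo` put in the secret.
        lse_val="$(cat "$lse_file")"
    else
        # The mistake from the question: a secret path used as the value itself.
        case "$lse_val" in
            /run/secrets/*) echo "warning: $lse_var looks like a secret path; use $lse_file_var" >&2 ;;
        esac
    fi
    export "$lse_var=$lse_val"
    unset "$lse_file_var"
}

# Constructed demo: a temp file stands in for /run/secrets/databasePassword.
(
    tmp="$(mktemp)"
    echo 123456 > "$tmp"
    unset MYSQL_ROOT_PASSWORD
    MYSQL_ROOT_PASSWORD_FILE="$tmp"
    load_secret_env MYSQL_ROOT_PASSWORD
    echo "MYSQL_ROOT_PASSWORD resolved, length ${#MYSQL_ROOT_PASSWORD}"
    rm -f "$tmp"
)
```

The helper refuses to run when both the variable and its `_FILE` twin are set, so a leftover plaintext value cannot silently override the secret.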
