Hide/obfuscate environmental parameters in docker


I'm using the mysql image as an example, but the question is generic.

The password used to launch mysqld in docker is not visible in docker ps; however, it is visible in docker inspect:

sudo docker run --name mysql-5.7.7 -e MYSQL_ROOT_PASSWORD=12345 -d mysql:5.7.7

sudo docker ps

CONTAINER ID        IMAGE               COMMAND                   CREATED             STATUS              PORTS               NAMES
b98afde2fab7        mysql:5.7.7         "/entrypoint.sh mysq   6 seconds ago       Up 5 seconds        3306/tcp            mysql-5.7.7

sudo docker inspect b98afde2fab75ca433c46ba504759c4826fa7ffcbe09c44307c0538007499e2a

"Env": [
        "MYSQL_ROOT_PASSWORD=12345",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "MYSQL_MAJOR=5.7",
        "MYSQL_VERSION=5.7.7-rc"
    ]

Is there a way to hide/obfuscate environment parameters passed when launching containers? Alternatively, is it possible to pass sensitive parameters by reference to a file?

Votes: 2

Answer (votes: 1, accepted answer)

You say "Alternatively, is it possible to pass sensitive parameters by reference to a file?". An extract from the docs (http://docs.docker.com/reference/commandline/run/):

    --env-file=[]    Read in a file of environment variables.

Answer (votes: 3)

Weirdly, I'm just writing an article on this.

I would advise against using environment variables to store secrets, mainly for the reasons Diogo Monica outlines here; they are visible in too many places (linked containers, docker inspect, child processes) and are likely to end up in debug info and issue reports. I don't think using an environment variable file will help mitigate any of these issues, although it would stop values getting saved to your shell history.

Instead, you can pass in your secret in a volume, e.g.:

$ docker run -v $(pwd)/my-secret-file:/secret-file ....

If you really want to use an environment variable, you could pass it in as a script to be sourced, which would at least hide it from inspect and linked containers (e.g. CMD source /secret-file && /run-my-app).

The main drawback with using a volume is that you run the risk of accidentally checking the file into version control.

A better, but more complicated, solution is to get it from a key-value store such as etcd (with crypt), keywhiz or vault.
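The two answers above describe two different places a secret can live: an --env-file, which only keeps the value off the command line (docker still records it in the container config, so docker inspect shows it unchanged), and a file mounted with -v, which docker never records at all. The following added example (not code from the question or either answer) shows the second approach as a small POSIX sh entrypoint helper: it reads the mounted file, refuses a file that is empty or readable by group/others, and hands the value to the application process only. The function names read_secret_file and run_with_file_secret and the path /secret-file are assumptions taken from the answer's docker run line, not anything the answers define.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Assumed names: read_secret_file, run_with_file_secret and the mount path
# /secret-file from the answer's `docker run -v ...:/secret-file` line.
#
# Background for the two approaches discussed above:
#   --env-file=secrets.env      keeps KEY=VALUE lines out of the command line
#                               and shell history, but docker still stores them
#                               in the container config, so `docker inspect`
#                               lists them exactly as with -e.
#   -v ./my-secret:/secret-file the value never reaches docker's config; the
#                               entrypoint reads it at start-up instead.
# The functions below implement the second approach.

# read_secret_file FILE
# Prints FILE's contents with trailing newlines stripped.  Refuses a missing
# or empty file, and a file readable by group or others.  The permission check
# uses `ls -ld` so it works on both GNU and BSD userlands.
read_secret_file() {
  _sf=$1
  if [ ! -f "$_sf" ]; then
    echo "secret file $_sf is missing" >&2
    return 1
  fi
  _mode=$(ls -ld "$_sf" | cut -c5-10)   # group+other permission bits
  if [ "$_mode" != "------" ]; then
    echo "secret file $_sf is readable by group/others (bits: $_mode)" >&2
    return 1
  fi
  _val=$(cat "$_sf")                   # $(...) strips trailing newlines
  if [ -z "$_val" ]; then
    echo "secret file $_sf is empty" >&2
    return 1
  fi
  printf '%s' "$_val"
}

# run_with_file_secret VAR FILE COMMAND [ARG...]
# Loads FILE into VAR for COMMAND only.  `env VAR=value cmd` puts the
# variable solely in the child's environment: it is absent from this shell,
# from `docker inspect` (which only lists what was given at `docker run`) and
# from linked containers.  As the answer notes, it is still readable in
# /proc/<pid>/environ of COMMAND itself, so file permissions on the mounted
# secret and a non-root application user remain important.
run_with_file_secret() {
  _var=$1
  _file=$2
  shift 2
  _secret=$(read_secret_file "$_file") || return 1
  env "$_var=$_secret" "$@"
}

# Typical use as the last line of a container entrypoint script (hypothetical
# Dockerfile: ENTRYPOINT ["/entrypoint-wrapper.sh"]):
#   run_with_file_secret MYSQL_ROOT_PASSWORD /secret-file /entrypoint.sh mysqld
```

In a real entrypoint the last line would be `exec env ...` rather than plain `env`, so that mysqld becomes PID 1 and receives docker's stop signal directly; the function keeps `env` so it can be called and checked from a test. Note that the `source /secret-file && /run-my-app` variant from the answer achieves the same thing for docker inspect, but exports the variable into the shell that sources it and therefore into every process that shell starts, not just the application.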