Protecting Sensitive Information in Docker Compose
Jan. 3, 2018, 11:06 a.m. by Avery Uslaner
Hide Yo Passwords!
If you have multiple containers in a swarm service, this won't be the path for you. If you do have a docker swarm service, check out docker secrets.
I, however, don't have a swarm, and I don't see any benefit in converting my setup into a swarm of size one, as the docker secret docs offer as a suggestion. So instead, I'll be using good ol' environment variables. The problem, however, is that I want to share as much of my code publicly as possible but without exposing any sensitive information. To this end, I'll be using the handy env_file option in my docker-compose file.
You can specify the file location like so:
version: '3'
services:
  # PostGIS database
  db:
    env_file: /opt/db_secrets.env
    image: my_postgis
  # Redis
  redis:
    image: redis:3.2.11
    hostname: redis
  # RabbitMQ
  rabbit:
    hostname: rabbit
    image: rabbitmq:3.7.2
    env_file: /opt/rabbit_secrets.env
  # Django web server
  web:
    build: .
    env_file: /opt/django_secrets.env
    command: python manage.py runserver 0.0.0.0:8000
    volumes:
      - .:/code
    ports:
      - "8000:8000"
    depends_on:
      - db
I've opted to store my environment variable files in the /opt directory, far from my source control directory so I don't accidentally end up pushing anything I don't intend to make public.
Make sure to define the environment variables within those files using the following notation, with one credential per line:
Now, the only thing left to do is modify the file permissions for the sake of the docker container:
sudo chown root:docker /opt/rabbit_secrets.env
sudo chmod 740 /opt/rabbit_secrets.env
And now you're ready to roll.
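A quick way to verify the setup above, as an added example that is not part of the original post: the script reads the env_file paths out of a compose file and flags any that are missing, accessible to other local users, or sitting inside a git working tree. The function names are illustrative, and it only handles the single-path env_file form used in the compose file above.

```shell
#!/bin/sh
# Added example: audit the env files a docker-compose file points at.

# Print each env_file path (single-path form only, as in the compose file above).
compose_env_files() {
    sed -n 's/^[[:space:]]*env_file:[[:space:]]*\([^[:space:]#]\{1,\}\).*$/\1/p' "$1"
}

# Octal permission bits: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if the file lives under a directory that contains .git.
in_git_tree() {
    _dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    while [ -n "$_dir" ]; do
        [ -e "$_dir/.git" ] && return 0
        _dir=${_dir%/*}
    done
    [ -e /.git ]
}

# Report on one env file; returns non-zero if it has a finding.
audit_env_file() {
    _bad=0
    [ -f "$1" ] || { echo "MISSING  $1"; return 1; }
    _mode=$(file_mode "$1")
    # The last octal digit is the "other" class: any bit set there gives
    # every local account some access to the credentials file.
    case "$_mode" in
        *[1-7]) echo "WORLD    $1 (mode $_mode)"; _bad=1 ;;
    esac
    if in_git_tree "$1"; then echo "IN-REPO  $1"; _bad=1; fi
    [ "$_bad" -eq 0 ] && echo "OK       $1 (mode $_mode)"
    return "$_bad"
}

# Audit every env file a compose file references; non-zero if any fails.
audit_compose() {
    _rc=0
    while IFS= read -r _f; do
        [ -n "$_f" ] || continue
        audit_env_file "$_f" || _rc=1
    done <<EOF
$(compose_env_files "$1")
EOF
    return "$_rc"
}
```

After sourcing the file, run `audit_compose docker-compose.yml`; a non-zero exit status means at least one env file has a finding. It does not check the root:docker ownership set above.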