From examples I've seen one can set environment variables in docker-compose.yml like so:

services:
  postgres:
    image: my_node_app
    ports: -8080:8080
    environment:
      APP_PASSWORD: mypassword
      ...

For security reasons, my use case requires me to fetch the password from a server that we have a bash client for:

#!/bin/bash
get_credential <server> <dev-environment> <role> <key>

In docker documentation, I found this, which says that I can pass in shell environment variable values to docker compose. So I can run the bash client to grab the passwords in my starting shell that creates the docker instances. However, that requires me to have my bash client outside docker and inside my maven project.

Another way to do this would be to run/cmd/entrypoint a bash script that can set environment variable for the docker instance. Since my docker image runs node.js, currently my Dockerfile is like this:

FROM node:4-slim
MAINTAINER myself

# ... do Dockerfile stuff

# TRIAL #1: run a bash script to set the environment variable --- UNSUCCESSFUL!
COPY set_en_var.sh /
RUN chmod +x /set_en_var.sh
RUN /bin/bash /set_en_var.sh

# original entry point
#ENTRYPOINT ["node", "mynodeapp.js", "configuration.js"]

# TRIAL #2: use a bash script as entrypoint that sets
# the environment variable and runs my node app --- UNSUCCESSFUL TOO!
ENTRYPOINT ["/entrypoint.sh"]

Here is the code for entrypoint.sh:

. mybashclient.sh
cred_str=$(get_credential <server> <dev-environment> <role> <key>)
export APP_PASSWORD=( $cred_str )

# run the original entrypoint command
node mynodeapp.js configuration.js

And here is code for my set_en_var.sh:

. mybashclient.sh
cred_str=$(get_credential <server> <dev-environment> <role> <key>)
export APP_PASSWORD=( $cred_str )

So 2 questions:

  1. Which is a better choice, having my bash client for password live inside docker or outside docker?
  2. If I were to have it inside docker, how can I use cmd/run/entrypoint to achieve this?
  • What does . mybashclient.sh do? What is the content of mybashclient.sh? Commented Jul 27, 2017 at 16:56
  • Also ports: -8080:8080. I hope the - is a typo Commented Jul 27, 2017 at 16:59
  • @TarunLalwani . mybashclient.sh is supposed to source the script. And the script contains a function called get_credential. Commented Jul 27, 2017 at 17:10
  • Got it. Read my answer then Commented Jul 27, 2017 at 17:12

1 Answer

Which is a better choice, having my bash client for password live inside docker or outside docker?

Always have it inside. You don't want dependencies on the host OS. You want to avoid that situation as much as possible.

If I were to have it inside docker, how can I use cmd/run/entrypoint to achieve this?

Consider the below line of code you used

RUN /bin/bash /set_en_var.sh

This won't work at all, because you don't make any change to the docker container as such. You just run a bash which gets some environment variables, and then the bash exits and nothing on the OS gets changed. Dockerfile build will only maintain changes that happened to the OS from that command. And in your case, except for that session of the bash, nothing changes.

Next, your approach to do this during the build time is also not justified. If you build it with the environment variables inside it, then you are breaking the purpose of having a command to fetch the latest credentials. Suppose you change the password, then this would require you to rebuild the image (in case it had worked).

Now your entrypoint.sh approach is the right one and it should work. You should just check what is going wrong with it. Also echo the cred_str for your testing to make sure you are getting the right credential details back from the command.

Last you should change the line

node mynodeapp.js configuration.js

to

exec node mynodeapp.js configuration.js

This makes sure that your node process becomes the PID 1.

4 Comments

I made the suggested changes. The docker file can be built and I can do docker run on it. It shows in docker ps that command is /entrypoint.sh. But when I do docker inspect, I don't see any environment variable named APP_PASSWORD, although I do see things like: "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "NPM_CONFIG_LOGLEVEL=info", "NODE_VERSION=4.8.4",
I did not even use the client script to grab live passwords. I just used a stand in like this: export APP_PASSWORD="LOCAL"
Found out that I did get the environment variable in the docker container, just not in the root process. It's actually visible in the spawned node process. Thanks for the explanation.
Yes that is right. You can always check that using ps auxe or you can even use cat /proc/1/environ | tr '\0' '\n' to see the environment of PID. This would only work if you used exec to get node the PID 1
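
An added example, not part of the original question or answer: it runs the question's array-style `export APP_PASSWORD=( $cred_str )` beside a scalar export and shows which one reaches the exec'd process, and that `exec` keeps the wrapper's PID. The `get_credential` stand-in, the temp files and the function names `show_env` and `distinct_pids_with_exec` are constructed for the demo; it assumes `bash` is installed.

```shell
#!/bin/bash
# Constructed demo: every file and value below is made up for illustration.
unset APP_PASSWORD
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Stand-in for mybashclient.sh; the real client would contact the server.
cat > "$workdir/mybashclient.sh" <<'EOF'
get_credential() { printf '%s\n' "constructed-secret"; }
EOF

# Variant A: array assignment, as written in the question's entrypoint.sh.
# Bash never places array variables in a child's environment.
cat > "$workdir/entrypoint_array.sh" <<'EOF'
. "$(dirname "$0")/mybashclient.sh"
cred_str=$(get_credential)
export APP_PASSWORD=( $cred_str )
exec "$@"
EOF

# Variant B: scalar assignment; stop if the client fails; exec the app.
cat > "$workdir/entrypoint_scalar.sh" <<'EOF'
. "$(dirname "$0")/mybashclient.sh"
APP_PASSWORD=$(get_credential) || exit 1
export APP_PASSWORD
exec "$@"
EOF

# Run an entrypoint with a tiny "app" that reports what it inherited.
show_env() {
  bash "$workdir/$1" sh -c 'printf %s "${APP_PASSWORD:-unset}"'
}

# exec replaces the shell, so the wrapper and the app share one PID.
# Prints the number of distinct PIDs observed.
distinct_pids_with_exec() {
  bash -c 'echo $$; exec sh -c "echo \$\$"' | sort -u | wc -l | tr -d ' '
}

echo "array export:  $(show_env entrypoint_array.sh)"
echo "scalar export: $(show_env entrypoint_scalar.sh)"
echo "distinct PIDs: $(distinct_pids_with_exec)"
```

A variable exported this way lives only in the process environment, so `docker inspect` does not list it: that output reflects the environment configured on the image and at container creation, not what the entrypoint sets at run time.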
