Unraid 6.8.3 - Docker and Secrets File


Hello Everyone,

I wanted to ask the community if someone managed to use Secrets File with Docker.
I saw that on some Images (for example the one of linuxserver.io) there is the possibility to use secrets.

From my understanding, to make it work I'll have to modify the variable which needs the password, adding FILE__ at the beginning and, as the value, the file path of the secret file.


But, since I'm here - obviously I haven't got it to work.

Is anyone using secrets with Docker images from linuxserver.io?


Glad for any help.

 

Cheers

  • 3 weeks later...

Docker doesn't actually support secrets if you aren't running a swarm. Docker Compose secrets are just read-only bind mounts under the covers.

 

If you are not using swarm, the plain text of the "secret" is stored on disk anyway. There is a benefit to sharing secrets in this way, however, as you avoid unintentionally leaking sensitive environment variables between containers.

 

In a compose file, this would be the same as using "secrets":

version: "3.7"
services:
  example:
    image: traefik:latest
    volumes:
      - type: bind
        source: ./secret_file.txt
        target: /var/secrets/secret_file.txt
        read_only: true

 

Thoughts about the Docker implementation in Unraid aside, you can add a file to your server and bind mount it through the UI or XML.

 

If you really want to add secrets, you will have to set up your own vault.

  • 3 years later...

But there is a benefit to using secrets with files vs including the secrets in environment variables, right? @neecapp

https://gist.github.com/bvis/b78c1e0841cfd2437f03e20c1ee059fe

 

I have tried to implement it as explained here; I am also using Docker Compose Manager

https://github.com/brokenscripts/authentik_traefik

 

But I'm not sure what the real path is where I have to store the secrets; in the example it is

"/ssd/compose/secrets/authelia_notifier_smtp_password"

 

What would be the path for Docker Compose in Unraid? @primeval_god

 

Any help or guidance will be welcome.

  • Community Expert
5 hours ago, L0rdRaiden said:

What would be the path for docker compose in unraid? @primeval_god

I am not sure what you are asking here. Do you mean the path to the compose.manager project folder where the .yml file is? If so, it depends on whether or not you specified a non-default directory when creating the stack. If it is the default directory, it's on the boot drive, but I recommend against placing custom files there. Better to have all your app-specific files under your appdata folder and use absolute paths to resources in your compose file.
If you are asking about some other path, you will have to be more specific.

9 hours ago, primeval_god said:

I am not sure what you are asking here. Do you mean the path to the compose.manager project folder where the .yml file is? If so, it depends on whether or not you specified a non-default directory when creating the stack. If it is the default directory, it's on the boot drive, but I recommend against placing custom files there. Better to have all your app-specific files under your appdata folder and use absolute paths to resources in your compose file.
If you are asking about some other path, you will have to be more specific.

 

I'm trying to use secrets with Docker Compose in Unraid.

 

Right now I'm using this

 

compose

###############################################################
# Nextcloud
###############################################################

version: "3.9"

# Services ####################################################

services:

  db:
    image: postgres:alpine
    container_name: Nextcloud_Postgres
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 10s
      timeout: 5s
      retries: 10
    networks:
      - nextcloud_network
    environment:
      - TZ
      - POSTGRES_PASSWORD
      - POSTGRES_USER
      - POSTGRES_DB
      #- POSTGRES_INITDB_ARGS
      #- POSTGRES_INITDB_WALDIR
      #- POSTGRES_HOST_AUTH_METHOD
    secrets:
      - POSTGRES_PASSWORD
      - POSTGRES_USER
      - POSTGRES_DB
    volumes:
      - /mnt/user/Docker/Nextcloud/postgres/data:/var/lib/postgresql/data:z
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  pgbackups:
    image: prodrigestivill/postgres-backup-local
    container_name: NextCloud_pgbackups
    restart: unless-stopped
    user: postgres:postgres # Optional: see below
    networks:
      - nextcloud_network
    volumes:
      - /mnt/user/Docker/Nextcloud/pgbackups:/backups
    links:
      - db
    depends_on:
      db:
        condition: service_healthy
    environment:
      - TZ
      - POSTGRES_HOST
      - POSTGRES_DB
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      #- POSTGRES_PASSWORD_FILE=/run/secrets/db_password <-- alternative for POSTGRES_PASSWORD (to use with docker secrets)
      - POSTGRES_EXTRA_OPTS=-Z6
      - SCHEDULE=0 1 */3 * * #At 01:00 AM, every 3 days
      - BACKUP_KEEP_DAYS=6
      #- BACKUP_KEEP_WEEKS=4
      #- BACKUP_KEEP_MONTHS=6
      - HEALTHCHECK_PORT=5432
    secrets:
      - POSTGRES_DB
      - POSTGRES_USER
      - POSTGRES_PASSWORD
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  redis:
    image: redis:alpine
    container_name: NextCloud_Redis
    restart: unless-stopped
    command: redis-server --requirepass $REDIS_HOST_PASSWORD
    volumes:
      - /mnt/user/Docker/Nextcloud/redis:/data
    environment:
      - TZ
    networks:
      - nextcloud_network
    secrets:
      - REDIS_HOST_PASSWORD
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  app:
    image: nextcloud:fpm-alpine
    container_name: Nextcloud
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    networks:
      nextcloud_network:
      br1:
        ipv4_address: 10.10.40.161
    dns:
      - 10.10.50.5
    volumes:
      - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html:z
      - /mnt/user/Docker/Nextcloud/nextcloud/custom_apps:/var/www/html/custom_apps:z
      - /mnt/user/Docker/Nextcloud/nextcloud/config:/var/www/html/config:z
      - /mnt/user/Docker/Nextcloud/nextcloud/data:/var/www/html/data:z
      - /mnt/user/Personal/Nextcloud:/var/www/html/data
      - /mnt/user/Personal/Photos:/Albums
    environment:
      - TZ
      - POSTGRES_DB
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_HOST
      - REDIS_HOST
      - REDIS_HOST_PASSWORD
    secrets:
      - POSTGRES_PASSWORD
      - POSTGRES_DB
      - POSTGRES_USER
      - REDIS_HOST_PASSWORD
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  web:
    build: ./web
    container_name: NextCloud_Nginx-fpm
    restart: unless-stopped
    networks:
      nextcloud_network:
      br1:
        ipv4_address: 10.10.40.160
    ports:
      - 8080:80
    dns:
      - 10.10.50.5
    volumes:
      - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html:z,ro
    environment:
      - TZ
    depends_on:
      - app

  cron:
    image: nextcloud:fpm-alpine
    container_name: NextCloud_Cron
    restart: unless-stopped
    depends_on:
      - db
      - redis
    networks:
      - nextcloud_network
    volumes:
      - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html:z
      - /mnt/user/Docker/Nextcloud/nextcloud/custom_apps:/var/www/html/custom_apps:z
      - /mnt/user/Docker/Nextcloud/nextcloud/config:/var/www/html/config:z
      - /mnt/user/Docker/Nextcloud/nextcloud/data:/var/www/html/data:z
      - /mnt/user/Personal/Nextcloud:/var/www/html/data:z
    environment:
      - TZ
    entrypoint: /cron.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

# Networks ####################################################

networks:
  br1:
    driver: macvlan
    external: true
  nextcloud_network:
    internal: true

# Docker Secrets ##############################################

secrets:
  # POSTGRES_PASSWORD
  POSTGRES_PASSWORD:
    file: $DOCKERDIR/secrets/POSTGRES_PASSWORD.txt
  # POSTGRES_USER
  POSTGRES_USER:
    file: $DOCKERDIR/secrets/POSTGRES_USER.txt
  # POSTGRES_DB
  POSTGRES_DB:
    file: $DOCKERDIR/secrets/POSTGRES_DB.txt
  # REDIS_HOST_PASSWORD
  REDIS_HOST_PASSWORD:
    file: $DOCKERDIR/secrets/REDIS_HOST_PASSWORD.txt

 

with this env file
###############################################################
# Nextcloud
###############################################################

DOCKERDIR=/boot/config/plugins/compose.manager/projects/Nextcloud
TZ=Europe/Madrid
PUID=99
PGID=100

# Redis

#REDIS_HOST_PASSWORD=/run/secrets/REDIS_HOST_PASSWORD.txt
REDIS_HOST_PASSWORD=password

REDIS_HOST=redis

# Postgres

POSTGRES_PASSWORD=/run/secrets/POSTGRES_PASSWORD.txt
POSTGRES_USER=/run/secrets/POSTGRES_USER.txt
POSTGRES_DB=/run/secrets/POSTGRES_DB.txt

POSTGRES_HOST=db

 

but as you can see below the secrets are not being loaded correctly

 

If I put the passwords in the env file it works; I was trying to learn how to use secrets.

 

I have the feeling that Docker is not loading the secrets correctly from the path

/boot/config/plugins/compose.manager/projects/Nextcloud/secrets

 

Maybe it doesn't have access, or it's not the right path...

I think I'm doing everything right, but I have spent a few hours reading and trying to fix it without success

https://docs.docker.com/compose/use-secrets/

Edited by L0rdRaiden
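The mechanism the thread is circling, as an added example that is not code from the thread or from any of the images mentioned: Compose mounts each file secret read-only inside the container at /run/secrets/<secret name> (the secret's name, not the host file name), and images that support it read the secret from the path named in a VAR_FILE variable (postgres) or a FILE__VAR variable (linuxserver.io); setting POSTGRES_PASSWORD itself to the path just makes that path string the password. The file_env and resolve_password functions and the sample secret file below are constructed for this demo, modelled on that convention rather than copied from any image's entrypoint.

```shell
#!/bin/sh
# Added example, not from the thread: models the "_FILE" convention used by
# images such as postgres to read a secret from a mounted file.
# file_env VAR [default]: exports VAR from $VAR, or from the file named by
# $VAR_FILE, and refuses both being set (re-implementation, not image code).
file_env() {
    var="$1"
    def="${2:-}"
    fvar="${var}_FILE"
    eval "val=\${$var:-}"
    eval "fval=\${$fvar:-}"
    if [ -n "$val" ] && [ -n "$fval" ]; then
        echo "error: both $var and $fvar are set (exclusive)" >&2
        return 1
    fi
    if [ -n "$fval" ]; then
        val=$(cat "$fval")   # $(...) strips the trailing newline
    fi
    : "${val:=$def}"
    export "$var=$val"
    unset "$fvar"
}

# resolve_password VALUE FILEPATH: returns what a container would actually
# use as the password for that environment (constructed demo helper).
resolve_password() {
    unset POSTGRES_PASSWORD POSTGRES_PASSWORD_FILE
    [ -n "${1:-}" ] && export POSTGRES_PASSWORD="$1"
    [ -n "${2:-}" ] && export POSTGRES_PASSWORD_FILE="$2"
    file_env POSTGRES_PASSWORD || return 1
    printf '%s' "$POSTGRES_PASSWORD"
}

# Constructed sample secret; the temp dir stands in for /run/secrets.
SECRETS_DIR="${TMPDIR:-/tmp}/secrets_demo_$$"
mkdir -p "$SECRETS_DIR"
printf 's3cr3t-from-file\n' > "$SECRETS_DIR/POSTGRES_PASSWORD"
chmod 0400 "$SECRETS_DIR/POSTGRES_PASSWORD"

# Wrong (what the env file above does): the path string becomes the password.
resolve_password "$SECRETS_DIR/POSTGRES_PASSWORD" ""
echo
# Right: POSTGRES_PASSWORD_FILE makes the image read the mounted file.
resolve_password "" "$SECRETS_DIR/POSTGRES_PASSWORD"
echo
```

Run it with sh to see the two resolved values side by side; the second line is the one a working secrets setup produces.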

  • Community Expert

I have never used secrets before with Docker Compose, so I doubt I can be of much help. Just in general, though, I recommend against putting any additional files in the "/boot/config/plugins/compose.manager/projects/*" directories. I recommend putting any additional files for your compose stack somewhere under appdata (though it looks like you call your appdata folder "Docker"). If you must have something placed relative to the compose file, or really want to keep everything together, there is an advanced option when creating a stack that lets you specify the folder location in which to place the compose stack files. Again, the recommendation would be under appdata. I don't know if this would have an effect on your secrets issue, though maybe it is a permissions issue, as the flash drive is FAT32 formatted.

  • 2 years later...

For anyone who is seeing this years down the road: the secrets files don't actually sit in the boot directories, but are only accessible within the Docker containers and are deleted at each boot. As far as a solution for anyone who sees this, I don't have one yet.
