TDA Posted March 26, 2020

Hello Everyone,

I wanted to ask the community if someone has managed to use a secrets file with Docker. I saw that on some images (for example the ones from linuxserver.io) there is the possibility to use secrets. From my understanding, to make it work I'll have to modify the variable which needs the password, adding FILE__ at the beginning and, as the value, the file path of the secret file. But, since I'm here, obviously I haven't gotten it to work.

Is someone using secrets with the docker images of linuxserver.io? Glad for any help.

Cheers
neecapp Posted April 10, 2020

Docker doesn't actually support secrets if you aren't running a swarm. Docker-compose secrets are just read-only bind mounts under the covers. If you are not using swarm, the plain text of the "secret" is stored on disk anyway. There is a benefit to sharing secrets in this way, however, as you avoid unintentionally leaking sensitive environment variables between containers.

In a compose file, this would be the same as using "secrets":

    version: "3.7"
    services:
      example:
        image: traefik:latest
        volumes:
          - type: bind
            source: ./secret_file.txt
            target: /var/secrets/secret_file.txt
            read_only: true

Thoughts about the docker implementation in Unraid aside, you can add a file to your server and bind mount it through the UI or XML. If you really want to add secrets, you will have to set up your own vault.
L0rdRaiden Posted May 18, 2023

But there is a benefit to using secrets with files vs including the secrets in environment variables, right? @neecapp

https://gist.github.com/bvis/b78c1e0841cfd2437f03e20c1ee059fe

I have tried to implement it like it is explained here; I am also using docker compose manager.

https://github.com/brokenscripts/authentik_traefik

But I'm not sure what the real path is where I have to store the secrets; in the example it is "/ssd/compose/secrets/authelia_notifier_smtp_password". What would be the path for docker compose in unraid? @primeval_god

Any help or guidance will be welcome.
primeval_god Posted May 18, 2023

5 hours ago, L0rdRaiden said:
    What would be the path for docker compose in unraid? @primeval_god

I am not sure what you are asking here. Do you mean the path to the compose.manager project folder where the .yml file is? If so, it depends on whether or not you specified a non-default directory when creating the stack. If it is the default directory, it's on the boot drive, but I recommend against placing custom files there. Better to have all your app-specific files under your appdata folder and use absolute paths to resources in your compose file. If you are asking about some other path, you will have to be more specific.
L0rdRaiden Posted May 19, 2023 (edited)

9 hours ago, primeval_god said:
    I am not sure what you are asking here. Do you mean the path to the compose.manager project folder where the .yml file is? If so, it depends on whether or not you specified a non-default directory when creating the stack. If it is the default directory, it's on the boot drive, but I recommend against placing custom files there. Better to have all your app-specific files under your appdata folder and use absolute paths to resources in your compose file. If you are asking about some other path, you will have to be more specific.

I'm trying to use secrets with docker compose in unraid. Right now I'm using this compose:

    ###############################################################
    # Nextcloud
    ###############################################################
    version: "3.9"

    # Services ####################################################
    services:
      db:
        image: postgres:alpine
        container_name: Nextcloud_Postgres
        restart: unless-stopped
        healthcheck:
          test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
          interval: 10s
          timeout: 5s
          retries: 10
        networks:
          - nextcloud_network
        environment:
          - TZ
          - POSTGRES_PASSWORD
          - POSTGRES_USER
          - POSTGRES_DB
          #- POSTGRES_INITDB_ARGS
          #- POSTGRES_INITDB_WALDIR
          #- POSTGRES_HOST_AUTH_METHOD
        secrets:
          - POSTGRES_PASSWORD
          - POSTGRES_USER
          - POSTGRES_DB
        volumes:
          - /mnt/user/Docker/Nextcloud/postgres/data:/var/lib/postgresql/data:z
        labels:
          - "com.centurylinklabs.watchtower.enable=true"

      pgbackups:
        image: prodrigestivill/postgres-backup-local
        container_name: NextCloud_pgbackups
        restart: unless-stopped
        user: postgres:postgres # Optional: see below
        networks:
          - nextcloud_network
        volumes:
          - /mnt/user/Docker/Nextcloud/pgbackups:/backups
        links:
          - db
        depends_on:
          db:
            condition: service_healthy
        environment:
          - TZ
          - POSTGRES_HOST
          - POSTGRES_DB
          - POSTGRES_USER
          - POSTGRES_PASSWORD
          #- POSTGRES_PASSWORD_FILE=/run/secrets/db_password <-- alternative for POSTGRES_PASSWORD (to use with docker secrets)
          - POSTGRES_EXTRA_OPTS=-Z6
          - SCHEDULE=0 1 */3 * * #At 01:00 AM, every 3 days
          - BACKUP_KEEP_DAYS=6
          #- BACKUP_KEEP_WEEKS=4
          #- BACKUP_KEEP_MONTHS=6
          - HEALTHCHECK_PORT=5432
        secrets:
          - POSTGRES_DB
          - POSTGRES_USER
          - POSTGRES_PASSWORD
        labels:
          - "com.centurylinklabs.watchtower.enable=true"

      redis:
        image: redis:alpine
        container_name: NextCloud_Redis
        restart: unless-stopped
        command: redis-server --requirepass $REDIS_HOST_PASSWORD
        volumes:
          - /mnt/user/Docker/Nextcloud/redis:/data
        environment:
          - TZ
        networks:
          - nextcloud_network
        secrets:
          - REDIS_HOST_PASSWORD
        labels:
          - "com.centurylinklabs.watchtower.enable=true"

      app:
        image: nextcloud:fpm-alpine
        container_name: Nextcloud
        restart: unless-stopped
        depends_on:
          db:
            condition: service_healthy
        networks:
          nextcloud_network:
          br1:
            ipv4_address: 10.10.40.161
        dns:
          - 10.10.50.5
        volumes:
          - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html:z
          - /mnt/user/Docker/Nextcloud/nextcloud/custom_apps:/var/www/html/custom_apps:z
          - /mnt/user/Docker/Nextcloud/nextcloud/config:/var/www/html/config:z
          - /mnt/user/Docker/Nextcloud/nextcloud/data:/var/www/html/data:z
          - /mnt/user/Personal/Nextcloud:/var/www/html/data
          - /mnt/user/Personal/Photos:/Albums
        environment:
          - TZ
          - POSTGRES_DB
          - POSTGRES_USER
          - POSTGRES_PASSWORD
          - POSTGRES_HOST
          - REDIS_HOST
          - REDIS_HOST_PASSWORD
        secrets:
          - POSTGRES_PASSWORD
          - POSTGRES_DB
          - POSTGRES_USER
          - REDIS_HOST_PASSWORD
        labels:
          - "com.centurylinklabs.watchtower.enable=true"

      web:
        build: ./web
        container_name: NextCloud_Nginx-fpm
        restart: unless-stopped
        networks:
          nextcloud_network:
          br1:
            ipv4_address: 10.10.40.160
        ports:
          - 8080:80
        dns:
          - 10.10.50.5
        volumes:
          - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html:z,ro
        environment:
          - TZ
        depends_on:
          - app

      cron:
        image: nextcloud:fpm-alpine
        container_name: NextCloud_Cron
        restart: unless-stopped
        depends_on:
          - db
          - redis
        networks:
          - nextcloud_network
        volumes:
          - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html:z
          - /mnt/user/Docker/Nextcloud/nextcloud/custom_apps:/var/www/html/custom_apps:z
          - /mnt/user/Docker/Nextcloud/nextcloud/config:/var/www/html/config:z
          - /mnt/user/Docker/Nextcloud/nextcloud/data:/var/www/html/data:z
          - /mnt/user/Personal/Nextcloud:/var/www/html/data:z
        environment:
          - TZ
        entrypoint: /cron.sh
        labels:
          - "com.centurylinklabs.watchtower.enable=true"

    # Networks ####################################################
    networks:
      br1:
        driver: macvlan
        external: true
      nextcloud_network:
        internal: true

    # Docker Secrets ##############################################
    secrets:
      # POSTGRES_PASSWORD
      POSTGRES_PASSWORD:
        file: $DOCKERDIR/secrets/POSTGRES_PASSWORD.txt
      # POSTGRES_USER
      POSTGRES_USER:
        file: $DOCKERDIR/secrets/POSTGRES_USER.txt
      # POSTGRES_DB
      POSTGRES_DB:
        file: $DOCKERDIR/secrets/POSTGRES_DB.txt
      # REDIS_HOST_PASSWORD
      REDIS_HOST_PASSWORD:
        file: $DOCKERDIR/secrets/REDIS_HOST_PASSWORD.txt

with this env file:

    ###############################################################
    # Nextcloud
    ###############################################################
    DOCKERDIR=/boot/config/plugins/compose.manager/projects/Nextcloud
    TZ=Europe/Madrid
    PUID=99
    PGID=100

    # Redis
    #REDIS_HOST_PASSWORD=/run/secrets/REDIS_HOST_PASSWORD.txt
    REDIS_HOST_PASSWORD=password
    REDIS_HOST=redis

    # Postgres
    POSTGRES_PASSWORD=/run/secrets/POSTGRES_PASSWORD.txt
    POSTGRES_USER=/run/secrets/POSTGRES_USER.txt
    POSTGRES_DB=/run/secrets/POSTGRES_DB.txt
    POSTGRES_HOST=db

but as you can see below, the secrets are not being loaded correctly. If I put the passwords in the env file it works; I was trying to learn how to use secrets.

I have the feeling that docker is not loading the secrets correctly from the path /boot/config/plugins/compose.manager/projects/Nextcloud/secrets. Maybe it doesn't have access, or it's not the right path...

I think I'm doing everything right, but I have spent a few hours reading and trying to fix it without success.

https://docs.docker.com/compose/use-secrets/

Edited May 19, 2023 by L0rdRaiden
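Added example, not code from this thread, from linuxserver.io, from the postgres image or from Docker Compose: a small Python model of how file-backed secrets reach an application. It covers the two conventions mentioned in the thread, the linuxserver.io FILE__VAR prefix and the postgres-style VAR_FILE suffix: in both, the variable's value is a path inside the container, and the image reads that file and uses its contents as VAR. A Compose secret declared under the top-level secrets: block is mounted at /run/secrets/<secret name> by default (the name of the key, not the host file name). The example also includes two checks a practitioner would run against a stack's declared environment: which variables still hold a sensitive value inline (those are what docker inspect shows) and which file references point at a path that does not exist in the container. Function names, the sample environment and the temporary directory standing in for /run/secrets are all constructed for this example.

```python
"""Model of FILE__VAR / VAR_FILE secret indirection (added example, not
linuxserver.io's, the postgres image's or Compose's own code)."""
import tempfile
from pathlib import Path

FILE_PREFIX = "FILE__"     # linuxserver.io convention: FILE__VAR=/path
FILE_SUFFIX = "_FILE"      # postgres-style convention: VAR_FILE=/path
SECRETS_ROOT = "/run/secrets"  # default mount point for Compose secrets
SENSITIVE_MARKERS = ("PASSWORD", "TOKEN", "SECRET", "KEY")


def compose_secret_path(secret_name: str, root: str = SECRETS_ROOT) -> str:
    """Path at which Compose mounts a secret with this top-level name."""
    return f"{root}/{secret_name}"


def _target_var(key: str):
    """Return the variable a FILE__X or X_FILE key resolves to, else None."""
    if key.startswith(FILE_PREFIX):
        return key[len(FILE_PREFIX):]
    if key.endswith(FILE_SUFFIX):
        return key[:-len(FILE_SUFFIX)]
    return None


def missing_secret_files(env: dict) -> list:
    """Keys whose referenced secret file does not exist (e.g. a stray .txt)."""
    return sorted(k for k, v in env.items()
                  if _target_var(k) is not None and not Path(v).is_file())


def inline_secret_leaks(env: dict) -> list:
    """Sensitive-looking variables carrying their value inline rather than
    via a file; these appear verbatim in `docker inspect` output."""
    return sorted(k for k in env
                  if _target_var(k) is None
                  and any(m in k.upper() for m in SENSITIVE_MARKERS))


def resolve_file_secrets(env: dict) -> dict:
    """Copy of env with each FILE__X / X_FILE replaced by X=<file contents>."""
    resolved = dict(env)
    for key, value in env.items():
        target = _target_var(key)
        if target is None:
            continue
        path = Path(value)
        if not path.is_file():
            raise FileNotFoundError(f"{key}={value}: no such file in container")
        # Files written with `echo` end in a newline; strip it so the
        # newline does not become part of the password.
        resolved[target] = path.read_text(encoding="utf-8").rstrip("\r\n")
        del resolved[key]
    return resolved


def demo() -> dict:
    """Constructed sample: a temp dir stands in for /run/secrets."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "POSTGRES_PASSWORD").write_text("s3cr3t-pg\n", encoding="utf-8")
        env = {
            "TZ": "Europe/Madrid",
            "FILE__POSTGRES_PASSWORD": compose_secret_path("POSTGRES_PASSWORD", root),
            "REDIS_HOST_PASSWORD": "password",   # inline: visible via docker inspect
            "POSTGRES_DB_FILE": compose_secret_path("POSTGRES_DB.txt", root),  # wrong name
        }
        print("inline sensitive vars:", inline_secret_leaks(env))
        print("dangling file references:", missing_secret_files(env))
        del env["POSTGRES_DB_FILE"]   # drop the broken reference, then resolve
        return resolve_file_secrets(env)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two audit lists and the resolved environment; the resolved dictionary carries POSTGRES_PASSWORD as the file's contents and no longer contains the FILE__ key, while a reference whose file is absent is reported instead of silently passing the path string through as the password.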
primeval_god Posted May 19, 2023

I have never used secrets before with docker compose, so I doubt I can be of much help. Just in general, though, I recommend against putting any additional files in the "/boot/config/plugins/compose.manager/projects/*" directories. I recommend putting any additional files for your compose stack somewhere under appdata (though it looks like you call your appdata folder "Docker"). If you must have something placed relative to the compose file, or really want to keep everything together, there is an advanced option when creating a stack that lets you specify the folder location in which to place the compose stack files. Again, the recommendation would be under appdata. I don't know if this would have an effect on your secrets issue, though maybe it is a permissions issue, as the flash drive is fat32 formatted.