Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

docker run samples should use --env-file for secrets

See original GitHub issue

We should help our consumers to be secure by default. That means we should not pass secrets via regular environment variables but use --env-file

If we do this, we should also guide them on minimal required config and how to create a file.

Good suggestion by @mabsimms

Examples

Example with Azure Monitor secret in a file

docker run -d -p 8999:80 --name promitor-agent-scraper /
                         --env PROMITOR_AUTH_APPID='<azure-ad-app-id>'   \
                         --env-file C:/Promitor/az-mon-auth.creds /
                         --volume C:/Promitor/metric-config.yaml:/config/metrics-declaration.yaml /
                         tomkerkhove/promitor-agent-scraper:1.0.0-preview-3

Example with all Azure Monitor config in a file

docker run -d -p 8999:80 --name promitor-agent-scraper /
                         --env-file C:/Promitor/az-mon-auth.creds /
                         --volume C:/Promitor/metric-config.yaml:/config/metrics-declaration.yaml /
                         tomkerkhove/promitor-agent-scraper:1.0.0-preview-3

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:6 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
mabsimmscommented, Apr 16, 2019

If I can retrieve credentials from CLI or the file, I’m inherently authorized to do so (aka, I’m already on the other side of the airtight hatchway). The information exposure risk is more about certain conditions where the process start arguments are available to non-elevated contexts.

For example:

# Run this elevated from user context "A"
sudo docker run -p 8000:8000 --env SECRET=mysecret --name whoami -t jwilder/whoami

# Now as user "B" do a little process check
ps -ax | grep SECRET
209281 pts/1    S+     0:00 sudo docker run -p 8000:8000 --env SECRET=mysecret --name whoami -t jwilder/whoami
0reactions
reminders[bot]commented, May 5, 2019

👋 @tomkerkhove, verify the status of this issue

Read more comments on GitHub >

github_iconTop Results From Across the Web

What Is the Docker .env File and How Do You Use It?
Docker .env file holds all the sensitive passwords and configuration data so they don't have to be planted in the container itself.
Read more >
How to use secrets in Docker Compose
Getting a secret into a container is a two-step process. First, define the secret using the top-level secrets element in your Compose file....
Read more >
A complete guide to using environment variables and files ...
The goal of this article is show you the benefits of working with environment variables in Docker and to demonstrate how to do...
Read more >
Docker secrets passing as environment variable
Docker Swarm simply lacks good pracitces and proper examples for passing secret to env variable. IMHO best way is to use entrypoint as...
Read more >
Inject secrets into Docker containers without exposing them
This guide will help you inject secrets as environment variables into containers at runtime. This means secrets do not have to be baked...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Provide capability to scrape multiple resources under on metrics, aggregated with labels per resource

Next page

Switch to runtime configuration YAML