Issues with password in Docker .env

Open modem7 opened this issue 1 year ago • 3 comments

Heya,

Got a weird one, might be user error.

Trying to utilise the bcrypted password in a docker env file:

  timetagger:
    image: ghcr.io/almarklein/timetagger
    container_name: Timetagger
    networks:
      pihole:
        ipv4_address: '172.22.0.137'
    ports:
      - "43841:80"
    volumes:
      - $USERDIR/Timetagger:/root/_timetagger
    environment:
      - TIMETAGGER_BIND=0.0.0.0:80
      - TIMETAGGER_DATADIR=/root/_timetagger
      - TIMETAGGER_LOG_LEVEL=info
      - TIMETAGGER_CREDENTIALS=myuser:$$2a$$08$$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm

If I enter the credentials as above, it works as expected.

If I try entering it as an env var it does not:

  timetagger:
    image: ghcr.io/almarklein/timetagger
    container_name: Timetagger
    networks:
      pihole:
        ipv4_address: '172.22.0.137'
    ports:
      - "43841:80"
    volumes:
      - $USERDIR/Timetagger:/root/_timetagger
    environment:
      - TIMETAGGER_BIND=0.0.0.0:80
      - TIMETAGGER_DATADIR=/root/_timetagger
      - TIMETAGGER_LOG_LEVEL=info
      - TIMETAGGER_CREDENTIALS=$TIMETAGUSER:$TIMETAGPASS

.env:

#Timetagger
TIMETAGUSER="myuser"
TIMETAGPASS="$$2a$$08$$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm"

docker compose show config outputs the following:

  timetagger:
    container_name: Timetagger
    environment:
      TIMETAGGER_BIND: 0.0.0.0:80
      TIMETAGGER_CREDENTIALS: myuser:$$a$$$$$$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm
      TIMETAGGER_DATADIR: /root/_timetagger
      TIMETAGGER_LOG_LEVEL: info

And obviously, if I don't escape the "$", I get the expected problem:

TIMETAGGER_CREDENTIALS: myuser:a$$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm

Any thoughts?

I've posted it here too https://github.com/docker/compose/issues/9716 as it seems to be a weird bug with compose, but definitely something to consider as quite a few people use env files when they have a large compose file.

Maybe allow for b64 encodings of the bcrypt hash to remove the "$"/special characters to allow things to function more smoothly in Docker?


Docker Compose version v2.6.0
Client: Docker Engine - Community
 Version:           20.10.17
 API version:       1.41
 Go version:        go1.17.11
 Git commit:        100c701
 Built:             Mon Jun  6 23:02:57 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.17
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.17.11
  Git commit:       a89b842
  Built:            Mon Jun  6 23:01:03 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.6
  GitCommit:        10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc:
  Version:          1.1.2
  GitCommit:        v1.1.2-0-ga916309
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

modem7, Aug 04 '22 17:08

The solution for anyone else who wishes to do this:

In your .env file, single quote the value, but do not escape it.

.env file:

TIMETAGUSER="myuser"
TIMETAGPASS='$2a$08$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm'

docker-compose file:

    environment:
      - TIMETAGGER_CREDENTIALS=$TIMETAGUSER:${TIMETAGPASS}

modem7, Aug 05 '22 16:08

Glad you figured that one out. So if I understand correctly, using the single quotes prevents the dollar signs from being evaluated as variables, right?

almarklein, Aug 06 '22 23:08

> Glad you figured that one out. So if I understand correctly, using the single quotes prevents the dollar signs from being evaluated as variables, right?

That's correct.

  • Double quotes break it.
  • Double quotes with escaped dollar signs break it.
  • Single quotes with escaped characters break it.

modem7, Aug 07 '22 04:08

I think I reopened this so that we can document this workaround.

almarklein, Sep 07 '22 11:09
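A check to go with the workaround above, added here as an example (it is not part of the thread or of TimeTagger's code): it tests whether the string that ends up in TIMETAGGER_CREDENTIALS is still `user:` followed by an intact bcrypt hash. The function name and the single `user:hash` layout are assumptions of this example; the sample strings are copied from the thread.

```python
import os
import re
import sys

# bcrypt layout: $2<variant>$<2-digit cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")

# Sample values copied from the thread: the intended credential, then the two
# mangled strings quoted from the compose output.
GOOD = "myuser:$2a$08$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm"
MANGLED = [
    "myuser:$$a$$$$$$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm",
    "myuser:a$$qFFehmqHMmIwR91g77N9xOc.eA8pkRE64zXwJo/AR/fWTbGrEgHEm",
]


def credential_problems(value):
    """Return the problems found in one 'user:bcrypt-hash' string (empty = OK)."""
    user, sep, digest = value.partition(":")
    if not sep or not user:
        return ["expected 'user:hash'"]
    problems = []
    if "$$" in digest:
        problems.append("contains '$$', which never occurs in a bcrypt hash")
    if digest.count("$") != 3:
        problems.append(f"{digest.count('$')} '$' characters, a bcrypt hash has 3")
    match = BCRYPT_RE.fullmatch(digest)
    if match is None:
        problems.append("hash part is not a well-formed bcrypt string")
    elif not 4 <= int(match.group(1)) <= 31:
        problems.append("bcrypt cost outside 4..31")
    return problems


if __name__ == "__main__":
    # Check the live variable if it is set, otherwise the samples above.
    live = os.environ.get("TIMETAGGER_CREDENTIALS")
    values = [live] if live else [GOOD, *MANGLED]
    failed = False
    for value in values:
        problems = credential_problems(value)
        failed = failed or bool(problems)
        # Report by user name only, so the hash itself stays out of logs.
        name = value.partition(":")[0] if ":" in value else "<no user>"
        print(name, "->", "; ".join(problems) or "ok")
    sys.exit(1 if live and failed else 0)
```

Run it with TIMETAGGER_CREDENTIALS set in the environment to check the value after interpolation; it exits non-zero if that value is malformed.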