Add support for Docker Compose secrets
Ghost doesn't currently have support for file-based Docker Compose secrets, which makes it harder to give Ghost its own user name/password, store the secret in a file separate from the Compose file etc.
MySQL has support for this in their docker container, and I have used their docker-entrypoint.sh file to add support for file-based secrets to the following config entries:
- database__connection__host
- database__connection__user
- database__connection__password
- database__connection__database
- mail__auth__user
- mail__auth__pass
I'm currently running the container with my own docker-entrypoint.sh which has these changes, but I figure it would be useful to upstream this for others who may run into the same problem.
I have a PR ready, which I will link to the issue shortly.
All of these environment variables are ones that are supported directly by Ghost, not ones we've created/invented ourselves, so I'd be extremely hesitant to codify them (or any additional behavior for them) in our scripts. 🤔
Does Ghost not have a built-in mechanism for reading these values from files instead? I guess from their perspective it's perhaps strange to want to read these variable values from files and not simply use a configuration file instead, but this means of secrets-via-files is not entirely unique to the container ecosystem: https://systemd.io/CREDENTIALS/
Duplicate of https://github.com/docker-library/ghost/issues/125
The script simply looks for specified variables with _file appended, and sets the matching environment variable (i.e. without _file) to the value of the file contents. If a "clash" is detected (i.e. someone has set the variable directly and using a file), it throws an error to avoid inconsistent behaviour. The existing environment variables continue to work exactly as before, without any changes, and if Ghost adds any new variables, those will work just fine with no tweaks to the script: this is purely additive.
MySQL uses this exact script to do the same thing: https://github.com/docker-library/mysql/blob/df3a5c483a5e8c3c4d1eae61678fa5372c403bf0/8.0/docker-entrypoint.sh#L28
Ghost is a Node.js app using a single JSON file (config.production.json) for configuration, with environment variable overrides for individual entries (which is why the variables have these strange __ separated names), so setting variables by file, to set an environment variable, which overrides a JSON file, feels a bit... "around the houses". However, it is substantially cleaner, simpler, and less fragile than messing with the initialisation scripts to merge values into JSON files directly.
If you feel strongly about not incorporating this, feel free to close the PR and I'll just keep on using my version. I simply wanted to help others avoid setting secrets on the command line where it's risky.
https://github.com/docker-library/ghost/pull/430#issuecomment-2718690451
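The mechanism described in the thread (read VAR from the file named by VAR_FILE, refuse when both are set, leave everything else untouched), written out as an added example. This is not the docker-library/ghost entrypoint and not the code from the PR; it is a POSIX-sh helper modelled on the MySQL image's file_env. The _FILE suffix follows the MySQL script's convention, since the exact suffix used by the PR is not shown in the thread, and the secret file, temp directory and values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the docker-library/ghost entrypoint and not the PR's code:
# a POSIX-sh file_env helper modelled on the MySQL image's docker-entrypoint.sh.
# The _FILE suffix follows the MySQL script's convention (assumption: the PR's
# exact suffix is not shown in the thread).
set -eu

# file_env VAR [DEFAULT]
# If VAR_FILE is set, export VAR with the contents of that file; if VAR is
# already set, leave it alone; if neither is set, use DEFAULT. When VAR and
# VAR_FILE are both set the two sources could disagree, so the function
# refuses (returns 1) rather than silently picking one. VAR_FILE is unset
# afterwards so the path is not inherited by the Node process.
file_env() {
    fe_var="$1"
    fe_file_var="${fe_var}_FILE"
    fe_default="${2:-}"
    eval "fe_val=\${$fe_var:-}"
    eval "fe_path=\${$fe_file_var:-}"
    if [ -n "$fe_val" ] && [ -n "$fe_path" ]; then
        echo "error: both $fe_var and $fe_file_var are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$fe_path" ]; then
        # Command substitution drops the trailing newline that most
        # secret files carry, which is what a password entry needs.
        fe_val=$(cat "$fe_path")
    elif [ -z "$fe_val" ]; then
        fe_val="$fe_default"
    fi
    # Unlike the MySQL helper, never export an empty value: an empty
    # environment override could replace the value Ghost would otherwise
    # take from config.production.json.
    if [ -n "$fe_val" ]; then
        export "$fe_var=$fe_val"
    fi
    unset "$fe_file_var"
}

# The six Ghost settings the thread proposes to support. Every other
# environment variable is passed through untouched, so the change stays
# purely additive.
ghost_load_secrets() {
    for fe_name in \
        database__connection__host \
        database__connection__user \
        database__connection__password \
        database__connection__database \
        mail__auth__user \
        mail__auth__pass; do
        file_env "$fe_name" || return 1
    done
}

# Demonstration in a subshell so nothing leaks into the caller's environment.
# The secret file and its contents are constructed here for the example.
demo() (
    tmp=$(mktemp -d)
    printf 's3cr3t-from-file\n' > "$tmp/db_password"
    database__connection__password_FILE="$tmp/db_password"
    export database__connection__password_FILE
    ghost_load_secrets
    echo "database__connection__password=$database__connection__password"
    # Clash: a value set directly and via a file is refused.
    database__connection__user=ghost
    database__connection__user_FILE="$tmp/db_password"
    export database__connection__user database__connection__user_FILE
    if ! file_env database__connection__user; then
        echo "clash refused as expected"
    fi
    rm -rf "$tmp"
)

demo
```

The helper only moves the secret out of the Compose file and the command line; once exported it is still ordinary process environment, readable by the same user through /proc/<pid>/environ and inherited by any child process, which is the trade-off the thread accepts in exchange for not editing config.production.json in the entrypoint.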