yopass
Question: Best Practices for updating and upgrading yopass with docker
I use docker-compose in my installation. Now when I do an update:
docker-compose pull
docker-compose down
docker-compose up -d
I would delete all secrets that have not yet been retrieved.
Are there any best practices here already or am I missing something?
Credits: Thanks for the project and all the great work! I have been looking for this tool for a long time.
@crowzer0 , have you found a solution yet?
All the data is stored in memcached, so you can't stop it, otherwise you'll lose everything. On the other hand, compose allows restarting only the containers that require it, such as when stopped or when the image was updated. So it is possible to upgrade yopass by following this process:
# change the version in the .env if you don't use latest
vi .env
# pull the image
docker pull jhaals/yopass:<version or latest>
# yopass is still running, update its container, memcached won't be changed
docker-compose up -d
With this, the data will be kept and Yopass updated.
Still, this leaves memcached, which won't be updated.
Memcached allows retrieving the statistics directly with telnet, which is still cumbersome.
There's a little trick possible with netcat: you can pipe any data to netcat, and it will be sent to the target IP and port.
So instead of using telnet, it is possible to do this with netcat: echo stats | nc 127.0.0.1 11211
(Note: netcat syntax changes slightly depending on the distro. Here, the port must be separated with a space.)
It will return a lot of lines, and specifically this one: STAT curr_items 4
That's the number of stored secrets. If Yopass didn't have any, the number would be 0.
This will work with a local memcached instance, but not with every setup, such as when an internal docker network is activated. Instead, just add another service to the yopass docker-compose.yml file with a profile, which will prevent it from starting automatically:
  # To have this working :
  # docker-compose version =>1.28
  # version: '3.0' <= minimum or more
  # retrieve memcached statistics in the docker instance - call with: compose run --rm <service>
  yopass-stats:
    image: "memcached:alpine"
    networks:
      - yopass
    # using profiles will prevent the service to auto-start with "compose up" if not specified as argument
    profiles: ["stats"]
    entrypoint: /bin/sh
    command: -c "echo 'stats' | /usr/bin/nc memcached:11211 | grep -i 'curr_items'"
    depends_on:
      - memcached
Remove the network block if you don't use one.
Start with : docker-compose run --rm yopass-stats
This will be returned :
docker-compose run --rm yopass-stats
[+] Running 1/0
⠿ Container yopass-memcached-1 Running 0.0s
STAT curr_items 4
If curr_items is equal to 0, you can happily run a docker-compose pull/down/up -d. Otherwise, as I described: pull the yopass image manually, then run only up -d,
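
The curr_items check described in the comment above can be turned into a gate that picks the upgrade path; this is an added example, not part of the original comment or of the yopass project. The function names and the sample stats reply are constructed for illustration, and an unreadable counter is treated as "secrets may be pending" so memcached is never taken down on a failed check.

```sh
#!/bin/sh
# Added example: choose the upgrade path from memcached's curr_items counter.
# Function names are hypothetical; only "STAT curr_items N" comes from the page.

# Read memcached "stats" output on stdin and print the curr_items value.
# memcached ends lines with \r\n, so the carriage return is stripped first;
# otherwise the numeric comparison below would fail on "4\r".
# Prints nothing when the line is missing or the value is not a number.
parse_curr_items() {
    tr -d '\r' | awk '$1 == "STAT" && $2 == "curr_items" && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Map stats output (stdin) to an upgrade plan:
#   full        - nothing stored: pull / down / up -d is safe
#   yopass-only - secrets pending: pull the yopass image, then only "up -d"
#   unknown     - counter unreadable: handle like yopass-only (fail closed)
upgrade_plan() {
    items=$(parse_curr_items)
    if [ -z "$items" ]; then
        echo unknown
    elif [ "$items" -eq 0 ]; then
        echo full
    else
        echo yopass-only
    fi
}

# Constructed sample of a stats reply, not captured from a real instance.
# $1 is the curr_items value to embed.
sample_stats() {
    printf 'STAT pid 1\r\nSTAT curr_connections 2\r\n'
    printf 'STAT curr_items %s\r\nSTAT total_items 9\r\nEND\r\n' "$1"
}

# Against a running stack, using the service from the compose snippet above:
#   docker-compose run --rm yopass-stats | upgrade_plan
```
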