
Allow for passing sensitive settings through files

Open gkapkowski opened this issue 7 years ago • 3 comments

As with some images provided on Docker Hub, allow for setting *_FILE environment variables for passing sensitive data like passwords.

Example from PostgreSQL https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh#L8

gkapkowski avatar Jun 13 '17 09:06 gkapkowski

This is already possible in a way.

You can specify any neo4j configuration option via environment variables (https://neo4j.com/docs/operations-manual/current/installation/docker/#docker-environment-variables) and docker run supports --env-file argument to set environment variables from a file. (https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e-env-env-file)

The security implications seem slightly better here than in the approach taken by postgres:

  • Host environment: You have a file with the password in it (both approaches)
  • Docker environment: You have an environment variable with the password in it (both approaches)
  • Docker environment: You have a file with the password in it (only postgres approach)

but I might be missing something else. I'm not sure what

[...] Docker's secrets feature)

is referring to and how that operates.

spacecowboy avatar Jun 13 '17 13:06 spacecowboy

Yeah, I was thinking about --env-file but my current setup doesn't allow me to do it easily.

I'm using Rancher and their Secrets (https://docs.rancher.com/rancher/v1.6/en/cattle/secrets/) implementation allows only mounted /run/secrets/mysecret (inside container) files at the moment.

Kubernetes (https://kubernetes.io/docs/concepts/configuration/secret/) has both options for file + environment variable so it will be working even now.

The ideal solution for me would be for images to allow passing sensitive data through files mounted by docker secrets. This would lead to a situation where the only place sensitive data is visible is inside the docker container, through a file (where file permissions could be used to further secure it).

Feel free to close this issue. I'll write a wrapper that will suit my needs for now. Hopefully some standard way of dealing with secrets will emerge soon.

gkapkowski avatar Jun 14 '17 09:06 gkapkowski
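The *_FILE convention discussed above, written out as an entrypoint wrapper. This is an added example for this thread, not the docker-neo4j project's entrypoint and not the wrapper the commenter wrote: for a variable NAME, if NAME_FILE is set, the value is read from that file (the /run/secrets/<name> mount an orchestrator provides) and exported as NAME, so the image's existing env-based configuration keeps working. NEO4J_AUTH is the real image variable; the secret file path and its contents in the demo are constructed, and the `file_env` helper name is this example's own.

```shell
#!/bin/sh
# Added example (not docker-neo4j's own code): entrypoint wrapper implementing
# the *_FILE convention from this issue. NEO4J_AUTH is the real image variable;
# the secret path and contents used in the demo below are constructed.
set -eu

# file_env VAR [DEFAULT]
# Resolve VAR from VAR_FILE, from an already-set VAR, or from DEFAULT, in that
# order. Setting both VAR and VAR_FILE is refused rather than silently picking
# one, so a stale plaintext value in the environment cannot shadow the secret
# that was actually mounted.
file_env() {
    var="$1"
    file_var="${var}_FILE"
    def="${2:-}"
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"

    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set (set exactly one)" >&2
        return 1
    fi

    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var=$file is not readable" >&2
            return 1
        fi
        # Column 8 of `ls -l` is the world-read bit. File permissions are the
        # whole point of the mounted-file approach, so an open secret is worth
        # a warning even though we still proceed.
        case "$(ls -ld "$file" | cut -c8)" in
            r) echo "warning: $file is world-readable" >&2 ;;
        esac
        # Command substitution drops trailing newlines, which most editors and
        # `echo`-based secret creation add.
        val="$(cat "$file")"
    fi

    [ -n "$val" ] || val="$def"
    export "$var=$val"
}

# Demo with a constructed secret file standing in for /run/secrets/neo4j_auth.
demo_dir="$(mktemp -d)"
printf 'neo4j/example-password\n' > "$demo_dir/neo4j_auth"
chmod 0600 "$demo_dir/neo4j_auth"
NEO4J_AUTH_FILE="$demo_dir/neo4j_auth"
export NEO4J_AUTH_FILE
file_env NEO4J_AUTH
# Print only the user half so the demo never echoes the secret itself.
echo "NEO4J_AUTH resolved for user: ${NEO4J_AUTH%%/*}"
rm -rf "$demo_dir"

# In a real wrapper the script would end by handing off to the image's own
# entrypoint with exec, e.g.:  exec "$@"
# exec (rather than a child process) matters: the exported value lives in the
# process environment, so the fewer processes carry it, the better.
```

Once the value is exported it is visible to anything in the container that can read that process's environment, which is exactly the trade-off spacecowboy lists above; the wrapper only moves the secret out of the host-side compose file and `docker inspect` output, it does not keep it out of the container's environment.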

Can we have this?

Joshuaalbert avatar Mar 15 '23 17:03 Joshuaalbert