[Feature Request] Improve security by using docker secret for password
Please support "docker secrets" for passwords. Most major apps (and all databases) support this.
So instead of this:
```yaml
version: "3.7"
services:
  postgresql:
    environment:
      POSTGRES_PASSWORD: foo
      # ...
  odoo:
    environment:
      PASSWORD: foo
```
We can do this:
```yaml
version: "3.7"
services:
  postgresql:
    secrets:
      - postgresql_password
    environment:
      # a secret named postgresql_password is mounted at /run/secrets/postgresql_password
      POSTGRES_PASSWORD_FILE: /run/secrets/postgresql_password # supported
      # ...
  odoo:
    secrets:
      - postgresql_password
    environment:
      PASSWORD_FILE: /run/secrets/postgresql_password # unsupported
secrets:
  postgresql_password:
    file: odoo_postgresql_password
```
This is more secure. Most secure database deployments do it like this, so odoo is the weak link in the chain (as we need to put the password in plaintext).
Here are the docs.
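One way an entrypoint can honour the `*_FILE` convention requested above, as an added example that is not the official odoo image's entrypoint and not code from this thread; it assumes a helper named `file_env` and that docker mounts the secret under `/run/secrets` as in the compose file:

```shell
#!/bin/sh
# Added example (not the official odoo image's entrypoint): resolve a
# variable from either VAR or VAR_FILE, the *_FILE convention the request
# above asks for, so the value can come from a docker secret file.
set -eu

# file_env VAR [DEFAULT]
# Exports VAR from VAR, else from the file named in VAR_FILE, else DEFAULT.
# Setting both VAR and VAR_FILE is refused so a leftover plaintext value
# cannot silently win over the secret file.
file_env() {
    var="$1"
    file_var="${var}_FILE"
    default="${2:-}"
    # Indirect lookups; $var is a controlled identifier, not user input.
    eval "direct=\${$var:-}"
    eval "path=\${$file_var:-}"
    if [ -n "$direct" ] && [ -n "$path" ]; then
        echo >&2 "error: both $var and $file_var are set (only one is allowed)"
        return 1
    fi
    val="$default"
    if [ -n "$direct" ]; then
        val="$direct"
    elif [ -n "$path" ]; then
        if [ ! -r "$path" ]; then
            echo >&2 "error: $file_var points to unreadable file $path"
            return 1
        fi
        # $(cat ...) drops trailing newlines, which secret files often carry.
        val="$(cat "$path")"
    fi
    export "$var=$val"
    # Drop the path so child processes (odoo itself) only see the resolved value.
    unset "$file_var"
}

# With PASSWORD_FILE=/run/secrets/postgresql_password (as in the compose file
# above) this populates PASSWORD from the mounted secret; the plaintext value
# never has to appear in the compose file or in `docker inspect` output.
file_env PASSWORD
```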
Duplicates #143
So what? That one has hardly any info. This one should be preferred as it clearly explains what needs to be done, and links to the appropriate docs.
@lonix1 you can check my fork if you need that. It's already supported:
https://github.com/llacroix/odoo-docker/blob/f70d0e59de5d7076edc2b30ec247a1ca589eaa2c/12.0/sudo-entrypoint.py#L63-79
That said, defining the environment variable PGPASSFILE should be enough as such:
```yaml
  odoo:
    secrets:
      - postgresql_password
    environment:
      PGPASSFILE: /run/secrets/postgresql_password # unsupported
secrets:
  postgresql_password:
    file: odoo_postgresql_password
```
Though... The official images force you to pass a password to check for the connection to postgres. But in reality it's not necessary: if ENV variables are defined, pg connect can be used with an empty string, as done in odoo itself.
@llacroix Where would you use the ENV variable - it isn't supported?
@lonix1 psycopg2 does default to ENV variables if you don't provide any credentials. Here, look in my entrypoint: https://github.com/llacroix/odoo-docker/blob/master/assets/entrypoint.py#L378
And in odoo: https://github.com/odoo/odoo/blob/cc47c76ee70ea684ab8352c47d1d06e7d8282b1b/odoo/sql_db.py#L599
If you insist on using the default odoo image, simply override the entrypoint, as the entrypoint in the official images forces you to define a password to check if postgres is UP. But if you override the entrypoint, odoo will be able to use ENV variables just fine.
@llacroix Thanks, now I understand. It's a nice workaround.
We still need native support by the odoo docker image though.
Yes, not arguing with that, it's ridiculous to require a password to be set in cleartext in env variables. Those can easily get leaked in logs and stuff like that... And a simple "docker inspect" would display creds in cleartext too.