
[Feature Request] Improve security by using docker secret for password

Open lonix1 opened this issue 4 years ago • 8 comments

Please support "docker secrets" for passwords. Most major apps (and all databases) support this.

So instead of this:

version: "3.7"
services:

  postgresql:
    environment:
      POSTGRES_PASSWORD: foo
    # ...

  odoo:
    environment:
      PASSWORD: foo

We can do this:

version: "3.7"
services:

  postgresql:
    secrets:
      - postgresql_password
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgresql_password     # supported
    # ...

  odoo:
    secrets:
      - postgresql_password
    environment:
      PASSWORD_FILE: /run/secrets/postgresql_password              # unsupported

# top-level key: each secret is mounted at /run/secrets/<name> in the services that list it
secrets:
  postgresql_password:
    file: odoo_postgresql_password

This is more secure. Most secure database deployments do it like this, so odoo is the weak link in the chain (as we need to put the password in plaintext).

Here are the docs.

lonix1 avatar Mar 11 '20 09:03 lonix1

Duplicates #143

gn-jgeerds avatar Apr 28 '20 08:04 gn-jgeerds

So what? That one has hardly any info. This one should be preferred as it clearly explains what needs to be done, and links to the appropriate docs.

lonix1 avatar Apr 28 '20 13:04 lonix1

@lonix1 you can check my fork if you need that. It's already supported:

https://github.com/llacroix/odoo-docker/blob/f70d0e59de5d7076edc2b30ec247a1ca589eaa2c/12.0/sudo-entrypoint.py#L63-79

llacroix avatar May 02 '20 00:05 llacroix

That said, defining the environment variable PGPASSFILE should be enough as such:

  odoo:
    secrets:
      - postgresql_password
    environment:
      PGPASSFILE: /run/secrets/postgresql_password              # unsupported

# top-level key, not nested under services
secrets:
  postgresql_password:
    file: odoo_postgresql_password

Though... The official image forces you to pass a password to check for the connection to postgres. But in reality it's not necessary: if ENV variables are defined, pg connect can be called with an empty string, as done in odoo itself.

llacroix avatar May 02 '20 03:05 llacroix
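The `VAR` / `VAR_FILE` indirection asked for in the opening post, and the entrypoint-level handling that the PGPASSFILE suggestion above needs, as an added example. This is not the odoo image's own entrypoint code and not code from llacroix's fork; it reimplements, in POSIX sh, the resolution pattern the official postgres image uses for `POSTGRES_PASSWORD_FILE`. The variable name `PASSWORD` and the secret values are illustrative.

```shell
#!/bin/sh
# Added example, not the odoo image's own entrypoint code: the VAR / VAR_FILE
# resolution pattern (the one the official postgres image uses for
# POSTGRES_PASSWORD_FILE), written in POSIX sh so an entrypoint can accept
# either PASSWORD=... or PASSWORD_FILE=/run/secrets/... for the same setting.
set -eu

# file_env VAR [DEFAULT]
# Exports VAR from $VAR, or from the contents of the file named by $VAR_FILE.
# Refuses to continue when both are set, so a stray plaintext value cannot
# silently shadow the mounted secret. Trailing newlines in the file are
# dropped by the command substitution, which is what a password file needs.
file_env() {
    fe_var="$1"
    fe_file_var="${fe_var}_FILE"
    fe_default="${2:-}"
    eval "fe_val=\${$fe_var:-}"
    eval "fe_file=\${$fe_file_var:-}"

    if [ -n "$fe_val" ] && [ -n "$fe_file" ]; then
        echo "error: both $fe_var and $fe_file_var are set (but are exclusive)" >&2
        return 1
    fi

    if [ -n "$fe_file" ]; then
        if [ ! -r "$fe_file" ]; then
            echo "error: $fe_file_var points to an unreadable file: $fe_file" >&2
            return 1
        fi
        fe_val="$(cat "$fe_file")"
    elif [ -z "$fe_val" ]; then
        fe_val="$fe_default"
    fi

    export "$fe_var=$fe_val"
    # the process only needs the resolved value; drop the indirection variable
    unset "$fe_file_var"
}

# Demonstrations on constructed values (no real /run/secrets mount is used).
demo_from_file() {
    fe_tmp="$(mktemp)"
    printf 's3cr3t-from-file\n' > "$fe_tmp"
    (
        unset PASSWORD
        PASSWORD_FILE="$fe_tmp"
        file_env PASSWORD
        printf '%s' "$PASSWORD"
    )
    rm -f "$fe_tmp"
}

demo_plain_value() {
    (
        unset PASSWORD_FILE
        PASSWORD='plain-value'
        file_env PASSWORD
        printf '%s' "$PASSWORD"
    )
}

demo_default() {
    (
        unset PASSWORD PASSWORD_FILE
        file_env PASSWORD 'fallback'
        printf '%s' "$PASSWORD"
    )
}

# Returns 0 when file_env correctly rejects the ambiguous configuration.
demo_conflict_rejected() {
    if (
        PASSWORD='a'
        PASSWORD_FILE=/dev/null
        file_env PASSWORD 2>/dev/null
    ); then
        return 1
    fi
    return 0
}
```

In an entrypoint the call is simply `file_env PASSWORD` before the `exec` of the server process; whichever form the compose file used, the program behind it sees only `PASSWORD`. One caveat on the PGPASSFILE route: libpq reads that file in `.pgpass` format (`hostname:port:database:username:password`, one entry per line), not as a bare password, so a secret file written for a `_FILE`-style variable is not interchangeable with one pointed at by `PGPASSFILE`.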

@llacroix Where would you use the ENV variable - it isn't supported?

lonix1 avatar May 02 '20 04:05 lonix1

@lonix1 psycopg2 does default to ENV variables if you don't provide any credentials. Here, look in my entrypoint: https://github.com/llacroix/odoo-docker/blob/master/assets/entrypoint.py#L378

And in odoo: https://github.com/odoo/odoo/blob/cc47c76ee70ea684ab8352c47d1d06e7d8282b1b/odoo/sql_db.py#L599

If you insist on using the default odoo image, simply override the entrypoint as the entrypoint in the official images forces you to define a password to check if postgres is UP. But if you override the entrypoint odoo will be able to use ENV variables just fine.

llacroix avatar May 02 '20 20:05 llacroix

@llacroix Thanks, now I understand. It's a nice workaround.

We still need native support by the odoo docker image though.

lonix1 avatar May 03 '20 04:05 lonix1

Yes, not arguing with that, it's ridiculous to require the password to be set in cleartext in env variables. Those can easily get leaked in logs and stuff like that... And a simple "docker inspect" would display creds in cleartext too.

llacroix avatar May 03 '20 17:05 llacroix
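The "docker inspect shows creds in cleartext" point above is easy to turn into a routine check. The following is an added example, not code from the thread or from the odoo project: a small audit that flags credential-looking environment entries carrying a value inline while passing over `*_FILE` indirections, whose value is only a path. The environment list it runs over is constructed here; on a real host the same lines come from `docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' <container>`.

```shell
#!/bin/sh
# Added example, not from the thread or the odoo project: audit a container's
# environment for credentials passed inline. Real input would come from
#   docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}' <container>
# here a constructed KEY=VALUE list stands in for that output.
set -eu

# Reads KEY=VALUE lines on stdin; prints the KEY of each entry that looks like
# a credential and is not a *_FILE indirection (whose value is only a path).
flag_cleartext_env() {
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac   # skip malformed lines
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in *_FILE) continue ;; esac      # file-backed: path, not secret
        [ -n "$value" ] || continue
        upper="$(printf '%s' "$key" | tr 'a-z' 'A-Z')"
        case "$upper" in
            *PASSWORD*|*PASSWD*|*SECRET*|*TOKEN*|*API_KEY*) printf '%s\n' "$key" ;;
        esac
    done
}

# Constructed sample of what Config.Env holds for the two compose variants
# discussed in the thread; only the inline values should be reported.
SAMPLE_ENV='PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
POSTGRES_PASSWORD=foo
POSTGRES_PASSWORD_FILE=/run/secrets/postgresql_password
PASSWORD=foo
PGPASSFILE=/run/secrets/odoo_postgresql_password
HOST=db
USER=odoo'

# Runs the audit over the sample and joins the findings with commas.
demo_audit() {
    printf '%s\n' "$SAMPLE_ENV" | flag_cleartext_env | paste -sd, -
}
```

Run against the sample, `demo_audit` reports `POSTGRES_PASSWORD,PASSWORD`: the two variables holding a secret inline. The `_FILE` variants and `PGPASSFILE` are left alone because their values are mount paths, which is exactly the property the feature request is asking the image to support.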