flame
flame copied to clipboard
pawelmalak
[BUG] Environment variable `PASSWORD_FILE` isn't considered
Deployment details:
- App version [e.g. v1.7.4]: 2.2.0
- Platform [e.g. amd64, arm64, arm/v7]: amd64
- Docker image tag [e.g. latest, multiarch]: 2.2.0
Bug description:
Environment variable PASSWORD_FILE isn't considered. Instead it looks like /run/secrets is scanned and contents are mapped to env variables.
Steps to reproduce:
- Set
PASSWORD_FILEenv variable e.g. to/run/secrets/flame-password(contains "averysecretpassword") - Bring the container up
- Observe the logs and see that
FLAME-PASSWORDinstead ofPASSWORDgets set - Try to login with "averysecretpassword"
- Login fails
Expected behaviour would be that PASSWORD gets to set of contents of the file referenced in PASSWORD_FILE. No matter where PASSWORD_FILE points to.
for me docker secrets doesn't seem to work... My log shows:
[2022-01-06 13:00:18.615 UTC+0] [INFO] FLAME_PWD was overwritten with docker secret value
[2022-01-06 13:00:18.649 UTC+0] [INFO] Server is running on port 5005 in production mode
[2022-01-06 13:00:28.201 UTC+0] [ERROR] Invalid credentials
[2022-01-06 13:00:18.644 UTC+0] [INFO] Connected to database
[2022-01-06 13:00:18.649 UTC+0] [INFO] Socket: listen
[2022-01-06 13:00:28.201 UTC+0] [ERROR] Invalid credentials
In addition:
If you set PASSWORD: <yourpass> and PASSWORD_FILE: /run/secrets/FLAME_PWD (containing <yourpass>) you can log in.
version: '2.1'
services:
flame:
image: pawelmalak/flame
container_name: flame
volumes:
- ./data:/app/data
#- /var/run/docker.sock:/var/run/docker.sock # optional but required for Docker integration feature
# ports:
# - 5005:5005
restart: unless-stopped
environment:
PASSWORD: my-secret-pass
PASSWORD_FILE: /run/secrets/FLAME_PWD
secrets:
- FLAME_PWD
networks:
- reverseproxy-nw
networks:
reverseproxy-nw:
external: true
secrets:
# Secrets are single-line text files where the sole content is the secret
# Paths in this example assume that secrets are kept in local folder called ">
FLAME_PWD:
file: .secrets/flame_pwd
that's my current docker-compose file. The contents of the FLAME_PWD match the value off PASSWORD.
If I run the compose file like this:
version: '2.1'
services:
flame:
image: pawelmalak/flame
container_name: flame
volumes:
- ./data:/app/data
#- /var/run/docker.sock:/var/run/docker.sock # optional but required for Docker integration feature
# ports:
# - 5005:5005
restart: unless-stopped
environment:
PASSWORD_FILE: /run/secrets/FLAME_PWD
secrets:
- FLAME_PWD
networks:
- reverseproxy-nw
networks:
reverseproxy-nw:
external: true
secrets:
# Secrets are single-line text files where the sole content is the secret
# Paths in this example assume that secrets are kept in local folder called ">
FLAME_PWD:
file: .secrets/flame_pwd
My Password isn't correct...
Got the same issue. Could it be, that the secret file has to be called password? Would be quite inconvienient in a larger compose stack.
@KillerTic Exactly this is the case. Sorry if I didn't make this clear enough in initial description.
Oh okay. This is a little inconvienient. I have currently 14 secrets of which 8 are passwords. If I would have another docker needing it to be password as well, I would have a problem.
I am used to, that you can just name the file whatever you want. If that is not possible here, could the variable then at least be called "flame_password"?
Oh okay. This is a little inconvienient. I have currently 14 secrets of which 8 are passwords. If I would have another docker needing it to be password as well, I would have a problem.
I am used to, that you can just name the file whatever you want. If that is not possible here, could the variable then at least be called "flame_password"?
I second this, greatly appreciated it if you could make the change
For those who stumble upon the same issue, I've written a quick and dirty patch for this.
Relevant sections of my flame service in docker-compose.yml:
environment:
- PASSWORD_SECRET=flame_password
secrets:
- flame_password
volumes:
- '/root/flame-patches:/mnt/patches'
command: /bin/sh -c 'apk add --no-cache patch && patch -l -N -t -p2 -i /mnt/patches/password_secret.patch /app/utils/init/initDockerSecrets.js; chown -R node /app/data && node server.js'
And my /root/flame-patches/password_secret.patch:
--- utils-orig/init/initDockerSecrets.js
+++ utils/init/initDockerSecrets.js
@@ -9,6 +9,13 @@
for (const property in secrets) {
const upperProperty = property.toUpperCase();
+ if (property == process.env["PASSWORD_SECRET"]) {
+
+ process.env["PASSWORD"] = secrets[property];
+
+ logger.log(`PASSWORD was overwritten with ${property} docker secret value`);
+ }
+
process.env[upperProperty] = secrets[property];
logger.log(`${upperProperty} was overwritten with docker secret value`);
This lets you use any secret name, like flame_password in my example, to be provided through the PASSWORD_SECRET environment variable.
This patching technique will avoid having to maintain your own image, until the patch breaks and needs to be adapted to new code.
I tried but look like it got rejected
(1/1) Installing patch (2.7.6-r7)
Executing busybox-1.34.1-r4.trigger
OK: 8 MiB in 17 packages
patching file /app/utils/init/initDockerSecrets.js
Hunk #1 FAILED at 9 (different line endings).
1 out of 1 hunk FAILED -- saving rejects to file /app/utils/init/initDockerSecrets.js.rej
[2023-03-26 10:09:53.704 UTC+4] [INFO] FLAME_PASSWORD was overwritten with docker secret value
[2023-03-26 10:09:53.779 UTC+4] [INFO] Connected to database
[2023-03-26 10:09:53.792 UTC+4] [INFO] Socket: listen
[2023-03-26 10:09:53.792 UTC+4] [INFO] Server is running on port 5005 in production mode
[2023-03-26 10:11:10.594 UTC+4] [ERROR] Invalid credentials
[2023-03-26 10:11:19.206 UTC+4] [ERROR] Invalid credentials
[2023-03-26 10:16:14.966 UTC+4] [ERROR] Invalid credentials
this is my original initDockerSecrets.js file
const { getSecrets } = require('docker-secret');
const Logger = require('../Logger');
const logger = new Logger();
const initDockerSecrets = () => {
try {
const secrets = getSecrets();
for (const property in secrets) {
const upperProperty = property.toUpperCase();
process.env[upperProperty] = secrets[property];
logger.log(`${upperProperty} was overwritten with docker secret value`);
}
} catch (e) {
logger.log(`Failed to initialize docker secrets. Error: ${e}`, 'ERROR');
}
};
module.exports = initDockerSecrets;
I tried but look like it got rejected
I fixed the patch command above, with -l it will apply the patch even if the newline doesn't match.
The issue appears because flame's code has been written on a Windows system (CRLF) and never converted to UNIX style (LF), so depending on the system used to copy my file above the patch will work or not. The -l option tells patch to ignore whitespace (including newlines).
I tried but look like it got rejected
I fixed the patch command above, with -l it will apply the patch even if the newline doesn't match.
The issue appears because flame's code has been written on a Windows system (CRLF) and never converted to UNIX style (LF), so depending on the system used to copy my file above the patch will work or not. The -l option tells patch to ignore whitespace (including newlines).
Thanks for that, I went down the route of unix2dos password_secret.patch and then add --binary to command which worked. But -l to the command is simpler.
@pawelmalak if you comment this line https://github.com/pawelmalak/flame/blob/3c347c854c4c55456785ff026a703422d8f02f62/.docker/Dockerfile#L28C1-L28C1
and both options will work as expected otherwise the Environment varialble PASSWORD already defined in your image has priority and the secret will never work. Except if you override the code like they have done above, but it's easier to remove just that line.
-l wasnt working for me so I changed it to --binary
command: /bin/sh -c 'apk add --no-cache patch && patch --binary -N -t -p2 -i /mnt/patches/password_secret.patch /app/utils/init/initDockerSecrets.js; chown -R node /app/data && node server.js'