Docker security - support secrets
It would be helpful for the docker image and compose example to properly support Docker secrets. Generally this is achieved by adding an env var NNNN_FILE where NNNN is any env var that should contain sensitive info. The NNNN_FILE will then be pointed to a mounted secret containing the sensitive data and the docker container/software will need to read that file rather than the NNNN env var.
See postgres' own docker container and POSTGRES_PASSWORD_FILE as an example of implementation.
I went through the code in deployment/docker/common/semaphore-wrapper to figure out how hard this might be, and it turns out the only thing lacking is the documentation.
I'm not so great at documentation either. ;)
Thanks @alaricljs, I was planning to open a merge request in order to add this feature. I would like to use docker-compose secrets, and reading settings from a file instead of env vars is essential.
You can indeed set some of the variables through a secret. Below is an example compose file:

```yaml
version: '3.7'
services:
  mysql:
    #restart: unless-stopped
    image: mysql:8.0
    secrets:
      - semaphore_dbuser
      - semaphore_dbpassword
    hostname: mysql
    volumes:
      - semaphore-mysql:/var/lib/mysql
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
      MYSQL_DATABASE: semaphore
      # The official mysql image reads these from the mounted secret files
      MYSQL_USER_FILE: /run/secrets/semaphore_dbuser
      MYSQL_PASSWORD_FILE: /run/secrets/semaphore_dbpassword
  semaphore:
    ports:
      - "3000:3000"   # quoted so YAML cannot misread host:container as a number
    image: semaphoreui/semaphore:latest
    secrets:
      - semaphore_dbuser
      - semaphore_dbpassword
      - semaphore_admin_user
      - semaphore_adminpassword
      - semaphore_accesskey
    environment:
      # Each *_FILE variable points at a secret mounted under /run/secrets
      SEMAPHORE_DB_USER_FILE: /run/secrets/semaphore_dbuser
      SEMAPHORE_DB_PASS_FILE: /run/secrets/semaphore_dbpassword
      SEMAPHORE_DB_HOST: mysql        # for postgres, change to: postgres
      SEMAPHORE_DB_PORT: 3306         # change to 5432 for postgres
      SEMAPHORE_DB_DIALECT: mysql     # for postgres, change to: postgres
      SEMAPHORE_DB: semaphore
      SEMAPHORE_PLAYBOOK_PATH: /tmp/semaphore/
      SEMAPHORE_ADMIN_PASSWORD_FILE: /run/secrets/semaphore_adminpassword
      SEMAPHORE_ADMIN_NAME: admin
      SEMAPHORE_ADMIN_EMAIL: admin@localhost
      SEMAPHORE_ADMIN_FILE: /run/secrets/semaphore_admin_user
      SEMAPHORE_ACCESS_KEY_ENCRYPTION_FILE: /run/secrets/semaphore_accesskey
      #SEMAPHORE_LDAP_PASSWORD_FILE:
    depends_on:
      - mysql
volumes:
  semaphore-mysql:
secrets:
  # external: true means the secrets must already exist (e.g. created with
  # `docker secret create`); compose only references them here
  semaphore_adminpassword:
    external: true
  semaphore_dbuser:
    external: true
  semaphore_accesskey:
    external: true
  semaphore_admin_user:
    external: true
  semaphore_database:     # declared but not referenced by any service above
    external: true
  semaphore_dbpassword:
    external: true
```
I think this can be closed with a quick reference to the _FILE vars in the documentation.
Indeed this is implemented BUT missing from the documentation... I had to dig into the code to find out: https://github.com/semaphoreui/semaphore/blob/cde8515fb13cde353c496bec35f00a336947a219/deployment/docker/debug/server-wrapper#L5
The location of server-wrapper is now here: https://github.com/semaphoreui/semaphore/blob/develop/deployment/docker/server/server-wrapper
At the time of writing (2025-04-13 20:26 UTC) only the following seem to support _FILE:
- 'SEMAPHORE_DB_USER'
- 'SEMAPHORE_DB_PASS'
- 'SEMAPHORE_ADMIN'
- 'SEMAPHORE_ADMIN_PASSWORD'
- 'SEMAPHORE_LDAP_PASSWORD'
- 'SEMAPHORE_ACCESS_KEY_ENCRYPTION'
(if this changes later, and you want to check, use the symbols view on the right-hand side of Github, and click the file_env() function to find the references in the file)
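For reference, here is a stand-alone version of the `VAR` / `VAR_FILE` resolution pattern the thread describes (the postgres-image convention, and the one the `file_env()` function in server-wrapper implements). This is an added example, not code from the Semaphore project: the function name `file_env` mirrors the one mentioned above, but the body, the checks and the sample secret file are my own assumptions. It refuses the ambiguous case where both `VAR` and `VAR_FILE` are set, fails loudly on an unreadable or empty secret file instead of exporting an empty value, and drops the `_FILE` variable once resolved.

```shell
#!/bin/sh
# Added example: resolve VAR from $VAR or from the file named by $VAR_FILE.
# Not the project's wrapper; the function name is borrowed, the logic is mine.
set -eu

# file_env VAR [DEFAULT]
#   - exactly one of $VAR / ${VAR}_FILE may be set (both is a config error)
#   - ${VAR}_FILE must be readable and non-empty (no silent empty password)
#   - $(cat ...) strips trailing newlines, which is what you want for
#     secrets created with `echo`, but means a secret cannot end in "\n"
#   - on success $VAR is exported and ${VAR}_FILE is unset
file_env() {
    var="$1"
    def="${2:-}"
    fvar="${var}_FILE"
    # eval only expands a parameter; the secret's content is never re-parsed
    eval "val=\${$var:-}"
    eval "fval=\${$fvar:-}"

    if [ -n "$val" ] && [ -n "$fval" ]; then
        echo "error: both $var and $fvar are set (they are exclusive)" >&2
        return 1
    fi
    if [ -n "$fval" ]; then
        if [ ! -r "$fval" ]; then
            echo "error: $fvar points to an unreadable file: $fval" >&2
            return 1
        fi
        val="$(cat "$fval")"
        if [ -z "$val" ]; then
            echo "error: secret file $fval is empty" >&2
            return 1
        fi
    fi
    [ -n "$val" ] || val="$def"
    export "$var=$val"
    unset "$fvar"
}

# Demo with a constructed secret file standing in for /run/secrets/<name>.
# (mktemp -d creates a 0700 directory, so the sample secret is not world-readable)
demo_dir="$(mktemp -d)"
printf 'hunter2\n' > "$demo_dir/semaphore_dbpassword"
SEMAPHORE_DB_PASS_FILE="$demo_dir/semaphore_dbpassword"
file_env SEMAPHORE_DB_PASS
# Never echo the secret itself; its length is enough to show it was read.
echo "SEMAPHORE_DB_PASS resolved from file (${#SEMAPHORE_DB_PASS} chars)"
rm -rf "$demo_dir"
unset SEMAPHORE_DB_PASS
```

Call it once per sensitive variable before exec'ing the server (`file_env SEMAPHORE_DB_PASS`, `file_env SEMAPHORE_ADMIN_PASSWORD`, ...). Docker mounts secrets under `/run/secrets` with mode 0444 by default; if the wrapper drops privileges before reading them, set `mode:` on the secret so the target user can still read it, which the `-r` check above will otherwise catch.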
Has anyone managed to get the SEMAPHORE_LDAP_PASSWORD_FILE variable working? When I use this environment variable, I get the following error: msg="LDAP Result Code 206 "Empty password not allowed by the client": ldap: empty password not allowed by the client".
It seems that Semaphore does not recognize the SEMAPHORE_LDAP_PASSWORD_FILE variable.
Also, on the configuration page for the Docker Compose file: https://semaphoreui.com/install/docker/2_15 the variable has a different name: SEMAPHORE_LDAP_BIND_PASSWORD, which also doesn’t work for me when I add the _FILE suffix.