Dropped use of env_file and moved to docker secrets. #51
Conversation
| @@ -32,13 +31,13 @@ services: | |||
| - MW_RECAPTCHA_SITE_KEY | |||
| - MW_RECAPTCHA_SECRET_KEY | |||
| - MW_ADMIN_USER | |||
| - MW_ADMIN_PASS | |||
| - MW_ADMIN_PASS_FILE=/run/secrets/mw_admin_pass | |||
There was a problem hiding this comment.
There is no MW_ADMIN_PASS_FILE environment and nothing handles reading the password from file on the wiki container so this won't work
There was a problem hiding this comment.
this won't work
this will work fine. Yes we have no the MW_ADMIN_PASS_FILE env variable, but we have the code to read the /run/secrets/mw_admin_pass and use it if one exists
There was a problem hiding this comment.
That's right, I was unaware of the changes that made the image read from /run/secrets/mw_admin_pass , but since this is not related to the ENV variable let's have it removed then
| - MW_DB_NAME | ||
| - MW_DB_INSTALLDB_USER=root | ||
| - MW_DB_INSTALLDB_PASS | ||
| - MW_DB_INSTALLDB_PASS_FILE=/run/secrets/db_root_password |
There was a problem hiding this comment.
Same here, we don't have MW_DB_INSTALLDB_PASS_FILE env
There was a problem hiding this comment.
Same as for #51 (comment) , lets remove the ENV then?
| - MW_DB_PASS=$MW_DB_INSTALLDB_PASS | ||
| - MW_SECRET_KEY | ||
| - MW_DB_PASS_FILE=/run/secrets/db_root_password | ||
| - MW_SECRET_KEY_FILE=/run/secrets/mw_secret_key |
| restart: unless-stopped | ||
| profiles: | ||
| - production | ||
| volumes: | ||
| - ./updateEFO:/updateEFO | ||
| - ./_logs/updateEFO:/var/log/updateEFO | ||
| - ./updateEFO/rotatelogs-compress.sh:/rotatelogs-compress.sh | ||
| secrets: | ||
| - efo_secrets |
There was a problem hiding this comment.
Noting that just mounting the secrets file won't do anything by itself aside from mounting the secret as a file into /run/secrets. Something still need to read this file and ensure the values from the file are propagated to the configuration.
In case of the updateEFO there are envs like MW_BOT_USER , MW_BOT_PASSWORD and MW_UPDATE_EFO_PAUSE in use. This case also nicely highlights the reason why we're getting rid of the env_file usage - with env_file it's challenging to list the variables needed on the Compose file due to various limitations applied by the Compose https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/#use-the-env_file-attribute
| profiles: | ||
| - production | ||
| restart: unless-stopped | ||
| links: | ||
| - db | ||
| environment: | ||
| - MW_DB_USER=root | ||
| - MW_DB_PASS=$MW_DB_INSTALLDB_PASS | ||
| - MW_DB_PASS_FILE=/run/secrets/db_root_password |
There was a problem hiding this comment.
Won't work by the same reason - there is nothing that uses MW_DB_PASS_FILE env to read a value from a file and store into MW_DB_PASS
There was a problem hiding this comment.
Same as #51 (comment) , let's get rid of the ENV then
| secrets: | ||
| - db_root_password | ||
| - mw_admin_pass | ||
| - mw_secret_key |
| @@ -32,13 +31,13 @@ services: | |||
| - MW_RECAPTCHA_SITE_KEY | |||
| - MW_RECAPTCHA_SECRET_KEY | |||
| - MW_ADMIN_USER | |||
| - MW_ADMIN_PASS | |||
| - MW_ADMIN_PASS_FILE=/run/secrets/mw_admin_pass | |||
There was a problem hiding this comment.
this won't work
this will work fine. Yes we have no the MW_ADMIN_PASS_FILE env variable, but we have the code to read the /run/secrets/mw_admin_pass and use it if one exists
| profiles: | ||
| - production | ||
| restart: unless-stopped | ||
| links: | ||
| - db | ||
| environment: | ||
| - MW_DB_USER=root | ||
| - MW_DB_PASS=$MW_DB_INSTALLDB_PASS | ||
| - MW_DB_PASS_FILE=/run/secrets/db_root_password |
| - MW_DB_NAME | ||
| - MW_DB_INSTALLDB_USER=root | ||
| - MW_DB_INSTALLDB_PASS | ||
| - MW_DB_INSTALLDB_PASS_FILE=/run/secrets/db_root_password |
| - MW_DB_PASS=$MW_DB_INSTALLDB_PASS | ||
| - MW_SECRET_KEY | ||
| - MW_DB_PASS_FILE=/run/secrets/db_root_password | ||
| - MW_SECRET_KEY_FILE=/run/secrets/mw_secret_key |
Dropped use of env_file and moved to docker secrets.
MBSD-312