
The Docker Postgres samples library provides examples of starting a PostgreSQL instance via docker run or using a docker-compose file; both are shown below, respectively.

The docker run call exposes the password in the command, and the docker-compose file exposes the password, which could be viewed on GitHub. I've learnt to never expose credentials in this way and to always retrieve them from the environment. Is there a right way to dockerize PostgreSQL with security in mind? Or is this secure and my understanding is incorrect?

docker run example:

docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d postgres

docker-compose example:

version: '3.1' 
services:
    db:
        image: postgres
        restart: always
        environment:
            POSTGRES_PASSWORD: example

3 Answers

5

Indeed, even if those systems are not exposed publicly it's better to not have any credentials visible in source control.

There is an easy way to circumvent listing those values by simply omitting the right part of the environment definition and only listing the variable name. This way you can set the password in your shell beforehand and docker or docker compose will use it.

environment:
  - POSTGRES_PASSWORD

And then running it via

POSTGRES_PASSWORD=pass docker-compose up -d

Additionally there is a concept of secrets which are a way to store credentials and allow access only to specified containers.

See more at docker secrets
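To show the secrets approach the answer links to, here is an added compose file (not the answer's own and not from the Docker samples library) that feeds the password to the official postgres image through a file-based secret; it assumes a ./db_password.txt kept out of source control and relies on the image's POSTGRES_PASSWORD_FILE support.

```yaml
# Added example, not from the answer above or the Docker samples library.
# Assumes ./db_password.txt holds only the password and is listed in
# .gitignore, so the value never reaches source control.
version: '3.1'
services:
  db:
    image: postgres
    restart: always
    environment:
      # The official postgres image reads the password from this file
      # instead of from POSTGRES_PASSWORD, so no value sits in the YAML
      # or in the container's environment listing.
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password   # only this service gets the secret mounted

secrets:
  db_password:
    file: ./db_password.txt   # Compose mounts it at /run/secrets/db_password
```

Create the file with restrictive permissions (for example under umask 077) before running docker-compose up -d; docker inspect on the container then shows only the file path, not the password itself.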



2

To add to the accepted answer, it's worth noting that as long as you have specified the environment variable in the docker-compose.yml file:

environment: 
  - POSTGRES_PASSWORD

and the current shell environment has the POSTGRES_PASSWORD already set, the following docker-compose command will inherit the POSTGRES_PASSWORD environment variable:

docker-compose up -d 

No need to prefix it to the docker-compose up -d command.


0

A trick would be to leave a literal .env file on the server where you're deploying which only contains the secrets.

Inside that file you can have something to the effect of:

POSTGRES_PASSWORD=password
etc.

Moreover:

By default, the docker-compose command will look for a file named .env in the project directory (parent folder of your Compose file).

But I wouldn't rely on that; I would explicitly add the environment directive in the docker-compose file to make it clear that external environment variables are loaded.
