Docker EE on Windows logs sensitive environment variables to the event log on a container exec failure

Expected behavior

When an exec to a container fails, it does not log the environment variables passed to the container in the Windows event log.

Actual behavior

Environment variables passed to the Docker container are displayed in clear text in the Windows event log when an exec to that container fails.

“Error running exec [id] in container: container [id] encountered an error during CreateProcess: failure in Windows system call: The system cannot find the file specified.”

“Environment”:{var1: value1, va2: value2 …}

Information

This is an issue, for example, for the Microsoft SQL Server container, where the ‘sa’ password for the SQL instance is passed in using an environment variable on container start.

Windows Server 2016
Docker EE 19.03.12

Steps to reproduce the behavior

  1. Pass a sensitive environment variable through to a docker container
  2. Start the container
  3. Attempt to exec to that container with a command that will fail
  4. Examine the event log and extract the sensitive value
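As an added example (not part of the original report and not Docker's code), the following sketch masks the values in an "Environment" block before event text is forwarded or archived, and reports which variable names were exposed so the matching secrets can be rotated. It assumes the block is a JSON object following the `"Environment":` key; the sample message, container ids and variable names are constructed.

```python
import json
import re

# Assumption: the event text carries the variables as a JSON object
# directly after the "Environment": key, as in the error quoted above.
ENV_KEY = re.compile(r'"Environment"\s*:\s*(?=\{)')
MASK = "<redacted>"


def redact_environment(message):
    """Mask every value inside each "Environment" object of an event message.

    Returns (redacted_message, sorted names of the variables that were exposed).
    """
    decoder = json.JSONDecoder()
    parts, names, pos = [], set(), 0
    for match in ENV_KEY.finditer(message):
        if match.start() < pos:
            continue  # key sits inside an object that was already masked
        parts.append(message[pos:match.end()])
        try:
            # A real JSON parse copes with '}' or ',' inside a password.
            env, end = decoder.raw_decode(message, match.end())
        except json.JSONDecodeError:
            # Truncated or malformed block: fail closed, drop the remainder.
            parts.append(MASK)
            pos = len(message)
            break
        names.update(env)
        parts.append(json.dumps({name: MASK for name in env}))
        pos = end
    parts.append(message[pos:])
    return "".join(parts), sorted(names)


# Constructed sample modelled on the error text in this report.
SAMPLE = (
    "Error running exec abc123 in container: container def456 encountered "
    "an error during CreateProcess: failure in Windows system call: "
    "The system cannot find the file specified. "
    '{"Environment":{"ACCEPT_EULA":"Y","sa_password":"Constructed-Pass}123"}}'
    " (constructed trailer)"
)

if __name__ == "__main__":
    redacted, exposed = redact_environment(SAMPLE)
    print(redacted)
    print("rotate secrets for:", exposed)
```

Masking log copies does not undo the exposure: any value that already reached the event log should be treated as disclosed and rotated.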