Using docker secrets in PHP app

shrikantkunte30 · May 21, 2021, 8:13am

I am trying to deploy my PHP app in the docker container. Using docker secret I want to store the password of the MySQL database. First I created a docker secret mysql_password. My docker-compose file is -

version: '3.9'
services:
    php:
        image: 'php:7.2-fpm'
        build:
            context: ./docker
            dockerfile: php.Dockerfile
        volumes:
            - './app:/var/www/html'
        environment:
            MYSQL_PASSWORD_FILE: /run/secrets/mysql_password
        secrets:
            - mysql_password

    nginx:
        image: nginx:latest
        ports:
            - '80:80'
        links:
            - 'php'
        volumes:
            - './app:/var/www/html'
            - './config/nginx:/etc/nginx/conf.d'
secrets:
    mysql_password:
        external: true

When I try to access the secret ‘mysql_password’ is is not returning anything. And if I try environment element ‘MYSQL_PASSWORD_FILE’, it is giving me the path of secret that is ‘/run/secrets/mysql_password’.
To access environment variable in PHP I have used .$_ENV[“mysql_password”]

terpz · May 22, 2021, 7:33pm

Hi

how did you create the secret?
because that file should CONTAIN your secret.

if your secret is in a key=value format, like mysql_password=randompassword

then you can instead of “enviroment:” use “env_file”

and point it to the secret file, then you should be able to use it at $_ENV or getenv(‘mysql_password’)

shrikantkunte30 · May 24, 2021, 5:30am

I created secret using command echo "my_password" | docker secret create mysql_password.
I tried -

env_file:
        - /run/secrets/MYSQL_PASSWORD

When I run docker-compose or docker stack deploy, it is trying to find the env file at my local

ERROR: Couldn’t find env file: D:\run\secrets\MYSQL_PASSWORD

djedjethai · December 24, 2021, 8:19am

Same problem here. The secrets are working within a Mysql image but does not inside a php container. I didn’t find any solution to this issue, look like it’s a bug from Docker or from the PHP image…

rimelek · December 24, 2021, 1:49pm

How do you try to read the secret file? It works for me as it shoud.

djedjethai · December 25, 2021, 9:43am

getenv(‘MY_ENVVAR’)

it is giving me the path of the secret (same as shrikantkunte30) but not the secret.

i use php:7.2.1-apache

rimelek · December 25, 2021, 10:11am

Secrets are NOT environment variables unless PHP FPM somehow reads it but I don’t think so. So you have to read the files.

meyay · December 25, 2021, 10:24am

Just out of curiousity: why would a variable that points to a path, suddenly contains the file’s content itself? From docker perspective the secret and env variable are unrelated, the entrypoint script or the application inside the container needs to take care of the relation.

secrets have two purposes: in a swarm cluster the secret details doesn’t need to be cleartext on the cluster nodes (they are encrypted while “rolled out” to the nodes) + the containers do not leak the secret details thru env variables.

update: @rimelek was faster

djedjethai · December 25, 2021, 11:16am

When in a mysql you use the secrets

secrets:
    - mysql-user
//====
MYSQL_USER: /run/secrets/mysql-user
// ====
secrets:
  mysql-user:
    external: true

You get an Env Var don’t you ? (if no secret you do MYSQL_USER: “userName”, you do not read a file).

So yes, for me it’s kind of strange(or at least not consistent) that in a PHP(or any other langage, i don’t know) image we now have to read from a file.

Whatever, thank you very much for the help.

rimelek · December 25, 2021, 11:57am

You don’t set MYSQL_USER to a file. You set MYSQL_USER_FILE to the secret file. At least with latest versions. That variable will exist in the container and the entrypoint of the mysql container reads it:

github.com

docker-library/mysql/blob/15fe7357b165ee8aaa3ce165386f910a53a75087/8.0/docker-entrypoint.sh#L39

    
      
          	local var="$1"
          	local fileVar="${var}_FILE"
          	local def="${2:-}"
          	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
          		mysql_error "Both $var and $fileVar are set (but are exclusive)"
          	fi
          	local val="$def"
          	if [ "${!var:-}" ]; then
          		val="${!var}"
          	elif [ "${!fileVar:-}" ]; then
          		val="$(< "${!fileVar}")"
          	fi
          	export "$var"="$val"
          	unset "$fileVar"
          }
          
          
# check to see if this file is being run or sourced from another script
          _is_sourced() {
          	# https://unix.stackexchange.com/a/215279
          	[ "${#FUNCNAME[@]}" -ge 2 ] \
          		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \

You won’t have the password among the environment variables when you enter the container and run env

root@4589d94eed45:/# env | sort
GOSU_VERSION=1.12
HOME=/root
HOSTNAME=4589d94eed45
MYSQL_MAJOR=8.0
MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password
MYSQL_VERSION=8.0.27-1debian10
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=0
TERM=xterm
_=/usr/bin/env

Note: I used MYSQL_ROOT_PASSWORD_FILE not MYSQL_USER_FILE but it works the same way.

You can do the same with PHP-FPM if you want to, but just because one image support it, doesn’t mean all of them will support it so it is our job to implement it.

djedjethai · December 25, 2021, 2:08pm

Thank you for the explaination, very helpful. Thank you.