I am trying to deploy my PHP app in the docker container. Using docker secret I want to store the password of the MySQL database. First I created a docker secret mysql_password. My docker-compose file is -
When I try to access the secret ‘mysql_password’ it is not returning anything. And if I try the environment element ‘MYSQL_PASSWORD_FILE’, it is giving me the path of the secret, that is ‘/run/secrets/mysql_password’.
To access the environment variable in PHP I have used .$_ENV["mysql_password"]
Same problem here. The secrets are working within a MySQL image but not inside a PHP container. I didn’t find any solution to this issue, looks like it’s a bug from Docker or from the PHP image…
Just out of curiosity: why would a variable that points to a path suddenly contain the file’s content itself? From Docker's perspective the secret and the env variable are unrelated; the entrypoint script or the application inside the container needs to take care of the relation.
Secrets have two purposes: in a swarm cluster the secret details don’t need to be cleartext on the cluster nodes (they are encrypted while “rolled out” to the nodes) + the containers do not leak the secret details through env variables.
You get an Env Var, don’t you? (If no secret, you do MYSQL_USER: “userName”, you do not read a file.)
So yes, for me it’s kind of strange (or at least not consistent) that in a PHP (or any other language, I don’t know) image we now have to read from a file.
You don’t set MYSQL_USER to a file. You set MYSQL_USER_FILE to the secret file. At least with latest versions. That variable will exist in the container and the entrypoint of the mysql container reads it:
You won’t have the password among the environment variables when you enter the container and run env
Note: I used MYSQL_ROOT_PASSWORD_FILE not MYSQL_USER_FILE but it works the same way.
You can do the same with PHP-FPM if you want to, but just because one image supports it doesn’t mean all of them will support it, so it is our job to implement it.
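One way to implement the `_FILE` convention discussed in this thread inside the PHP application itself, so the password is read from `/run/secrets/...` and never placed in an environment variable. This is an added example, not code from any poster or from the Docker images; `read_setting()` is a hypothetical helper, and the `db` host, `app` database name and sample values are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a setting given either directly (NAME) or as a path to a secret
 * file (NAME_FILE), e.g. MYSQL_PASSWORD_FILE=/run/secrets/mysql_password.
 * read_setting() is a hypothetical helper name, not part of PHP or Docker.
 */
function read_setting(string $name, ?string $default = null): ?string
{
    $value = getenv($name);
    $path  = getenv($name . '_FILE');

    // Setting both is ambiguous; fail loudly instead of guessing.
    if ($value !== false && $path !== false) {
        throw new RuntimeException("Both $name and {$name}_FILE are set");
    }
    if ($path !== false) {
        if (!is_file($path) || !is_readable($path)) {
            throw new RuntimeException("{$name}_FILE is not a readable file: $path");
        }
        $content = file_get_contents($path);
        if ($content === false) {
            throw new RuntimeException("Could not read $path");
        }
        // Secret files often end with a trailing newline; strip only that.
        return rtrim($content, "\r\n");
    }
    return $value !== false ? $value : $default;
}

// Constructed demo: a temp file stands in for /run/secrets/mysql_password.
$demo = tempnam(sys_get_temp_dir(), 'secret');
file_put_contents($demo, "example-password\n");
putenv("MYSQL_PASSWORD_FILE=$demo");
putenv('MYSQL_USER=appuser');

$user = read_setting('MYSQL_USER');      // plain variable
$pass = read_setting('MYSQL_PASSWORD');  // resolved through MYSQL_PASSWORD_FILE
var_dump($user === 'appuser', $pass === 'example-password');
unlink($demo);

// In the app, hand the value straight to the driver and never echo or log it
// (host "db" and database "app" are assumed names):
// $pdo = new PDO('mysql:host=db;dbname=app', $user, $pass);
```

Reading the file at connection time keeps the password out of `env`, `phpinfo()` output and `docker inspect`, which is the leak the secrets mechanism is meant to avoid.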