Using docker secrets in PHP app

I am trying to deploy my PHP app in the docker container. Using docker secret I want to store the password of the MySQL database. First I created a docker secret mysql_password. My docker-compose file is -

version: '3.9'
services:
    php:
        image: 'php:7.2-fpm'
        build:
            context: ./docker
            dockerfile: php.Dockerfile
        volumes:
            - './app:/var/www/html'
        environment:
            MYSQL_PASSWORD_FILE: /run/secrets/mysql_password
        secrets:
            - mysql_password

    nginx:
        image: nginx:latest
        ports:
            - '80:80'
        links:
            - 'php'
        volumes:
            - './app:/var/www/html'
            - './config/nginx:/etc/nginx/conf.d'
secrets:
    mysql_password:
        external: true
  • When I try to access the secret ‘mysql_password’ it is not returning anything. And if I try the environment element ‘MYSQL_PASSWORD_FILE’, it is giving me the path of the secret, that is ‘/run/secrets/mysql_password’.
  • To access the environment variable in PHP I have used $_ENV["mysql_password"]

Hi

how did you create the secret?
because that file should CONTAIN your secret.

if your secret is in a key=value format, like mysql_password=randompassword

then you can instead of "environment:" use "env_file"

and point it to the secret file, then you should be able to use it at $_ENV or getenv('mysql_password')

I created secret using command echo "my_password" | docker secret create mysql_password.
I tried -

env_file:
        - /run/secrets/MYSQL_PASSWORD

When I run docker-compose or docker stack deploy, it is trying to find the env file at my local

ERROR: Couldn't find env file: D:\run\secrets\MYSQL_PASSWORD

Same problem here. The secrets are working within a MySQL image but do not inside a PHP container. I didn't find any solution to this issue; it looks like it's a bug from Docker or from the PHP image…

How do you try to read the secret file? It works for me as it should.

getenv('MY_ENVVAR')

it is giving me the path of the secret (same as shrikantkunte30) but not the secret.

i use php:7.2.1-apache

Secrets are NOT environment variables, unless PHP-FPM somehow reads them, but I don't think so. So you have to read the files.

Just out of curiosity: why would a variable that points to a path suddenly contain the file's content itself? From Docker's perspective the secret and the env variable are unrelated; the entrypoint script or the application inside the container needs to take care of the relation.

Secrets have two purposes: in a swarm cluster the secret details don't need to be cleartext on the cluster nodes (they are encrypted while "rolled out" to the nodes), and the containers do not leak the secret details through env variables.

update: @rimelek was faster :)

When in a mysql container you use the secrets

secrets:
    - mysql-user
# ====
MYSQL_USER: /run/secrets/mysql-user
# ====
secrets:
  mysql-user:
    external: true

You get an env var, don't you? (If there is no secret you do MYSQL_USER: "userName"; you do not read a file.)

So yes, for me it's kind of strange (or at least not consistent) that in a PHP (or any other language, I don't know) image we now have to read from a file.

Whatever, thank you very much for the help.

You don’t set MYSQL_USER to a file. You set MYSQL_USER_FILE to the secret file. At least with latest versions. That variable will exist in the container and the entrypoint of the mysql container reads it:

You won’t have the password among the environment variables when you enter the container and run env

root@4589d94eed45:/# env | sort
GOSU_VERSION=1.12
HOME=/root
HOSTNAME=4589d94eed45
MYSQL_MAJOR=8.0
MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password
MYSQL_VERSION=8.0.27-1debian10
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=0
TERM=xterm
_=/usr/bin/env

Note: I used MYSQL_ROOT_PASSWORD_FILE not MYSQL_USER_FILE but it works the same way.

You can do the same with PHP-FPM if you want to, but just because one image supports it doesn't mean all of them will support it :) so it is our job to implement it.
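Implementing the `*_FILE` convention the mysql entrypoint uses, as described in the two posts above, in the PHP application itself. This is an added example and not code from the thread or from the official php image; the `envOrSecret()` helper and the `MYSQL_HOST`, `MYSQL_DATABASE` and `MYSQL_USER` variables are assumptions, only `MYSQL_PASSWORD_FILE` comes from the compose file in the question. It reads the path in `MYSQL_PASSWORD_FILE`, returns the file's content, and falls back to a plain `MYSQL_PASSWORD` variable when no file variable is set.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a setting the way the mysql image's entrypoint does:
 * prefer NAME_FILE (a path, typically under /run/secrets/), fall back
 * to NAME in the environment, and refuse ambiguous input where both exist.
 *
 * getenv() is used rather than $_ENV: $_ENV is only populated when
 * php.ini's variables_order contains "E" (php.ini-production does not).
 *
 * Hypothetical helper written for this example, not part of any library.
 */
function envOrSecret(string $name, ?string $default = null): ?string
{
    $fileVar = $name . '_FILE';
    $file    = getenv($fileVar);
    $value   = getenv($name);

    if ($file !== false && $value !== false) {
        throw new RuntimeException("Both $name and $fileVar are set; set exactly one");
    }

    if ($file !== false) {
        // Swarm mounts secrets as files (mode 0444 by default), so the
        // unprivileged PHP-FPM worker can read them; fail loudly if not.
        if (!is_readable($file)) {
            throw new RuntimeException("$fileVar points to unreadable file $file");
        }
        $contents = file_get_contents($file);
        if ($contents === false) {
            throw new RuntimeException("Could not read $file");
        }
        // `echo "pw" | docker secret create ...` stores a trailing newline.
        // Strip exactly one line ending; everything else is the secret.
        return preg_replace('/\r?\n\z/', '', $contents, 1);
    }

    return $value !== false ? $value : $default;
}

$password = envOrSecret('MYSQL_PASSWORD');
if ($password === null) {
    fwrite(STDERR, "MYSQL_PASSWORD or MYSQL_PASSWORD_FILE must be set\n");
    exit(1);
}

// Assumed variable names for the remaining connection settings.
$dsn = sprintf(
    'mysql:host=%s;dbname=%s;charset=utf8mb4',
    envOrSecret('MYSQL_HOST', 'mysql'),
    envOrSecret('MYSQL_DATABASE', 'app')
);

$pdo = new PDO($dsn, envOrSecret('MYSQL_USER', 'app'), $password, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

Two things worth checking if the value still looks wrong: with the compose file in the question, `MYSQL_PASSWORD_FILE` is the only variable set, so `getenv('MYSQL_PASSWORD')` correctly returns `false` and the file branch runs; and a secret created with `echo` rather than `printf '%s'` carries a trailing newline, which is why the example strips one line ending before handing the value to PDO.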

Thank you for the explanation, very helpful. Thank you.