New to Docker here. I’m trying to create a basic Dockerfile where I run a python script that runs some queries in postgres through psycopg2. I currently have a pgpass file setup in my environment variables so that I can run these tools without supplying a password in the code. I’m trying to replicate this in Docker. I have windows on my local.
FROM datascienceschool/rpython as base RUN mkdir /test WORKDIR /test COPY requirements.txt requirements.txt RUN pip install -r requirements.txt COPY main_airflow.py /test RUN cp C:Usersuser.nameAppDataRoamingpostgresqlpgpass.conf /test ENV PGPASSFILE="test/pgpass.conf" ENV PGUSER="user" ENTRYPOINT ["python", "/test/main_airflow.py"]
This is what I’ve tried in my Dockerfile. I’ve tried to copy over my pgpassfile and set it as my environment variable. Apologies if I have a forward/backslashes wrong, or syntax. I’m very new to Docker, Linux, etc.
Any help or alternatives would be appreciated
Advertisement
Answer
It’s better to pass your secrets into the container at runtime than it is to include the secret in the image at build-time. This means that the Dockerfile doesn’t need to know anything about this value.
For example
$ export PGPASSWORD=<postgres password literal> $ docker run -e PGPASSWORD <image ref>
Now in that example, I’ve used PGPASSWORD, which is an alternative to PGPASSFILE. It’s a little more complicated to do this same if you’re using a file, but that would be something like this:
The plan will be to mount the credentials as a volume at runtime.
FROM datascienceschool/rpython as base RUN mkdir /test WORKDIR /test COPY requirements.txt requirements.txt RUN pip install -r requirements.txt COPY main_airflow.py /test ENV PGPASSFILE="/credentials/pgpass.conf" ENV PGUSER="user" ENTRYPOINT ["python", "/test/main_airflow.py"]
As I said above, we don’t want to include the secrets in the image. We are going to indicate where the file will be in the image, but we don’t actually include it yet.
Now, when we start the image, we’ll mount a volume containing the file at the location specified in the image, /credentials
$ docker run --mount src="<host path to directory>",target="/credentials",type=bind <image ref>
I haven’t tested this so you may need to adjust the exact paths and such, but this is the idea of how to set sensitive values in a docker container