I misfiled this under moby (https://github.com/moby/moby/issues/38754) and they told me to come here.
Description
This is a follow-up to https://github.com/moby/moby/issues/14036. --env-file is a secure way to pass an environment that contains sensitive data. Without it my data becomes shy, the cache flushes and all my bits go down the drain.
I think the work-around is to docker cp the environment file and source it, but that means I also have to fix it up with quotes, escapes, etc.
Steps to reproduce the issue:
Describe the results you received:
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
I don't like Chicken
Output of docker version:
Output of docker info:
# docker --version && docker info
Docker version 18.09.1, build 4c52b90
Containers: 4
Running: 0
Jumping: 0
Walking: 0
Lying down: 0
Paused: 0
Stopped: 4
Images: 69
Server Version: 18.09.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 96ec2177ae841256168fcf76954f7177af9446eb
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-131-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.772GiB
Name: [censored]
ID: [censored]
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.):
Hi. Any progress on it?
I don't think anyone worked on this.
Just to set expectations right:
docker exec already inherits environment variables that were set on the container itself, so this feature would only be useful to set other env-vars used for the duration of the docker exec.
docker run -dit --env HELLO=WORLD --name mycontainer busybox
docker exec --env FOO=BAR mycontainer env Tue Jun 23 16:02:39 2020
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=39a58f6d9f95
HELLO=WORLD
FOO=BAR
HOME=/root
The --env-file option would have the same limitations as docker run --env-file (e.g., no support for multi-line values, no support for files that have (e.g.) export FOO=BAR).
More of a remark: env-vars are not really that secure; they can be read by other processes, and could easily end up in logs. For example, on a daemon with debug logs enabled, the above command shows up in the logs as:
level=debug msg="Calling POST /v1.40/containers/mycontainer/exec"
level=debug msg="form data: {\"AttachStderr\":true,\"AttachStdin\":false,\"AttachStdout\":true,\"Cmd\":[\"env\"],\"Detach\":false,\"DetachKeys\":\"\",\"Env\":[\"FOO=BAR\"],\"Privileged\":false,\"Tty\":false,\"User\":\"\",\"WorkingDir\":\"\"}"
level=debug msg="Calling POST /v1.40/exec/712b9f880e51fd6d99b284672045f1563070a9d37473d2c891a859b790841dc9/start"
Given that we already have --env and the code to read --env-file, I personally would be OK for this to be implemented (and would accept a PR if someone wants to work on it), but perhaps @cpuguy83 @silvin-lubecki think otherwise.
No opposition here, though it seems odd to want to add a bunch of envs to an exec.
Same here, I'm ok with this feature 👍
For whoever is waiting for the new release and has the possibility to run bash scripts:
# we do this until the new work on docker-exec --env-file is released
function generate_env
{
  # Drop comment lines, blank/whitespace-only lines and lines with an empty
  # value, then prefix every remaining VAR=VALUE line with -e for docker exec.
  # read -r keeps backslashes in values intact.
  INLINE_ENV=$(echo $(grep -v -E '^(#.*|[[:space:]]*|.*=\s*)$' "${SCRIPT_DIR}/.env.ci" | while IFS= read -r line; do echo "-e $line"; done))
  echo "$INLINE_ENV"
}
The above method will generate a string like -e VAR1=VALUE -e VAR2=..., removing all comments and empty lines before creating this string.
docker exec $(generate_env) ...
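The string-based workaround above relies on word splitting, so a value containing spaces is broken into several arguments. The following bash script is an added example (not code from this thread) that collects the --env arguments in an array instead, while following the basic docker run --env-file line rules the maintainer mentions (comments and blank lines skipped, VAR=value passed verbatim, a bare VAR forwarded from the caller's shell, no multi-line values). The file contents and the container name are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: build the --env arguments for
# "docker exec" from an env file, following the basic line rules of
# docker run --env-file: blank lines and '#' comments are skipped,
# "VAR=value" is passed through verbatim (no unquoting or unescaping, so
# multi-line values are unsupported), and a bare "VAR" forwards that
# variable from the calling shell. Arguments are collected in an array so a
# value containing spaces stays a single argument.

ENV_ARGS=()   # filled by env_file_to_args; pass as "${ENV_ARGS[@]}"

env_file_to_args() {
  local file=$1 line
  ENV_ARGS=()
  while IFS= read -r line || [ -n "$line" ]; do   # also handle a missing final newline
    case $line in
      ''|'#'*) continue ;;                          # blank line or comment
      *=*)     ENV_ARGS+=(--env "$line") ;;         # explicit VAR=value, kept verbatim
      *)
        # bare name: forward only valid identifiers that are set in our shell
        if [[ $line =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] && [ -n "${!line+x}" ]; then
          ENV_ARGS+=(--env "$line=${!line}")
        fi ;;
    esac
  done < "$file"
}

# Constructed sample env file: a comment, a value with spaces, a blank line,
# a plain assignment, a forwarded name and an unset name (which is dropped).
demo_args() {
  local tmp
  local FORWARDED_HOME=/home/ci           # visible to env_file_to_args via dynamic scoping
  tmp=$(mktemp)
  printf '%s\n' '# CI settings' 'API_TOKEN=token with spaces' '' \
                'REGION=eu-west-1' 'FORWARDED_HOME' 'NOT_SET_ANYWHERE' > "$tmp"
  env_file_to_args "$tmp"
  rm -f "$tmp"
  # One argument per line so the exact argv boundaries are visible.
  printf '%s\n' "${ENV_ARGS[@]}"
}

# Usage against a real env file (container name is a placeholder):
#   env_file_to_args ./.env.ci
#   docker exec "${ENV_ARGS[@]}" mycontainer env
```

As the maintainer notes, the resulting values still travel in the exec request and appear in daemon debug logs, so the array only fixes the quoting problem, not the exposure.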