Cli: Add --env-file to docker exec

Created on 21 Feb 2019 · 5 comments · Source: docker/cli

I mis-filed this under moby (https://github.com/moby/moby/issues/38754) and they told me to come here.

Description

This is a follow-up to https://github.com/moby/moby/issues/14036. --env-file is a secure way to pass an environment that contains sensitive data. Without it my data becomes shy, the cache flushes and all my bits go down the drain.

I think the work-around is to docker cp the environment file and source it, but that means I also have to fix it up with quotes, escapes, etc.

Additional information you deem important (e.g. issue happens only occasionally):
I don't like Chicken

Output of docker version:
Output of docker info:

#  docker --version && docker info
Docker version 18.09.1, build 4c52b90
Containers: 4
 Running: 0
 Jumping: 0
 Walking: 0
 Lying down: 0
 Paused: 0
 Stopped: 4
Images: 69
Server Version: 18.09.1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 96ec2177ae841256168fcf76954f7177af9446eb
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-131-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.772GiB
Name: [censored]
ID: [censored]
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support


Labels: exp/beginner, exp/intermediate, kind/feature

All 5 comments

Hi. Any progress on it?

I don't think anyone worked on this.

Just to set expectations right:

  1. docker exec already inherits environment-variables that were set on the container itself, so this feature would only be useful to set other env-vars used for the duration of the docker exec

    docker run -dit --env HELLO=WORLD --name mycontainer busybox
    
    docker exec --env FOO=BAR mycontainer env
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    HOSTNAME=39a58f6d9f95
    HELLO=WORLD
    FOO=BAR
    HOME=/root
    
  2. the --env-file option would have the same limitations as docker run --env-file (e.g., no support for multi-line values, no support for files that have (e.g.) export FOO=BAR)

  3. more of a remark: env-vars are not really that secure; they can be read by other processes, and could easily end up in logs. For example, on a daemon with debug logs enabled, the above command shows up in the logs as:

    level=debug msg="Calling POST /v1.40/containers/mycontainer/exec"
    level=debug msg="form data: {\"AttachStderr\":true,\"AttachStdin\":false,\"AttachStdout\":true,\"Cmd\":[\"env\"],\"Detach\":false,\"DetachKeys\":\"\",\"Env\":[\"FOO=BAR\"],\"Privileged\":false,\"Tty\":false,\"User\":\"\",\"WorkingDir\":\"\"}"
    level=debug msg="Calling POST /v1.40/exec/712b9f880e51fd6d99b284672045f1563070a9d37473d2c891a859b790841dc9/start"
    

Given that we already have --env and the code to read --env-file's, I personally would be ok for this to be implemented (and would accept a PR if someone wants to work on it), but perhaps @cpuguy83 @silvin-lubecki think otherwise

No opposition here, though it seems odd to want to add a bunch of envs to an exec.

Same here, I'm ok with this feature 👍

For whoever is waiting for the new release and is able to run bash scripts:

# we do this until the new work on docker-exec --env-file is released
# SCRIPT_DIR must point at the directory that holds .env.ci
function generate_env
{
    # drop comment lines, blank lines and lines with an empty value, prefix each
    # remaining KEY=VALUE with -e, and collapse the result onto one line
    # (read -r keeps backslashes in values intact)
    INLINE_ENV=$(echo $(grep -v -E '^(#.*|[[:space:]]*|.*=\s*)$' "${SCRIPT_DIR}/.env.ci" | while IFS= read -r line; do echo "-e $line"; done))
    echo "$INLINE_ENV"
}

The above method will generate a string like -e VAR1=VALUE -e VAR2=... removing all comments and empty lines before creating this string.

docker exec $(generate_env) ...
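The generate_env workaround above word-splits the string it builds, so a value containing a space turns into several arguments, and it does not apply the file rules the maintainers describe for docker run --env-file. The following is an added example, not code from this thread or from docker/cli: a POSIX sh version that reads the file with those rules (comment and blank lines skipped, leading whitespace trimmed, everything after the first = kept verbatim including quotes, a line with no = taken from the caller's environment and dropped silently if unset, no multi-line values, an export FOO=BAR line rejected) and builds the -e arguments with set -- so each value stays a single argument. Restricting names to [A-Za-z_][A-Za-z0-9_]* is an assumption of this example (docker itself only rejects whitespace in the name), chosen so the name can be used safely in eval; the function names, the DOCKER override variable and the sample .env.ci contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from docker/cli.
# Reads an env file with the docker run --env-file rules described above and
# runs `docker exec` with one -e argument per variable.

# Print validated KEY=VALUE lines from FILE, one per line. Returns 1 on the
# first malformed line (docker likewise aborts on a bad env file).
parse_env_file() {
  file=$1
  while IFS= read -r raw || [ -n "$raw" ]; do
    # trim leading whitespace only; everything after the first '=' is kept verbatim
    line=${raw#"${raw%%[![:space:]]*}"}
    case $line in
      '' | '#'*) continue ;;          # blank lines and comments are skipped
    esac
    name=${line%%=*}
    case $name in
      '')
        printf 'env-file: missing variable name in line: %s\n' "$raw" >&2
        return 1 ;;
      [0-9]* | *[!A-Za-z0-9_]*)
        # assumption: identifier-only names (docker only rejects whitespace);
        # this is also what turns an "export FOO=BAR" line into an error
        printf "env-file: variable '%s' is not a valid name\n" "$name" >&2
        return 1 ;;
    esac
    if [ "$name" = "$line" ]; then
      # no '=': take the value from the caller's environment, skip silently if unset
      eval "isset=\${$name+x}"
      if [ -n "$isset" ]; then
        eval "value=\$$name"
        printf '%s=%s\n' "$name" "$value"
      fi
    else
      printf '%s\n' "$line"            # quotes are not stripped; no multi-line values
    fi
  done < "$file"
}

# Usage: docker_exec_env_file ENVFILE CONTAINER CMD [ARGS...]
# The argument list is built with `set --`, so a value with spaces stays one
# argument. DOCKER can be pointed at another command for a dry run.
docker_exec_env_file() {
  envfile=$1; shift
  pairs=$(parse_env_file "$envfile") || return 1
  n=$#
  while IFS= read -r pair; do
    if [ -n "$pair" ]; then
      set -- "$@" -e "$pair"
    fi
  done <<EOF
$pairs
EOF
  # rotate CONTAINER CMD ARGS... from the front to the back, behind the -e pairs
  i=0
  while [ "$i" -lt "$n" ]; do
    set -- "$@" "$1"
    shift
    i=$((i + 1))
  done
  "${DOCKER:-docker}" exec "$@"
}

# Write a constructed sample .env.ci to FILE (sample data for this example only).
write_sample_env() {
  cat > "$1" <<'EOF'
# comments and blank lines are skipped
DB_HOST=db.internal

MSG=hello world   # inline text stays part of the value
QUOTED="still quoted"
  INDENTED=yes
SAMPLE_TOKEN
UNSET_THING_XYZ_42
EOF
}

# Example run against a real container (uncomment to try):
#   write_sample_env ./.env.ci
#   SAMPLE_TOKEN=abc123 docker_exec_env_file ./.env.ci mycontainer env
```

Note that MSG keeps its trailing "# inline text ..." as part of the value and QUOTED keeps its double quotes, exactly as docker run --env-file would pass them; a multi-line quoted value would surface as a second line that either fails the name check or is silently dropped, which is the limitation the maintainers point out. The debug-log caveat from the thread still applies: every -e pair ends up in the exec API request body.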
