Docker-transmission-openvpn: Support for docker secrets

Created on 18 Jun 2018 · 14 Comments · Source: haugene/docker-transmission-openvpn

In the latest version of docker, it has a facility for using "secrets", such that they don't have to be entered onto the command line or left in unencrypted files like docker-compose.yml.

Can this image be modified to look for the openvpn password there?

I've found several solutions for this, but they all require doing up my own Dockerfile and messing with the entrypoint, something I don't feel comfortable doing.

enhancement help wanted

All 14 comments

It would be nice, I'd also like to use it for TRANSMISSION_RPC_PASSWORD, however I think the problem is jwilder/dockerize doesn't support secret injection into templates.

So the obvious options I can think of are to either fix this upstream (i.e. in jwilder/dockerize), or to move to a different templating engine that does support this, I had a quick poke around and found markriggins/dockerfy, not sure if it's suitable, and it hasn't been updated for a while, but maybe that's fine, or maybe there are other alternatives.

I'd love for this issue to be revisited. If I can move my credentials to a secrets file, then I could more easily share my docker-compose with others!

Bump! I'm hoping that eventually this feature will be implemented.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Bump! I'm still hoping for this feature

Feel free to create a PR, I had a quick look and there is a PR on jwilder/dockerize to support this but that project doesn't update much ...

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Feel free to re-open this issue if you think it deserves another look.

All right. So stale bot closed this one, but I had it in the back of my mind and wanted to have a look at it. It seems to me like this feature would make most sense in a Docker swarm setup, is that what you're running?

It does also work with docker-compose and I've tested the change I just committed ☝️ by using this compose file.
NOTE: I built the image locally and the feature is not yet a part of the official :dev tag image.

```yaml
version: '3.8'
services:
  transmission-openvpn:
    image: haugene/transmission-openvpn:dev
    environment:
        - OPENVPN_PROVIDER=PIA
        - OPENVPN_CONFIG=Israel
        - LOCAL_NETWORK=192.168.0.0/16
    cap_add:
        - NET_ADMIN
    ports:
        - '9091:9091'
    secrets:
        - transmission-user-pass

secrets:
    transmission-user-pass:
        file: ./user-pass.txt
```

Would this be a good solution? I want your comments here. Because the user-pass.txt file that I'm referring to here is an unencrypted file. And to me there is no difference in this and just mounting the username and password file to /config/openvpn-credentials.txt which has been supported for a long time. Now you might not have known that, and that's OK. Just want to hear your thoughts. The added benefit of this approach is of course that we actually will support secrets in swarm mode.
The contents of the file are just two lines:

password

which is how OpenVPN reads credentials from a file.

As you can see in my commit I'm just copying the secret into the OpenVPN credentials file. The reason for this is that we've modified all the .ovpn files of the providers to point to this file. So changing the location and reading directly from secrets would be a larger change. Another question is if it matters, it will be mounted unencrypted into the container anyways.

There is also a new feature on the dev branch that lets you supply a URL directly to the .ovpn file and then the container will download it and modify it as needed. That script could directly reference the secret and we wouldn't have to copy it. But for the built in providers we would have to make another script to fix it.
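The copy step described in the comment above, sketched as an added example; it is not the project's commit or code. It assumes Docker's standard secret mount point `/run/secrets/<name>` and OpenVPN's credentials-file layout (username on line 1, password on line 2); the function name `install_vpn_credentials` is hypothetical and the demo credentials are constructed.

```shell
#!/bin/sh
# Added example: copy a Docker secret into the file OpenVPN reads credentials from.
# In the container the call would be (paths as used in this thread):
#   install_vpn_credentials /run/secrets/transmission-user-pass /config/openvpn-credentials.txt

install_vpn_credentials() {   # hypothetical helper name
    src=$1
    dst=$2

    if [ ! -r "$src" ]; then
        echo "secret not readable: $src" >&2
        return 1
    fi

    # Username on line 1, password on line 2. Strip CRs so a secret file
    # saved with Windows line endings does not produce a bad login.
    cred_user=$(sed -n '1p' "$src" | tr -d '\r')
    cred_pass=$(sed -n '2p' "$src" | tr -d '\r')
    if [ -z "$cred_user" ] || [ -z "$cred_pass" ]; then
        echo "secret must contain a username line and a password line" >&2
        return 1
    fi

    # Remove any old copy first: umask only applies to newly created files,
    # so an existing world-readable file would otherwise keep its mode.
    (
        umask 077
        rm -f "$dst"
        printf '%s\n%s\n' "$cred_user" "$cred_pass" > "$dst"
    ) || return 1
    chmod 600 "$dst"
}

# Demo on constructed input in a scratch directory, so it runs outside a container.
demo_dir=$(mktemp -d)
printf 'constructed-user\r\nconstructed-pass\r\n' > "$demo_dir/transmission-user-pass"
install_vpn_credentials "$demo_dir/transmission-user-pass" "$demo_dir/openvpn-credentials.txt"
echo "installed: $(wc -l < "$demo_dir/openvpn-credentials.txt") lines, mode $(ls -l "$demo_dir/openvpn-credentials.txt" | cut -c1-10)"
```

The copy inside the container is still plaintext, as the comment above points out; the owner-only mode just keeps other users and processes in the container from reading it.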

Ah, that works! Thank you very much!

I indeed was _not_ aware this was already possible. I'm running it in docker-compose and like to share my docker-compose file. I used to have to strip out my auth before sharing but now I don't! Much appreciated

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

bump

Aha. This went stale again. You want the commit :point_up: merged @ilike2burnthing ?

Not something I'd personally use. Sorry, should have explained my bump - I knew you were away at the time and didn't want the post to be lost to the stale bot if you hadn't seen CH's response.
