Gitea: [Feature] Read database password from Docker secret file

Created on 17 Feb 2020 · 5 Comments · Source: go-gitea/gitea

Hi there,

I plan to use Gitea in a production environment on a Docker Swarm cluster. I want to avoid having clear-text passwords in my docker-compose file.

An easy way to protect credentials with Docker Swarm is to use secrets. See https://docs.docker.com/engine/swarm/secrets/

Docker secrets are mounted as files in the container, so I can't use the environment variable DB_PASSWD.

A workaround used by images like MySQL or Postgres is to provide an environment variable storing the path of the secret, e.g. DB_PASSWD_FILE, then read that file. See section "Docker Secrets" on https://hub.docker.com/_/mysql for an example.

It would be nice to have the same for Gitea. This would only require an additional step during Gitea s6 setup, before setting default configuration variables.

```sh
# Quote the path so a secret file path containing spaces still works.
if [ -n "$DB_PASSWD_FILE" ] && [ -r "$DB_PASSWD_FILE" ]; then
    DB_PASSWD=$(cat "$DB_PASSWD_FILE")
fi
```

Here is a minimal docker-compose example where I used a custom image to add the above step.

```yaml
version: '3.7'

services:
  git:
    image: custom-gitea
    environment:
      DB_TYPE: mysql
      DB_HOST: db:3306
      DB_NAME: gitea
      DB_USER: root
      DB_PASSWD_FILE: /run/secrets/db-password
      ROOT_URL: git:3000
      SSH_DOMAIN: git
      SSH_PORT: 22
    ports:
      - 3003:3000
    networks:
      - default
    secrets:
      - source: db-password
        target: /run/secrets/db-password
        mode: 0400

  db:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db-password
      MYSQL_DATABASE: gitea
    networks:
      - default
    secrets:
      - source: db-password
        target: /run/secrets/db-password
        mode: 0400

networks:
  default:
    driver: overlay

secrets:
  db-password:
    file: './db-password'
```

Steps:

```sh
# On a Docker Swarm cluster
echo 'mydatabasepassword' > db-password
docker stack deploy -c docker-compose.yml gitea-test
```

  • Gitea version (or commit ref): 1.10
  • Operating system: Docker
  • Database (use [x]):
    • [x] PostgreSQL
    • [x] MySQL
    • [x] MSSQL
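The snippet in the issue handles one variable. Below is an added example (not Gitea's own entrypoint code and not from this issue) of a reusable POSIX `sh` helper in the spirit of the `file_env` pattern the official MySQL and Postgres images use: for a variable name `VAR` it reads `VAR_FILE` when set, refuses the ambiguous case where both `VAR` and `VAR_FILE` are given, fails loudly on an unreadable secret file, strips the trailing newline that `echo 'password' > file` leaves behind, and drops `VAR_FILE` afterwards so the path is not inherited by child processes. The function name `file_env` and the optional default argument are assumptions of this example; the `DB_PASSWD` call at the bottom shows where Gitea's s6 setup would invoke it.

```shell
#!/bin/sh
# Added example, not Gitea's code: resolve VAR from VAR_FILE (Docker secret).
# Usage: file_env VAR [DEFAULT]
file_env() {
    var="$1"
    default="${2:-}"
    file_var="${var}_FILE"
    # POSIX sh has no ${!var} indirection, so use eval to read both values.
    eval "val=\${$var:-}"
    eval "file_val=\${$file_var:-}"

    # Both forms at once would silently ignore one of them; refuse instead.
    if [ -n "$val" ] && [ -n "$file_val" ]; then
        echo "error: both $var and $file_var are set (but are exclusive)" >&2
        return 1
    fi

    if [ -n "$file_val" ]; then
        # A missing or unreadable secret must fail setup, not yield "".
        if [ ! -r "$file_val" ]; then
            echo "error: $file_var=$file_val is not readable" >&2
            return 1
        fi
        # Command substitution strips trailing newlines, so a file written
        # with 'echo' yields the bare password.
        val=$(cat "$file_val")
    elif [ -z "$val" ]; then
        val="$default"
    fi

    export "$var=$val"
    # Remove the path variable so only the resolved value is passed on.
    unset "$file_var"
}

# Where Gitea's s6 setup would call it, before defaults are applied:
file_env DB_PASSWD
```

With `DB_PASSWD_FILE=/run/secrets/db-password` in the compose environment, `DB_PASSWD` is exported from the secret's contents and the rest of the setup script can keep using `DB_PASSWD` unchanged.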

Label: kind/proposal

All 5 comments

Another way is to store the password in envs.

Is there a way to have them hashed as environment variables? I can't find anything about this in the documentation.
With Docker secrets, I avoid writing them in clear-text, which is a security concern.

If you create a separate network for db and add only db and Gitea to it, no one else will be able to connect to it, so this way password complexity does not matter anymore.

From the outside, Gitea being on an overlay network (which I'm already using) doesn't change a thing. It is easier to read an environment variable than a file. My point is also not to have sensitive values such as passwords in docker-compose.yml, especially if it is versioned.

Considering that most major databases support password file handling through docker secrets, I would like to see this feature implemented as well.
