Rabbitmq: Support docker secrets.

Created on 13 Feb 2017  路  8Comments  路  Source: docker-library/rabbitmq

Please provide support for docker secrets as in Build support for Docker Secrets into your images
.

Brief description from the relevant docker page below:

If you develop a container that can be deployed as a service and requires sensitive data, such as a credential, as an environment variable, consider adapting your image to take advantage of Docker secrets. One way to do this is to ensure that each parameter you pass to the image when creating the container can also be read from a file.

Many of the official images in the Docker library, such as the wordpress image used in the above examples, have been updated in this way.

When you start a WordPress container, you provide it with the parameters it needs by setting them as environment variables. The WordPress image has been updated so that the environment variables which contain important data for WordPress, such as WORDPRESS_DB_PASSWORD, also have variants which can read their values from a file (WORDPRESS_DB_PASSWORD_FILE). This strategy ensures that backward compatibility is preserved, while allowing your container to read the information from a Docker-managed secret instead of being passed directly.

Most helpful comment

@gkirill Since by "secrets" we're referring to a deployment to a Docker Swarm cluster, here it is a deployment docker compose file example I use on an actual project:

version: '3.1'

volumes:
  # TODO: AS the Docker team helps regarding the file ownership on files created inside a
  # cloudstor:azure volume... only the we can use the cloudstor:azure driver...
  data:

networks:
  network: # This will actually create the 'app_mq_network' in the swarm cluster

secrets:
  app_rabbitmq_pass:
    external: true

services:
  rabbitmq:
    image: rabbitmq:3.6-alpine
    volumes:
      - data:/var/lib/rabbitmq
    ports:
      - 5672:5672
    networks:
      - network
    environment:
      RABBITMQ_DEFAULT_USER: app
      RABBITMQ_DEFAULT_PASS_FILE: /run/secrets/app_rabbitmq_pass
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.queue-host == true
    secrets:
      - app_rabbitmq_pass

This stack is deployed like this:

# Create the password for production environment:
echo "$(pwgen -n 16 1)" | docker secret create app_rabbitmq_pass -

# Deploy the AMQP service on the production environment:
docker stack deploy --compose-file stack.yml app_mq

All 8 comments

By gazing through the entrypoint, it looks like we only need to deal with RABBITMQ_DEFAULT_PASS env var - SSL certs are just paths to files, so docker secrets can be used here without changes.

Give me some minutes :)

Great news!

Would it be too much to suggest including RABBITMQ_DEFAULT_USER_FILE as well, as providing support for the full credential pair? The image for Postgres, for instance, does that, among others I have been using.

Thanks for the reply.

I was avoiding that for no good reason - I thought the username was not sensitive enough to make it to the docker secret vault.

But it's fair enough to include that one on the list.

really looking forward for this change. this will solve several problems for us. is anything blocking the PR?

Thanks for the changes. I appreciate it.

Closing given that https://github.com/docker-library/rabbitmq/pull/143 merged. :+1:

I wonder if there is an example somewhere on how this could be done. You know, "show me the code". Thanks a lot (if not, I'll figure out and post here)!

@gkirill Since by "secrets" we're referring to a deployment to a Docker Swarm cluster, here it is a deployment docker compose file example I use on an actual project:

version: '3.1'

volumes:
  # TODO: AS the Docker team helps regarding the file ownership on files created inside a
  # cloudstor:azure volume... only the we can use the cloudstor:azure driver...
  data:

networks:
  network: # This will actually create the 'app_mq_network' in the swarm cluster

secrets:
  app_rabbitmq_pass:
    external: true

services:
  rabbitmq:
    image: rabbitmq:3.6-alpine
    volumes:
      - data:/var/lib/rabbitmq
    ports:
      - 5672:5672
    networks:
      - network
    environment:
      RABBITMQ_DEFAULT_USER: app
      RABBITMQ_DEFAULT_PASS_FILE: /run/secrets/app_rabbitmq_pass
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.queue-host == true
    secrets:
      - app_rabbitmq_pass

This stack is deployed like this:

# Create the password for production environment:
echo "$(pwgen -n 16 1)" | docker secret create app_rabbitmq_pass -

# Deploy the AMQP service on the production environment:
docker stack deploy --compose-file stack.yml app_mq
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mixxit picture mixxit  路  5Comments

zhousujian picture zhousujian  路  5Comments

ghost picture ghost  路  4Comments

aram535 picture aram535  路  4Comments

michaelklishin picture michaelklishin  路  4Comments