The guys over at Docker introduced this feature such that sensitive data, such as database credentials, no not need to be stored in the environment, where they are more easily accessed by a hacker. To get an idea how it works you can reference the mySQL implementation of Docker Secrets.
At the end of the day, it’d be as simple as adding the environment variables for the paths to the values and then checking those paths as a failover. While I don’t think that you’d like to switch over completely in the short term, Docker Secrets will be the first class citizen for this type of data going forward.
Please let me know if you have questions about this proposal!
Hi Ryan. I’ve had a look at the MySQL code, and as far as I can see they’re taking the value passed in the secrets file, and then using it to set the original environment variables to those values?
I’m not averse to doing that too, but I don’t think it really makes any real difference from a security standpoint? Perhaps I’m mistaken.
My other concern is that in doing so, we don’t cause additional complexity. It seems as though you have to run in swarm mode to use them at all, so I’ll have no way currently to test any implementation. If you’re willing to assist with that, and it can be done in a fully backwards compatible way, then I’m happy to try.
It’s unlikely to be for the 1.8.3 release though as we’re too far through the cycle now.