Support docker secrets #14
Comments
Thank you for the suggestion, I will take a look at this.
LSIO does this for all their containers and it's great
@kaysond Can you help me find one that I can refer to?
Oh and MariaDB's official image also does the same thing (though they use a suffix instead of prefix)
LSIO's method requires s6-overlay. The code is here.
This method is less dynamic, but done purely with bash script. Unfortunately the variable expansion method used is not supported by sh and the immich containers don't have bash currently.

```bash
# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	# mysql_error is a helper defined elsewhere in the same entrypoint script
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		mysql_error "Both $var and $fileVar are set (but are exclusive)"
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
		val="${!var}"
	elif [ "${!fileVar:-}" ]; then
		val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	unset "$fileVar"
}
```
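A POSIX sh variant of the function above, for images that ship without bash, as an added example that is not part of the original thread or the project's code: `eval` stands in for `${!var}` indirection, so the variable name is validated first, and errors return non-zero instead of calling `mysql_error`. `DB_PASSWORD` and the temp file standing in for a `/run/secrets/` file are assumptions made for the demo.

```sh
#!/bin/sh
# usage: file_env VAR [DEFAULT]
# POSIX sh only: no ${!var} indirection and no `local`, so helpers use an fe_ prefix.
file_env() {
    fe_var=$1
    fe_def=${2-}
    # The name is passed to eval below, so accept only a valid identifier.
    case $fe_var in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: invalid variable name: $fe_var" >&2
            return 2 ;;
    esac
    eval "fe_val=\${$fe_var-}"          # value of VAR, if any
    eval "fe_file=\${${fe_var}_FILE-}"  # value of VAR_FILE, if any
    if [ -n "$fe_val" ] && [ -n "$fe_file" ]; then
        echo "file_env: both $fe_var and ${fe_var}_FILE are set (but are exclusive)" >&2
        return 1
    fi
    if [ -z "$fe_val" ] && [ -n "$fe_file" ]; then
        if [ ! -r "$fe_file" ]; then
            echo "file_env: cannot read $fe_file" >&2
            return 1
        fi
        fe_val=$(cat "$fe_file")        # trailing newlines are stripped
    elif [ -z "$fe_val" ]; then
        fe_val=$fe_def
    fi
    eval "export $fe_var=\"\$fe_val\""
    unset "${fe_var}_FILE" fe_var fe_def fe_val fe_file
}

# Constructed demo: a temp file plays the role of a mounted secret.
# DB_PASSWORD is a hypothetical variable name, not one taken from the project.
demo_secret=$(mktemp)
printf 'constructed-secret\n' > "$demo_secret"
unset DB_PASSWORD
DB_PASSWORD_FILE=$demo_secret
file_env DB_PASSWORD && echo "DB_PASSWORD loaded (${#DB_PASSWORD} chars)"
rm -f "$demo_secret"
```

An entrypoint script would call `file_env` once per secret before starting the application, and treat a non-zero return as fatal.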
Also, definitely not an expert, but I think we can't use the MariaDB method verbatim anyway since they are under GPL2 license and this project is under MIT. Edit: And the LSIO is under GPL3 too.
Actually I just found the identical code over in the postgres docker which is MIT license. So I believe it is fair to copy.
Hi!
Would you please implement extra Docker environment variables called `*_FILE` or something in that fashion, and feed them `/run/secrets/immich_*`, at least for the database password and the jwt secret? Doing otherwise can be unsafe. Ideally, the database name and username can also be read as secrets.
The docker-compose.yml would look like (only included the relevant parts)
I don't know Dart and TypeScript, but some possible code to read them in bash and store the contents in variables is:
Hopefully this helps