
Support docker secrets #190

Open
DennisGaida opened this issue Mar 1, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@DennisGaida

Having secrets (i.e. passwords) in environment variables isn't best practice anymore. Docker secrets are not only supported in swarm mode, but also in docker-compose: https://docs.docker.com/engine/swarm/secrets/

Secrets are a way better strategy to manage sensitive environment variables such as OWNCLOUD_DB_PASSWORD. Other containers leverage the quasi standard of adding _FILE environment variables to hold the secret files (e.g. OWNCLOUD_DB_PASSWORD_FILE).

I would love native support for docker secrets (instead of using a custom entrypoint script, that converts my secrets).

@xoxys
Contributor

xoxys commented Mar 9, 2022

Thanks for your report. I'm not sure what you mean by native support. AFAIK, docker secrets will be mounted as files to /run/secrets/<secret_name> within the container. As the docker image has to work on other platforms like Kubernetes and OpenShift as well, we would need a way that works in all cases. Ideas like scripts to substitute placeholder values with the content from the secret files look more like a hack to me.

The only way I could think of is the way you described already: providing _FILE variables that can be set to /run/secrets/<secret_name> or whatever bind-mounted secret file managed by any other external vault solution.

Happy to discuss other ideas on how this could look.

@DennisGaida
Author

Just to clarify, with "native support" I mean I would love for this to be done in ownCloud. Right now I am using a custom entrypoint script to just convert <name>_FILE to the actual environment variable. And I agree with you that this feels hacky, hence this issue and a call for "native" support.
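The `_FILE` convention both comments describe, written out as an added example entrypoint helper (not code from the ownCloud image or this project). `OWNCLOUD_DB_PASSWORD` and the `/run/secrets/<secret_name>` path come from the thread; the function name `file_env` and the conflict check are assumptions of this example.

```sh
#!/bin/sh
# Resolve a secret via the *_FILE convention discussed in this issue.
# For a variable NAME, if NAME_FILE is set (typically /run/secrets/<secret_name>
# under Docker, or any bind-mounted file from an external vault), read the
# secret into NAME. Refuse if both NAME and NAME_FILE are set, so a leftover
# plaintext value can never silently override the file.
# NAME must be a literal chosen by the script author, never user input,
# because it is expanded with eval.
file_env() {
    var="$1"
    file_var="${var}_FILE"
    # POSIX sh has no ${!var}; eval reads the two variables by name.
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var points to unreadable file $file" >&2
            return 1
        fi
        # Command substitution drops trailing newlines that editors and
        # `docker secret create` from stdin commonly leave behind.
        val=$(cat "$file")
        export "$var=$val"
        # Drop the path so the application does not inherit it as well.
        unset "$file_var"
    fi
}

# Entrypoint usage: resolve every secret-bearing variable, then exec the app.
# file_env OWNCLOUD_DB_PASSWORD
# file_env OWNCLOUD_ADMIN_PASSWORD
# exec "$@"
```

The secret itself still ends up in the process environment of the application, so this only removes it from the compose file and `docker inspect` output, not from `/proc/<pid>/environ` inside the container.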

@xoxys
Contributor

xoxys commented Mar 9, 2022

Got it, thanks. Sounds reasonable 👍

@xoxys xoxys added the enhancement New feature or request label Mar 9, 2022
@ccaccb

ccaccb commented Nov 23, 2023

This is actually an important security-relevant enhancement. It would have prevented https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
