As a Docker Swarm administrator, I want to configure Passbolt with path to db password file to use Docker's built-in secrets store

Q1. What is the problem that you are trying to solve?
Briefly: I’d like to be able to configure Passbolt in Docker using an environment variable named DATASOURCES_DEFAULT_PASSWORD_FILE, which will contain the path to a file that contains the database password. The reason is that I’m deploying Passbolt in Docker Swarm, and Docker’s built-in “secrets” feature stores sensitive values in files, explicitly avoiding environment variables for security reasons.

This is an old feature request (2018), neatly summarized here: chown fails with Docker Secrets, can't start container · Issue #89 · passbolt/passbolt_docker · GitHub

It might be interesting to add, as an example, some env variables with the suffix “_FILE” for the cases where the data is sensitive and thus will be loaded as a secret. I can think now of use cases for this with database credentials and email credentials. Providing, for instance, a DATASOURCES_DEFAULT_PASSWORD_FILE that contains the path of the secret would solve the use cases of the major container services (swarm, k8s…)

and in the comment that follows:

Yes, actually, now that you mention it I think that’d be the best option. That’d be consistent with what some of the official images do (e.g. MySQL).

Q2 - Who is impacted?
In particular, anyone deploying Passbolt in Docker Swarm or Kubernetes. (perhaps others)

Q3 - Why is it important and/or urgent?
Docker Swarm and Kubernetes are extremely common/popular deployment settings for Docker containers.

Q4 - What is your proposed solution? (optional)
See above.

Q5. Community support
People can vote for this idea to show traction:
(Poll removed because Discourse says I’m not allowed to create polls)

Meta:

  1. It’s not ideal that I can only include two links as a new user. I tried to provide more links to make it easy to find related context, but I couldn’t.
  2. The new topic template here includes a poll, but new users can’t create polls. This is strange.

It seems that I was a bit off-base with repeating the reference to Kubernetes… the documentation indicates that secret values can be put into env vars: Secrets | Kubernetes

I’ve edited the topic title to refer only to Docker Swarm.

Hi @brettdh :wave: and welcome to the passbolt community forum :people_holding_hands:

I guess the environment variables for our docker image are not needed if you create a docker secret file based on the passbolt.default.php file and mount this secret in your container in /etc/passbolt/passbolt.php.

I will try and let you know.

Best,

Hi again,

So I just gave it a try and here is my docker-compose.yaml file, without any environment variables:

version: '3.7'
services:
  db:
    image: mariadb:10.7
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:3.5.0-ce
    restart: unless-stopped
    tty: true
    depends_on:
      - db
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./key.pem:/etc/ssl/certs/certificate.key:ro
      - ./passbolt.php:/etc/passbolt/passbolt.php:ro
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
      - 80:80
      - 443:443

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

The interesting part is the passbolt.php file mounted as a volume:

    volumes:
      (...)
      - ./passbolt.php:/etc/passbolt/passbolt.php:ro

Instead of a source file, you will have to define a secret, as explained here: Compose file version 3 reference | Docker Documentation

As a reference here is my sample passbolt.php file:

<?php
/**
 * Passbolt ~ Open source password manager for teams
 * Copyright (c) Passbolt SA (https://www.passbolt.com)
 *
 * Licensed under GNU Affero General Public License version 3 of the or any later version.
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
 * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
 * @link          https://www.passbolt.com Passbolt(tm)
 * @since         2.0.0
 */
return [

    'App' => [
        'fullBaseUrl' => 'https://passbolt.docker.jc',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'db',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'P4ssb0lt',
            'database' => 'passbolt',
        ],
    ],

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'localhost',
            'port' => 25,
            'username' => 'user',
            'password' => 'secret',
            // Is this a secure connection? true if yes, null if no.
            'tls' => null,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            'from' => ['passbolt@your_organization.com' => 'Passbolt'],
        ],
    ],
    'passbolt' => [
        'gpg' => [
            'serverKey' => [
                'fingerprint' => '7C9D88E63A85D1B677976C2609DB72B1BF932FA0',
            ],
        ],
    ],
];

Before starting the stack the first time, you don’t know what the passbolt server fingerprint is. You have to start the stack, and once it is up and running, jump into the passbolt container to retrieve the passbolt gpg server key fingerprint:

root@4e072ed88e0e:/usr/share/php/passbolt# gpg --show-keys /etc/passbolt/gpg/serverkey.asc
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
pub   rsa2048 2022-04-08 [SC]
      7C9D88E63A85D1B677976C2609DB72B1BF932FA0
uid                      Passbolt default user <passbolt@yourdomain.com>
sub   rsa2048 2022-04-08 [E]

Mine was 7C9D88E63A85D1B677976C2609DB72B1BF932FA0, so I edited the passbolt.php file to put the correct fingerprint.

Then I created the first admin user, as described in the doc:

docker-compose -f docker-compose-ce.yml exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
                                passbolt register_user \
                                -u john@doe.com \
                                -f yourname \
                                -l surname \
                                -r admin" -s /bin/sh www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here:
https://passbolt.docker.jc/setup/install/e1fc4233-237f-4808-a8df-d240f2fac689/aac97232-bd56-45a4-8edf-2314f3e1f047

Best,

@_jc thanks for looking into this. Storing the config file as a secret is an interesting idea; however, it has some significant drawbacks. Secrets are immutable, so it becomes very hard to then update non-sensitive configuration items in the file. I’m also concerned about repeatability - i.e. if I need to tear down the server and redeploy it elsewhere, or if I need to rotate the password, the process for generating the config file seems onerous.

For a workaround, I think overriding the entrypoint with a script that sets DATASOURCES_DEFAULT_PASSWORD (something like this) will be a simpler approach. Of course, having DATASOURCES_DEFAULT_PASSWORD_FILE would still be the ideal for use with docker secrets.
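The entrypoint wrapper sketched in the post above, written out as an added example (not code from this thread, from the passbolt/passbolt_docker image or from Passbolt): it implements the `_FILE` convention the quoted issue comment asks for, modelled on the `file_env` helper in the official MySQL image's entrypoint, so that `DATASOURCES_DEFAULT_PASSWORD_FILE=/run/secrets/db_password` is resolved into `DATASOURCES_DEFAULT_PASSWORD` before the image's own `/docker-entrypoint.sh` runs. The script name `passbolt-secrets-entrypoint.sh`, the secret name `db_password` and the variable name `EMAIL_TRANSPORT_DEFAULT_PASSWORD` are assumptions; the compose keys in the header comment are the documented Docker ones, and secrets are mounted by Docker under `/run/secrets/<name>`.

```shell
#!/bin/sh
# passbolt-secrets-entrypoint.sh (assumed name) -- added example, not part of the
# passbolt/passbolt_docker image. Resolves <VAR>_FILE into <VAR> before handing
# over to the image's own entrypoint, mirroring the file_env helper of the
# official MySQL image's entrypoint that the thread refers to.
#
# Expected wiring in the compose/stack file (Docker's documented keys):
#   services.passbolt.secrets:      [db_password]
#   services.passbolt.environment:  DATASOURCES_DEFAULT_PASSWORD_FILE=/run/secrets/db_password
#   services.passbolt.volumes:      ./passbolt-secrets-entrypoint.sh:/passbolt-secrets-entrypoint.sh:ro
#   services.passbolt.command:      ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--",
#                                    "/passbolt-secrets-entrypoint.sh", "/docker-entrypoint.sh"]
#   secrets.db_password:            external: true   (Swarm; "file: ./db_password.txt" for plain compose)

# file_env VAR [DEFAULT]
# Export VAR from the file named by VAR_FILE (trailing newlines stripped, since a
# secret created with `echo ... | docker secret create` ends in one). VAR and
# VAR_FILE set together is a configuration error and is refused rather than
# silently preferring one of them.
file_env() {
    _fe_var="$1"
    _fe_default="${2:-}"
    # Only a plain identifier may reach the eval below.
    case "$_fe_var" in
        ""|*[!A-Za-z0-9_]*|[0-9]*)
            echo "file_env: invalid variable name '$_fe_var'" >&2
            return 1 ;;
    esac
    _fe_file_var="${_fe_var}_FILE"
    eval "_fe_val=\${$_fe_var:-}"
    eval "_fe_file=\${$_fe_file_var:-}"
    if [ -n "$_fe_val" ] && [ -n "$_fe_file" ]; then
        echo "file_env: both $_fe_var and $_fe_file_var are set (they are mutually exclusive)" >&2
        return 1
    fi
    if [ -n "$_fe_file" ]; then
        if [ ! -r "$_fe_file" ]; then
            echo "file_env: $_fe_file_var points to an unreadable file: $_fe_file" >&2
            return 1
        fi
        _fe_val="$(cat "$_fe_file")"
    elif [ -z "$_fe_val" ]; then
        _fe_val="$_fe_default"
    fi
    export "$_fe_var=$_fe_val"
    # Drop the path variable so the real entrypoint only sees the resolved value.
    unset "$_fe_file_var"
    unset _fe_var _fe_default _fe_file_var _fe_val _fe_file
}

# The two credentials the thread calls out. EMAIL_TRANSPORT_DEFAULT_PASSWORD is the
# assumed name of the image's SMTP password variable.
resolve_passbolt_secrets() {
    file_env DATASOURCES_DEFAULT_PASSWORD &&
        file_env EMAIL_TRANSPORT_DEFAULT_PASSWORD
}

main() {
    set -eu
    [ "$#" -gt 0 ] || { echo "usage: $0 <entrypoint> [args...]" >&2; exit 2; }
    resolve_passbolt_secrets
    # Replace this shell with the real entrypoint so signals reach it directly.
    exec "$@"
}

# Act as the entrypoint only when executed under the wrapper's own file name;
# sourcing it, or running it under another name, just defines the functions.
case "${0##*/}" in
    passbolt-secrets-entrypoint.sh) main "$@" ;;
esac
```

One caveat worth keeping in mind: the password still ends up in the environment of the Passbolt process (readable from /proc by anything running as the same user inside the container), which is exactly what Docker secrets are designed to avoid; what the wrapper buys is that the value no longer appears in the compose file, the service definition or `docker service inspect` output, and rotation becomes `docker secret create` of a new secret plus a `docker service update --secret-rm/--secret-add` rather than regenerating a whole passbolt.php.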

Yes, my proposal was just a work-around. :slight_smile: I will submit your suggestion to our SRE team.

Best,