Docker env variables for SMTP and DUO or not?

I have a working docker ‘latest-ce-non-root’ installation but I am confused as to the recommended practice of using docker environment variables, specifically for SMTP and DUO.

Up until getting DUO mfa working I have been using docker environments exclusively but noted the healthcheck report advising not to (for SMTP).

I then moved to implementing DUO following the instructions, passing the salt, key, secret and host credentials again via variables, and this doesn’t work. I can see the variables are inside the container but the app shows DUO as disabled, and when I enable it via the GUI I have to add in the same credentials. From here DUO works as expected, so my takeaway is that either DUO via variables is broken/the setup guide is incomplete/PBKC.

Add the healthcheck report ref SMTP to the above DUO experience and I arrived at my query.

Hi @KillerKelvUK Welcome to the forum!

When using Docker the recommendation (and expectation) is to use environment variables. The healthcheck’s reference to smtp is a more recent change which is meant to alert that the settings for smtp are being handled by the db versus environment variables. As they are in the db, they are more secure. But the alert may be causing unnecessary concern.

You are saying that using Docker environment variables for this does not work, correct?

Thanks for the welcome @garrett!

I do think the healthcheck language is a little misleading but thank you for confirming I can ignore it.

And yes, setting DUO up via docker environment variables isn’t working, but manually checking shows they are inside the container with correct values. Checking the logged-in user's profile page, it reports MFA as not possible as it's not configured on the server. Moving into the administration section, DUO is showing as disabled; enabling it reveals the configuration input text fields, which all have the default values shown and not what I passed into the container via docker. If I then put in the configuration and save it, I can proceed to set up DUO for mfa against the logged-in user, which works.

I think this is how it is intended to work. Environment variables provide the credentials to passbolt. Admin has to enable it for passbolt app. User has to enable it for use.

However, the ability to configure things internally instead of using environment variables - this is somewhat new. I would need someone else to confirm whether the environment variables are still expected to work.

The help site does still say that any credentials in the admin configuration will override environment variables if there are multiple providers in the admin configuration - do you have only DUO or another method as well?

I think this is how it is intended to work. Environment variables provide the credentials to passbolt. Admin has to enable it for passbolt app. User has to enable it for use.

My expectation from the guide was the same except for the admin enabling it; given there is no ev I can find to toggle the option, I expected it to default to enabled with the presence of the other ev configuration values.

The help site does still say that any credentials in the admin configuration will override environment variables if there are multiple providers in the admin configuration - do you have only DUO or another method as well?

Only DUO configured for mfa, I tend to configure and test discrete items of functionality in series so as not to get myself lost in issues and debug line output.

Found the issue, there is an undocumented environment variable needed to enable DUO called ‘PASSBOLT_PLUGINS_MFA_PROVIDERS_DUO’ which needs setting to true. When passed to the container the GUI admin section then shows DUO as enabled and the other DUO variables passed in are shown/obfuscated as expected.


Have raised a GitHub issue for this here.