Docker secrets not loading #479

Closed
nblazincic opened this issue Apr 9, 2021 · 5 comments
@nblazincic

Docker image 3.8.14-management-alpine is not loading the default user/password via the RABBITMQ_DEFAULT_USER_FILE or PASS variable pointing to Docker secrets (i.e., /run/secrets/rmq_username).

Rolling back to the 3.8.5 image works.

@nblazincic
Author

nblazincic commented Apr 9, 2021

Just to update, after upgrading to 3.8.14 no issues. I guess this is a problem only with initial user creation.
Some environment specifics (didn't have time to write this down before).
Docker version 20.10.5, build 55c4c88
docker-compose version 1.29.0, build 07737305

Docker-compose file example:

version: '3.8'
x-common-variables:
  &common-variables
   RABBITMQ_DEFAULT_USER_FILE: "/run/secrets/rmq_username"
   RABBITMQ_DEFAULT_PASS_FILE: "/run/secrets/rmq_password"
services:
  rmqnode01:
    image: imagename
    user: "999:999"
    hostname: rmqnode01
    deploy:
      restart_policy:
        condition: on-failure
        delay: 10s
    environment:
      *common-variables
    secrets:
      - rmq_username
      - rmq_password
      - source: rmq_cookie
        target: /var/lib/rabbitmq/.erlang.cookie
        uid: "999"
        gid: "999"
        mode: 0600
    volumes:
      - /data/rmq/data:/var/lib/rabbitmq
secrets:
  rmq_username:
    external: true
  rmq_password:
    external: true
  rmq_cookie:
    external: true
networks:
  default:
    name: some-network
    external: true

Also posted on rabbitmq/rabbitmq-server#2963

@michaelklishin
Collaborator

I doubt any time will be spent on this given that heavy env variable use in this image is going away: #440, #424.

@nblazincic
Author

So if the plan is to configure initial users via config files, that would mean (in Docker Swarm and my example here) creating a Docker secret containing the complete config file itself, with the initial password in it.

@michaelklishin
Collaborator

Instead of using environment variables (that end up in rabbitmq.conf), you have three options:

  • Use rabbitmq.conf of your own, and specify default_user and default_password in it
  • Use advanced.config and value encryption
  • Import a pre-created definition file on boot (which contains a password + salt hash)

You can store the entire rabbitmq.conf contents in a secret but that does not seem to be necessary: you don't have to rely on plain text values with the above options. I don't see why it would not work with a custom image based on this one, though.
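An added example of the third option above, not code from this thread or from the image: it builds a definitions file whose user entry holds a salted SHA-256 hash (RabbitMQ's documented `rabbit_password_hashing_sha256` scheme) instead of the plain-text password. The secret paths are the ones from the compose file in this issue; the helper names, the administrator tag and the default-vhost permissions are assumptions.

```python
import base64, hashlib, hmac, json, os

ALGO = "rabbit_password_hashing_sha256"

def hash_password(password, salt=None):
    """base64(salt + SHA-256(salt + utf8(password))) with a 32-bit salt."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("RabbitMQ expects a 4-byte salt")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")

def verify_password(password, password_hash):
    """Re-hash with the salt stored in the first 4 bytes and compare."""
    salt = base64.b64decode(password_hash)[:4]
    return hmac.compare_digest(hash_password(password, salt), password_hash)

def read_secret(path):
    """Read a Docker secret, dropping the trailing newline `echo` tends to add."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\r\n")

def build_definitions(user, password):
    """Minimal definitions document: one admin user on the default vhost."""
    return {
        "users": [{
            "name": user,
            "password_hash": hash_password(password),
            "hashing_algorithm": ALGO,
            "tags": "administrator",  # assumption: the initial user is an admin
        }],
        "vhosts": [{"name": "/"}],
        "permissions": [{
            "user": user, "vhost": "/",
            "configure": ".*", "write": ".*", "read": ".*",
        }],
    }

if __name__ == "__main__":
    # Secret paths as used in the compose file from this issue.
    user = read_secret("/run/secrets/rmq_username")
    password = read_secret("/run/secrets/rmq_password")
    print(json.dumps(build_definitions(user, password), indent=2))
```

The resulting JSON can be stored as its own secret or baked into a custom image and loaded on boot with `load_definitions` in rabbitmq.conf. The 4-byte salt and single SHA-256 round slow offline guessing very little, so the file still deserves restrictive permissions.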

@nblazincic
Author

Tnx for your input.
