Question

I'm new to Docker and want to deploy a flask+gunicorn project. So far, I've got the following Dockerfile.

# Get official base image
FROM python:3.7-slim-buster

# Setting my working directory
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

# Setting my environment variables
ENV REDIS_HOST [...omit here...]
ENV REDIS_PORT [...omit here...]
ENV REDIS_DB_WHITELIST [...omit here...]
ENV MYSQL_HOST [...omit here...]
ENV MYSQL_PORT [...omit here...]
ENV MYSQL_DB_DUMMY [...omit here...]

# Copy project for later
COPY . /usr/src/app/

# Install dependencies
RUN pip install --upgrade pip
RUN pip install -r requirements.txt
RUN pip install gunicorn

EXPOSE 5000

RUN chmod +x ./entrypoint.sh
ENTRYPOINT ["sh", "entrypoint.sh"]

My docker-compose.yml has the following:

version: "3.9"

secrets:
  FLASK_SECRET_KEY:
    external: true
  MYSQL_USER:
    external: true
  MYSQL_PASSWORD:
    external: true

services:
  web:
    image: flask-app:v0.1.0
    environment:
      FLASK_SECRET_KEY_FILE: /run/secrets/FLASK_SECRET_KEY
      MYSQL_USER_FILE: /run/secrets/MYSQL_USER
      MYSQL_PASSWORD_FILE: /run/secrets/MYSQL_PASSWORD
    ports:
      - "5000:5000"
    secrets:
      - FLASK_SECRET_KEY
      - MYSQL_USER
      - MYSQL_PASSWORD

After doing some research, it appears that using the docker stack deploy —compose-file=docker-compose.yml flask-app command is the only way to get docker secrets. Obviously, I have three sensitive data to store in Docker secrets: FLASK SECRET KEY, MYSQL USER, and MYSQL PASSWORD. It turns out that the programme is failing to execute, and I'm guessing that mysql user = os.environ['MYSQL USER'] etc. in the python script is failing to access the environment variable.

I'm not sure how to get sensitive info from Docker secrets via Dockerfile or docker-compose.yml, and I'd appreciate it if someone could correct me if I'm incorrect.

Answer 1

Using python-dotenv, I was able to gain access to sensitive info from docker secret. Here's a snippet from my config.py module at the project level.

import os
from dotenv import load_dotenv

dotenv_path = os.path.join(os.path.dirname(__file__), '.env')
if os.path.exists(dotenv_path):
    load_dotenv(dotenv_path=dotenv_path)


def manage_sensitive(name):
    v1 = os.getenv(name)
    
    secret_fpath = f'/run/secrets/{name}'
    existence = os.path.exists(secret_fpath)
    
    if v1 is not None:
        return v1
    
    if existence:
        v2 = open(secret_fpath).read().rstrip('\n')
        return v2
    
    if all([v1 is None, not existence]):
        return KeyError(f'{name}')


class ConfigRabbitMQ:
    AMQP_USER = manage_sensitive(name='amqp_user')
    AMQP_PASSWORD = manage_sensitive(name='amqp_password')
    
    AMQP_HOST = manage_sensitive(name='amqp_host')
    AMQP_PORT = manage_sensitive(name='amqp_port')

So this config.py module has a.env file in the same directory as it. Because it is standard practise to list.env in a.dockerignore file, this module can access sensitive data from Docker secrets and.env files. As an example, docker-compose.yml looks like this.

version: "3.9"

services:
  web:
    ...
    secrets:
      - amqp_user
      - amqp_password
    ...

secrets:
  amqp_user:
    external: true
  amqp_password:
    external: true