Support docker secrets.

[luissalgadofreire]

Please provide support for docker secrets as in Build support for Docker Secrets into your images
.

Brief description from the relevant docker page below:

If you develop a container that can be deployed as a service and requires sensitive data, such as a credential, as an environment variable, consider adapting your image to take advantage of Docker secrets. One way to do this is to ensure that each parameter you pass to the image when creating the container can also be read from a file.

Many of the official images in the Docker library, such as the wordpress image used in the above examples, have been updated in this way.

When you start a WordPress container, you provide it with the parameters it needs by setting them as environment variables. The WordPress image has been updated so that the environment variables which contain important data for WordPress, such as WORDPRESS_DB_PASSWORD, also have variants which can read their values from a file (WORDPRESS_DB_PASSWORD_FILE). This strategy ensures that backward compatibility is preserved, while allowing your container to read the information from a Docker-managed secret instead of being passed directly.

[vovimayhem]

By gazing through the entrypoint, it looks like we only need to deal with RABBITMQ_DEFAULT_PASS env var - SSL certs are just paths to files, so docker secrets can be used here without changes.

Give me some minutes :)

[luissalgadofreire]

Great news!

Would it be too much to suggest including RABBITMQ_DEFAULT_USER_FILE as well, as providing support for the full credential pair? The image for Postgres, for instance, does that, among others I have been using.

Thanks for the reply.

[vovimayhem]

I was avoiding that for no good reason - I thought the username was not sensitive enough to make it to the docker secret vault.

But it's fair enough to include that one on the list.

[matthias-kloeckner]

really looking forward for this change. this will solve several problems for us. is anything blocking the PR?

[luissalgadofreire]

Thanks for the changes. I appreciate it.

[tianon]

Closing given that #143 merged. 👍

[gkirill]

I wonder if there is an example somewhere on how this could be done. You know, "show me the code". Thanks a lot (if not, I'll figure out and post here)!

[vovimayhem]

@gkirill Since by "secrets" we're referring to a deployment to a Docker Swarm cluster, here it is a deployment docker compose file example I use on an actual project:

version: '3.1'

volumes:
  # TODO: AS the Docker team helps regarding the file ownership on files created inside a
  # cloudstor:azure volume... only the we can use the cloudstor:azure driver...
  data:

networks:
  network: # This will actually create the 'app_mq_network' in the swarm cluster

secrets:
  app_rabbitmq_pass:
    external: true

services:
  rabbitmq:
    image: rabbitmq:3.6-alpine
    volumes:
      - data:/var/lib/rabbitmq
    ports:
      - 5672:5672
    networks:
      - network
    environment:
      RABBITMQ_DEFAULT_USER: app
      RABBITMQ_DEFAULT_PASS_FILE: /run/secrets/app_rabbitmq_pass
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
          - node.labels.queue-host == true
    secrets:
      - app_rabbitmq_pass

This stack is deployed like this:

# Create the password for production environment:
echo "$(pwgen -n 16 1)" | docker secret create app_rabbitmq_pass -

# Deploy the AMQP service on the production environment:
docker stack deploy --compose-file stack.yml app_mq

[birnbuazn]

WARNING: As of RabbitMQ 3.9, all of the docker-specific variables listed below are deprecated and no longer used.

Unavailable in 3.9 and up

RABBITMQ_DEFAULT_PASS_FILE
RABBITMQ_DEFAULT_USER_FILE

Unfortunately, the current RabbitMQ docker image apparently doesn't support seeding the default user/password from a docker secret anymore. There seems to be an awkward workaround using the deprecated Erlang config file format, but why? :(

Could you please re-add that feature?

[lukebakken]

@birnbuazn that feature will not be re-added. Here is an example of a custom entrypoint that will add a user after RabbitMQ starts that could be modified to read from a secrets file:

https://github.com/lukebakken/stackoverflow-72318314-1466825/blob/main/Dockerfile
https://github.com/lukebakken/stackoverflow-72318314-1466825/blob/main/custom-docker-entrypoint.sh

[birnbuazn]

@birnbuazn that feature will not be re-added. Here is an example of a custom entrypoint that will add a user after RabbitMQ starts that could be modified to read from a secrets file:

So you are telling me we have to build our custom image just to pass in Docker secrets? Something I wanted to avoid....

[lukebakken]

Yes that's what I'm saying. I'm sure there was a discussion preceding the removal of those env vars, if you're wondering why.

[birnbuazn]

Right. I'm sure there was a discussion, but I couldn't find any traces of it neither on the mailing list nor here on Github. 🤷

Still beyond me, why such a feature - which is certainly useful for anyone using Docker Swarm - is just being killed.