Container: Password file as source of the mongodb password #380

Open
Andy-Voigt opened this issue Nov 12, 2021 · 8 comments

Comments

@Andy-Voigt

Hello,

It would be really helpful if the Docker container could read a password file as the source of the MongoDB password.

@denisok
Contributor

denisok commented Nov 17, 2021

Hi @Andy-Voigt,
Thanks for the idea. Could you please help me understand what format that password file should be? Keyfile? Some specific format? Or just whatever?
Thanks,
Denys

@Andy-Voigt
Author

Andy-Voigt commented Nov 17, 2021

Hello @denisok,

Docker mounts secrets (passwords) under /tmp/SECRET_NAME as a plain text file. This is done to keep the environment variables free from passwords. If we cannot use this mechanism, we have to write the MongoDB password to our compose file.

Is there another way to keep the Docker compose file free of passwords?

@johi12

johi12 commented Nov 19, 2021

@Andy-Voigt One way you can solve this is to do it as it's done in the Grafana Docker image: they have a shell script as an entrypoint, and that script contains this: https://github.com/grafana/grafana/blob/f5641c0293e5c2218b1e2506e433df51390ff63f/packaging/docker/run.sh#L49-L63

Then you can pass the path to the secret as an environment variable.

@Andy-Voigt
Author

Thanks for your reply. That's pretty close to what we have done today. We "fork" the original Docker image and copy the mongodb_exporter to an Ubuntu image. With that we create a bash script that fetches a config file from our Spring config server and greps out the URL, password and username for MongoDB. Now we can run that "sidecar" as a normal service in our swarm.

But it would be much simpler if we could use a Docker secret.

@denisok
Copy link
Contributor

denisok commented Nov 23, 2021

OK, now I got it.
https://docs.docker.com/engine/swarm/secrets/
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/

It makes sense now to add both env and read-from-file options to mongodb_exporter so it can pick up secrets, and maybe also config, from a file or from the env vars.

denisok changed the title from "Docker: Password file as source of the mongodb password" to "Container: Password file as source of the mongodb password" on Nov 23, 2021

@23pointsNorth

23pointsNorth commented Feb 9, 2022

I want to add a bit more clarification around this issue as I find it a useful method to support the authentication process. For mongo, one can start it like:

```yaml
# inside docker_compose.yml
version: '3.8'

services:
  mongo:
    image: mongo:latest
    restart: always
    ports:
      - 27017:27017
    environment:
      MONGO_INITDB_DATABASE: admin
      MONGO_INITDB_ROOT_USERNAME_FILE: /run/secrets/mongodb_root_username # secrets are stored in /run/secrets/ by default
      MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongodb_root_password
    secrets:
      - mongodb_root_username
      - mongodb_root_password

# here define the secrets either with environmental variables or files
secrets:
  mongodb_root_username:
    file: secrets/mongodb_root_username
  mongodb_root_password:
    file: secrets/mongodb_root_password
```

It would be similarly useful to allow passing the environment variables MONGODB_USER, MONGODB_USER_FILE, MONGODB_PASS and MONGODB_PASS_FILE to the container, in order to allow similar connection strategies to the standard MongoDB container.
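
Added example, not part of the thread and not mongodb_exporter's own code: a minimal entrypoint wrapper implementing the `*_FILE` convention discussed above, for use until the exporter reads secret files itself. It assumes the exporter picks up `MONGODB_USER` and `MONGODB_PASS` from its environment (the names proposed in this thread); the function names `resolve_file_env` and `start_exporter` are hypothetical.

```shell
#!/bin/sh
# Added example: resolve NAME_FILE into NAME before starting the exporter.
# Assumption: the exporter reads MONGODB_USER / MONGODB_PASS from its environment.

# resolve_file_env NAME
#   If NAME_FILE is set, export NAME with the file's content.
#   Fails when both NAME and NAME_FILE are set, or when the file is unreadable,
#   so a misconfigured secret stops the container instead of starting it
#   without credentials. NAME must be a fixed name chosen by the script author
#   (it is passed to eval), never untrusted input.
resolve_file_env() {
    var="$1"
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "path=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$path" ]; then
        echo "error: both $var and $file_var are set; use only one" >&2
        return 1
    fi
    if [ -n "$path" ]; then
        if [ ! -r "$path" ]; then
            echo "error: $file_var points to unreadable file $path" >&2
            return 1
        fi
        # $(...) strips the trailing newline most secret files end with
        val="$(cat "$path")"
        export "$var=$val"
    fi
    # Do not pass the file path on to the child, and drop the temporaries
    unset "$file_var" val path
}

# Resolve both credentials, then replace the shell with the real command.
start_exporter() {
    resolve_file_env MONGODB_USER || return 1
    resolve_file_env MONGODB_PASS || return 1
    exec "$@"
}

# As an ENTRYPOINT: run only when a command (the exporter binary) was passed.
if [ "$#" -gt 0 ]; then
    start_exporter "$@"
fi
```

With this wrapper the password stays out of the compose file and out of the container configuration shown by `docker inspect`, but it is still present in the exporter process's environment at runtime; only native file support in the exporter would avoid that.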

@denisok
Contributor

denisok commented Sep 14, 2022

user and pass are in #560. FILEs are still missing.

@gthieleb

Is there any news on that? Would it be possible to address multiple db instances using a single secret?
