Allow the user to use docker secrets to inform chevereto of the db userpass, in addition to existing envvar option.

Wolfspyre

Chevereto Member
Pro
Describe your feature request

Provide a mechanism to configure the database userpassword from a docker secret

Currently, the prescribed mechanism to convey the database user credentials to containerized chevereto is via a docker envvar.

While this works well enough, as MySQL supports the pattern of:
Code:
export MYSQL_ROOT_PASSWORD=hunter2
export MYSQL_PASSWORD=I.HEART.PANDAS

MySQL ALSO supports the pattern of:

Code:
echo 'hunter2' > /etc/s3kr3t/mysql_root_password_totally_secure_n_stuff_k
echo 'I.HEART.PANDAS' > /etc/s3kr3t/mysql_user_password_dont_look_here_plz
export "MYSQL_ROOT_PASSWORD_FILE=/etc/s3kr3t/mysql_root_password_totally_secure_n_stuff_k"
export "MYSQL_PASSWORD_FILE=/etc/s3kr3t/mysql_user_password_dont_look_here_plz"

Now, clearly, not much can be said about the kwality of these passwords except perhaps for their comedic value, but there is a legitimate security improvement in not exposing the cred via envvars.

Not only does this allow one to avoid potentially littering a running environment with creds in shell memory, it also allows the credential plumbing mechanics to be declared in the composefile without the credentials.

Essentially, I'm requesting the ability to use EITHER the envvar CHEVERETO_DB_PASS OR, if set, prefer to consume the db pass from CHEVERETO_DB_PASS_FILE ... or some other mechanism which is compatible with docker secrets.

(You could, for example, check to see if the default filepath /run/secrets/whatever_secret_file_name_is_the_most_intuitive exists, and contains a db cred.)

It's not quite clear to me how the credential ultimately gets populated into app/src/Config/DatabaseConfig.php, so I'm a smidge reticent to just overwrite that file with a pre-populated one, not to mention the fact that this wouldn't REALLY be all THAT much better, from an administrative perspective.


Where did you see this?

Docker compose docs on secrets

it's not quite clear to me how the credential ultimately gets populated

Chevereto merges ENV (system) > env.php (user land file) > env-default.php (app defaults). It builds a new env variable sourcing all env sources.

On database connection it does this: https://github.com/chevereto/chever...912b6015b3f9df1a7/app/src/Legacy/G/DB.php#L56

As you may notice, it may need an extra step to read the password from a file and assign it to something the PDO connect command can understand.
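
An added example, not part of either post and not Chevereto's code: a POSIX shell helper for a container entrypoint wrapper that applies the precedence requested above, preferring `CHEVERETO_DB_PASS_FILE` (the name proposed in the request, assumed here) and falling back to `CHEVERETO_DB_PASS`. The function names `resolve_secret` and `load_db_pass` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not Chevereto code).
# CHEVERETO_DB_PASS_FILE is the name proposed in the request, assumed here.

# resolve_secret NAME: print the secret for NAME on stdout.
# Returns 1 if NAME_FILE is set but unusable, 2 if no source is set.
resolve_secret() {
    name=$1    # fixed by the caller, never user input, so eval is safe
    eval "file=\${${name}_FILE:-}"
    eval "value=\${${name}:-}"

    if [ -n "$file" ]; then
        # A configured but unusable secret file is a hard error: falling
        # back to the env var would hide a broken secret mount.
        if [ ! -f "$file" ] || [ ! -r "$file" ]; then
            echo "error: ${name}_FILE=$file is not a readable file" >&2
            return 1
        fi
        # $(...) strips the trailing newline left by `echo pw > file`.
        value=$(cat "$file")
        if [ -z "$value" ]; then
            echo "error: ${name}_FILE=$file is empty" >&2
            return 1
        fi
    elif [ -z "$value" ]; then
        echo "error: neither ${name} nor ${name}_FILE is set" >&2
        return 2
    fi
    printf '%s' "$value"
}

# load_db_pass: export CHEVERETO_DB_PASS from whichever source is set and
# drop the *_FILE pointer so the application sees a single variable.
load_db_pass() {
    pass=$(resolve_secret CHEVERETO_DB_PASS) || return $?
    export CHEVERETO_DB_PASS="$pass"
    unset CHEVERETO_DB_PASS_FILE
}

# In an entrypoint wrapper: load_db_pass && exec "$@"
```

Because the wrapper exports the value at run time, the password still ends up in the application process's environment, but it no longer appears in the compose file or in the container's configured environment.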
 