fbpx
Skip to content
Home » Blog » infosec » Authentication » Docker and Doppler

Docker and Doppler

Picture of shipping containers

Introduction

This article is built upon the article on secrets management. I am assuming you either have read it and followed along or you are very familiar with what Doppler is, what the benefits are and how it works. If those assumptions don’t hold true for you, you might want to read the article on secrets management before continuing.

To be explicit I make the following assumption about you, dear reader, as I write this article:

  • You have a Doppler account and are comfortable working with everything covered in the article on secrets management
  • You have Doppler CLI installed and logged into your Doppler account, as per the article on secrets management
  • You have docker installed, if not go to https://www.docker.com/products/docker-desktop/ and fix that
  • You are comfortable working in command prompt, aka terminal, of your chosen operating system
  • Comfortable downloading or cloning GitHub projects

My latest project has been to get more comfortable with Docker, how it works, how to set it up, etc. So I started going through the Docker 101 Getting started course that pops up automatically when you install Docker Desktop for Windows. If you are on a different operating system where the installation of docker doesn’t force this tutorial in your face, just run this command:

docker run -d -p 80:80 docker/getting-started

Some Linux distros might require this command to be run as root or sudo. When I do this on my Ubuntu VM, I have to run it as sudo. If you are new to Docker, as I am, I highly recommend you work through all the exercises in this free training. Once the command completes running you just open a browser to http://localhost/ to access the training.

When I was going through the module on Docker Compose it struck me that having all those secrets in the yml file was not the best way to go from a security perspective. As you recall from the article on secrets management, Doppler integrates with whole bunch of systems, so I figured this was a perfect way to learn how to fix this insecurity by integrating my Doppler account into my Docker project. Turns out it is actually very simple. There are actually a bunch of different approach provided in the Doppler documentation, some that look very intimidating, so at first it looked daunting but I found the simplest option and I’ll walk you through that here. All I had to do though was just tweak the compose yml file a little.

Walk through

To follow along with what I did, follow these steps:

  1. Clone my GitHub project at https://github.com/siggib007/app.git to your local machine.
  2. From that project directory import a new project into your doppler account:
    1. doppler import
  3. Tie your local project to the Doppler project you just imported
    1. doppler setup -p docker101 -c dev
  4. For optimal security you might want to set a new database root user password, but since this is just a plaything it isn’t that critical but a good practice either way. The password I have in there is pretty strong though, but it is public so no longer a secret.
    1. doppler secrets set MYSQL_ROOT_PASSWORD [NewSuperStrongAndLongPrivatePassword]
  5. Then simply start the project
    1. doppler run -- docker-compose up -d

As far as the changes I did. Here is what the yml file looks like in the course:

version: "3.8"

services:
  app:
    image: node:12-alpine
    command: sh -c "yarn install && yarn run dev"
    ports:
      - 3000:3000
    working_dir: /app
    volumes:
      - ./:/app
    environment:
      MYSQL_HOST: mysql
      MYSQL_USER: root
      MYSQL_PASSWORD: secret
      MYSQL_DB: todos

  mysql:
    image: mysql:5.7
    volumes:
      - todo-mysql-data:/var/lib/mysql
    environment: 
      MYSQL_ROOT_PASSWORD: secret
      MYSQL_DATABASE: todos

volumes:
  todo-mysql-data:

Here is what it looks like after my changes:

version: "3.8"

services:
  app:
    image: node:12-alpine
    command: sh -c "yarn install && yarn run dev"
    ports:
      - 3000:3000
    working_dir: /app
    volumes:
      - ./:/app
    environment:
      - MYSQL_HOST
      - MYSQL_USER
      - MYSQL_PASSWORD
      - MYSQL_DB
  mysql:
    image: mysql:5.7
    ports:
      - 33060:3306
    volumes:
      - todo-mysql-data:/var/lib/mysql
    environment: 
      - MYSQL_ROOT_PASSWORD
      - MYSQL_DATABASE

volumes:
  todo-mysql-data:

All I did was take the value out of the environment lines and then turn the lines into a proper yml list. So for example take “MYSQL_HOST: mysql” and turn it into “- MYSQL_HOST

Then all that was needed was call the composer with the doppler run command.

doppler run -- docker-compose up -d

As always feel free to reach out if there are any questions, comments, etc., and I’ll get back to you as soon as I can.

Tags: