flame: [BUG] Environment variable `PASSWORD_FILE` isn't considered
Deployment details:
- App version [e.g. v1.7.4]: 2.2.0
- Platform [e.g. amd64, arm64, arm/v7]: amd64
- Docker image tag [e.g. latest, multiarch]: 2.2.0
Bug description:
Environment variable PASSWORD_FILE isn’t considered. Instead it looks like /run/secrets is scanned and contents are mapped to env variables.
Steps to reproduce:
- Set `PASSWORD_FILE` env variable e.g. to `/run/secrets/flame-password` (contains “averysecretpassword”)
- Bring the container up
- Observe the logs and see that `FLAME-PASSWORD` instead of `PASSWORD` gets set
- Try to login with “averysecretpassword”
- Login fails
Expected behaviour would be that PASSWORD gets set to the contents of the file referenced in PASSWORD_FILE. No matter where PASSWORD_FILE points to.
About this issue
- State: open
- Created 2 years ago
- Comments: 16 (1 by maintainers)
Oh okay. This is a little inconvenient. I have currently 14 secrets of which 8 are passwords. If I would have another docker needing it to be password as well, I would have a problem.
I am used to, that you can just name the file whatever you want. If that is not possible here, could the variable then at least be called “flame_password”?
@pawelmalak if you comment out this line https://github.com/pawelmalak/flame/blob/3c347c854c4c55456785ff026a703422d8f02f62/.docker/Dockerfile#L28C1-L28C1 both options will work as expected; otherwise the environment variable PASSWORD already defined in your image has priority and the secret will never work. Except if you override the code like they have done above, but it’s easier to remove just that line.
I fixed the patch command above, with -l it will apply the patch even if the newline doesn’t match.
The issue appears because flame’s code has been written on a Windows system (CRLF) and never converted to UNIX style (LF), so depending on the system used to copy my file above the patch will work or not. The -l option tells patch to ignore whitespace (including newlines).
For those who stumble upon the same issue, I’ve written a quick and dirty patch for this.
Relevant sections of my flame service in docker-compose.yml:
And my /root/flame-patches/password_secret.patch:
This lets you use any secret name, like flame_password in my example, to be provided through the PASSWORD_SECRET environment variable.
This patching technique will avoid having to maintain your own image, until the patch breaks and needs to be adapted to new code.
I second this, I would greatly appreciate it if you could make the change
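The `*_FILE` resolution the issue asks for, next to a model of the directory scan it reports, as an added example that is not flame's code or any commenter's patch. The function names, the `image_default` placeholder and the rule that the file overrides a `PASSWORD` already present in the environment are assumptions.

```javascript
// Added example, not flame's code. Function names and the override rule are assumptions.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Model of the behaviour reported in the issue: every file in the secrets
// directory becomes a variable named after the file, upper-cased.
function scanSecretsDir(dir, env) {
  const out = { ...env };
  for (const name of fs.readdirSync(dir)) {
    out[name.toUpperCase()] = fs.readFileSync(path.join(dir, name), 'utf8').trim();
  }
  return out;
}

// The *_FILE convention the reporter expects: for each NAME_FILE variable, read
// the file it points to (wherever it lives) and set NAME to its contents.
function resolveFileVars(env) {
  const out = { ...env };
  for (const [key, file] of Object.entries(env)) {
    if (!key.endsWith('_FILE') || key === '_FILE') continue;
    // Strip only the single trailing newline that editors and `echo` add.
    const value = fs.readFileSync(file, 'utf8').replace(/\r?\n$/, '');
    if (value === '') throw new Error(`${key} points to an empty file: ${file}`);
    out[key.slice(0, -'_FILE'.length)] = value; // assumption: file beats a baked-in default
  }
  return out;
}

// Constructed sample: a secret named as in the report, stored outside /run/secrets.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'secrets-'));
  const file = path.join(dir, 'flame-password');
  fs.writeFileSync(file, 'averysecretpassword\n', { mode: 0o600 });
  const env = { PASSWORD: 'image_default', PASSWORD_FILE: file }; // placeholder default
  const result = { scanned: scanSecretsDir(dir, env), resolved: resolveFileVars(env) };
  fs.rmSync(dir, { recursive: true });
  return result;
}

const { scanned, resolved } = demo();
console.log('scan sets:', Object.keys(scanned).join(', '), '| PASSWORD replaced:', scanned.PASSWORD !== 'image_default');
console.log('resolve sets PASSWORD from file:', resolved.PASSWORD === 'averysecretpassword');
```

With the scan model the login password stays at the image default and the secret lands in `FLAME-PASSWORD`, which matches the failed login in the report; with `*_FILE` resolution the secret file name no longer matters.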