Is it possible to get host's environment variable in Docker container?

Question

My app uses some secrets, like password to database. I don't want to publish it inside any Docker file or any other app's file.

Is it possible to set environment variable on host machine, then run on this host Docker container with my app and use the host's environment variable inside of Docker image?

I would like to be able to get in my Docker container something like:

$ echo $DB_PASSWORD

But the DB_PASSWORD would be set on host machine.

Are the environment variables shared between host machine and its containers?

Answer 1

You can pass all the host envs with a little shell trickery

docker run $(printenv | cut -f1 -d= | sed 's/^/--env /g' | tr '\n' ' ') fancy-image

Answer 2

You can share the host enviorenment variable using the below command line statement

docker run --name mycontainer -e your_host_variable image-name

or you can use a file to get all the environement variable from in there

Please refer to this for more details, Its a nice blog.

Answer 3

The environment variables are not automatically shared between docker containers and the host os.

You can set environment variables with the run command's --env flag, though:

$ docker run --env DB_PASSWORD="ohsosecret" someuser/someimage

To use your host os environment variables do not provide a value for the container variable, the hosts value for that variable will be used automatically.

$ docker run --env DB_PASSWORD someuser/someimage

official documentation

Answer 4

Here I post my solution how I work with secrets.

1. I develop on my local machine and I set secrets for developing as a global environments.
2. I deploy applications to test/staging/production environments via protected Jenkins server. Jenkins runs script which sets environment variables for each test/staging/production.
3. For each environment, I have specific docker-compose-xxx.yml, for example: docker-compose-development.yml, docker-compose-jenkins.yml, docker-compose-production.yml, etc.
4. In docker-compose-xxx.yml files, I use local environment variables, for example:

# docker-compose-development.yml

version: '2'
services:
  app:
    image: app_development
    build:
      context: ./app
      dockerfile: Dockerfile.development
    links:
      - db
    environment:
      DB_USER: ${DB_DEVELOP_USER}
      DB_PASS: ${DB_DEVELOP_PASS}
  db:
    image: mysql:latest
    ports:
      - "3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_DEVELOP_USER}
      MYSQL_USER: root
      MYSQL_PASSWORD: ${DB_DEVELOP_PASS}
      MYSQL_DATABASE: app_development

# docker-compose-test.yml

version: '2'
services:
  app:
    image: app_development
    build:
      context: ./app
      dockerfile: Dockerfile.test
    links:
      - db
    environment:
      DB_USER: ${DB_TEST_USER}
      DB_PASS: ${DB_TEST_PASS}
  db:
    image: mysql:latest
    ports:
      - "3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_TEST_USER}
      MYSQL_USER: root
      MYSQL_PASSWORD: ${DB_TEST_PASS}
      MYSQL_DATABASE: app_test

5. I use this approach to build Ruby on Rails application. This framework uses config/database.yml where some confidential data (like database password) are set. Presented approach allows to use the environment variables exported in docker-compose-xxx.yml files:

    default: &default
      adapter: mysql2
      encoding: utf8
      pool: 5
      socket: /var/run/mysqld/mysqld.sock

    development:
      adapter: mysql2
      encoding: utf8
      pool: 5
      socket: /var/run/mysqld/mysqld.sock
      database: app_development
      host: 'db'
      port: 3306
      username: 
      password: 

    test:
      adapter: mysql2
      encoding: utf8
      pool: 5
      socket: /var/run/mysqld/mysqld.sock
      database: app_test
      host: 'db'
      port: 3306
      username: 
      password: