Passwords in Dockerfile

Question

How to avoid redundancy in Dockerfile for the value P@55w0rd?

FROM microsoft/mssql-server-linux:2017-latest as sqlbase 
WORKDIR /usr/src/app 
COPY ./sql-scripts /usr/src/app 
ENV MSSQL_SA_PASSWORD=P@55w0rd 
ENV ACCEPT_EULA=Y 
RUN /opt/mssql/bin/sqlservr --accept-eula & sleep 10 \
    && /opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P 'P@55w0rd' -i ./init.sql \
    && pkill sqlservr

Answer 1

In general, I would not put any password directly at the Dockerfile, for two reasons:

• Get your Dockerfile obsolete, forcing you to build a new image every time your password changes.
• Passwords or any other sensitive information should be handled in a safer way (it will depend on your use case).

In this particular case (which seems a non production case). Using ENV and ARG together would be the best approach:

ARG MSQL_SERVER_VERSION=2017-latest
FROM microsoft/mssql-server-linux:$MSQL_SERVER_VERSION as sqlbase

WORKDIR /usr/src/app
COPY ./sql-scripts /usr/src/app

ARG MSSQL_SA_PASSWORD=P@55w0rd
ENV MSSQL_SA_PASSWORD $MSSQL_SA_PASSWORD

ENV ACCEPT_EULA=Y
RUN /opt/mssql/bin/sqlservr --accept-eula & sleep 10 \
    && /opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P $MSSQL_SA_PASSWORD -i ./init.sql \
    && pkill sqlservr

Having MSSQL_SA_PASSWORD as an ARG and assigning its value to the MSSQL_SA_PASSWORD environment variable makes your Dockerfile more flexible. This also let you use it at the RUN command to avoid redundancy.

You can learn more about how ENV, ARG (and its scope) work in Dockerfile reference.

Answer 2

You can make use of ENV or ARG inside the Dockerfile:

For ex you can use ARG as shown below in the Dockerfile:

FROM busybox    
ARG user
USER $user

when you use ARG you have to pass the value when you build the docker image as :

docker build --build-arg user=what_user 

You can also use ENV as shown below in the Dockerfile:

FROM ubuntu
ENV CONT_IMG_VER hello
RUN echo $CONT_IMG_VER

You can refer to this for more info.