Fix shell escaping of redis/memcached password variables #238

Open
timabbott opened this issue Jan 26, 2020 · 3 comments

timabbott commented Jan 26, 2020

A user reported seeing this output when running docker-compose operations for the Zulip container:

```
~/docker-zulip$ sudo docker-compose pull
[sudo] Passwort für ilyas:
WARNING: The GVqF variable is not set. Defaulting to a blank string.
Pulling database  ... done
Pulling memcached ... done
Pulling rabbitmq  ... done
Pulling redis     ... done
```

(Note that the zulip container isn't being run at all).

Investigating determined the problem was that their REDIS_PASSWORD field had some special characters in it (in this case, $), which resulted in Docker trying to handle it as a variable.

```yaml
REDIS_PASSWORD: 'E!r%ZwH3#2P$GVqF'
```

See https://pastebin.com/P0jRFVnj for an example configuration with this problem.

I'm not sure what the right fix is for this; at the very least we should document that passwords/secrets used in this file should use a specific character set; I'm not sure there's any escaping we can do to address this, since I think it's being considered a Docker variable. May be worth researching what the prior art for other projects is for this issue. One possible solution is to write a tool to generate and fill in the password/secrets fields rather than having folks do that manually.

andersk commented Jan 31, 2020

$VARIABLE substitution is part of the docker-compose.yml syntax, which also provides a syntax for escaping $:

You can use a $$ (double-dollar sign) when your configuration needs a literal dollar sign. This also prevents Compose from interpolating a value, so a $$ allows you to refer to environment variables that you don’t want processed by Compose.

```yaml
web:
  build: .
  command: "$$VAR_NOT_INTERPOLATED_BY_COMPOSE"
```

If you forget and use a single dollar sign ($), Compose interprets the value as an environment variable and warns you:

The VAR_NOT_INTERPOLATED_BY_COMPOSE is not set. Substituting an empty string.

@timabbott

Yeah. I think we should address this by updating our docs to mention not using $ in passwords; or maybe better, we should write a little tool that substitutes in randomly generated passwords following that rule.

i-ky commented Sep 30, 2022

Users can be advised to use docker compose config to verify that Docker Compose interprets their Compose file as intended.
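
An added example, not part of the original thread or the docker-zulip project: Python code that reports which variable names Compose would substitute in a secret, produces the `$$`-escaped form, and generates a secret that needs no escaping. It models only the `$NAME`, `${NAME}` and `$$` forms of Compose substitution, and all function names are hypothetical.

```python
import re
import secrets
import string

# Compose substitution tokens modelled here: "$$" (literal dollar), "$NAME", "${NAME}".
# The "${NAME:-default}" style forms are outside this model (assumption of the example).
TOKEN = re.compile(
    r"\$(?:(?P<esc>\$)"
    r"|(?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"|\{(?P<braced>[A-Za-z_][A-Za-z0-9_]*)\})"
)

def compose_refs(value):
    """Names that Compose would try to substitute in `value`."""
    return [m.group("name") or m.group("braced")
            for m in TOKEN.finditer(value) if not m.group("esc")]

def render(value, env):
    """What the container receives after substitution; unset names become ''."""
    def repl(m):
        if m.group("esc"):
            return "$"
        return env.get(m.group("name") or m.group("braced"), "")
    return TOKEN.sub(repl, value)

def escape_for_compose(value):
    """Double every '$' so Compose passes the value through literally."""
    return value.replace("$", "$$")

def generate_secret(length=32):
    """Random secret from letters and digits only, so no escaping is needed."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    password = "E!r%ZwH3#2P$GVqF"  # value from the report above
    print("referenced variables:", compose_refs(password))
    print("container would get: ", render(password, {}))
    escaped = escape_for_compose(password)
    print("write this instead:  ", escaped)
    print("container then gets: ", render(escaped, {}))
    print("generated secret:    ", generate_secret())
```

The silent truncation shown by `render` is the security-relevant part: the service ends up configured with a shorter password than the one the operator wrote down.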
