
Docker Compose reads your “.env” without opt-out - otobrglez
https://github.com/docker/compose/issues/6741
======
rshnotsecure
Docker Hub still does not have any form of 2FA. Even SMS 2FA would be
something / great at this point.

As an attacker, I would put a great deal of focus on attacking companies’
registries on Docker Hub. They can’t have 2FA, so the work/reward ratio is
quite high.

~~~
icedchai
Why would any serious company not use a private registry?

~~~
adambyrtek
AWS Docker registry (ECR) is a good middle ground since you don't have to
maintain your own registry and you can take advantage of IAM to improve
security.

~~~
rumanator
Some CICD services such as GitLab already provide docker image registries per
project for free, and enable users to create any number of projects.

------
LethargicStud
This is the exact class of problem that docker itself attempts to avoid. This
is why I run docker-compose inside a docker container, so I can control
exactly what it has access to and isolate it. There's a guide to do so
here[1]. It has the added benefit of not making users install docker-compose
itself - the only project requirement remains docker.

1: [https://cloud.google.com/community/tutorials/docker-compose-...](https://cloud.google.com/community/tutorials/docker-compose-on-container-optimized-os)

~~~
djsumdog
> docker-compose inside a docker container

Do you use Docker-in-Docker or do you mount the docker socket inside your
docker-compose container?

Oh dear god .. it's Docker all the way down.

~~~
LethargicStud
Mount the docker socket. There are some quirks with storage volume paths. Also,
security implications. Was not super hard to get working though.

I'd love to go straight to containerd or even basic linux containers but I'm
not willing to run kubernetes on my personal machine and haven't found any
ergonomic enough ways to run containers.

~~~
seabrookmx
Check out [https://podman.io](https://podman.io)?

Like docker (uses CRI images) but daemonless.

~~~
yjftsjthsd-h
I thought it didn't even support compose-like functionality? Or did they add
that now?

~~~
rumanator
Docker-compose is an add-on script that only automates how containers are
launched/shut down.

------
gravypod
You can run docker-compose.yml in any folder in the tree but it only reads the
.env from cwd. Just CD into some place and run docker-compose

~~~
ohiovr
This works. I discovered this by accident trying to figure out why my .env
files were not being read.

I was in a different dir to the docker-compose.yml file and launched
docker-compose with the -f filename option and could not get .env to load.

------
djsumdog
I was going to use Docker Compose for setting up a lot of my self-hosted
stuff, since so many projects already had docker compose files in their git
repos and it would seem to be easy to leverage that. Early on I got super
frustrated with compose though (can't remember all the reasons why) and ended
up just writing my own custom provisioner:

[https://github.com/sumdog/bee2](https://github.com/sumdog/bee2)

It has unit tests, but not a lot of good error messages and is pretty
specific to the stuff I host. I'm glad I did it though; great learning
experience around the Docker API and how the internals of the Docker Engine
work. I still use it to maintain all my self-hosted sites and tooling.

There are a lot of good libraries around the Docker API for Ruby, Python,
Java/Scala, etc. If you're on a green field project setting up your local
docker environments, and have the time, I'd almost suggest trying to build
your own tooling from scratch rather than leveraging docker-compose at this
point.

~~~
GordonS
I actually really like Docker Compose, and especially Swarm. Despite being a
relative Docker noob, I've found it to be relatively straightforward to use,
and the configuration and secret options are pretty comprehensive. Haven't hit
any issues I recall.

Would CNAB work with a custom provisioner, or would support for that need to
be coded in?

------
abhchand
For reasons like this and to avoid confusion I always name my environment file
something specific like `.env.development` or `.env.dockercompose`

Any system that reads `.env` files usually allows some way to specify the
exact file to be read.

~~~
GordonS
Huh, I wasn't aware of this! If nothing else, I like the idea of separate
files for separate concerns.

------
hiccuphippo
As a workaround you could rename your .env file to something else and mount it
as .env in the docker-compose volume options.

~~~
Ensorceled
How does this help all the existing applications, tools, scripts etc. that use
.env?

~~~
otobrglez
If you wanna make it work, this is sadly the only way until Docker Compose is
patched.

Rename .env to something else and reconfigure autoenv.

~~~
Ensorceled
Right. Usually workarounds actually, you know, work :-P

------
seanhunter
No great fan of docker and on a train with a demo laptop and no way to install
it to test, but I would expect that

> docker-compose --env-file /dev/null

will get it to not read a .env file.

Will test later/tomorrow.

~~~
joshspankit
They do mention that being an option in the comments on the bug report, but
still sound the alarm as that’s (seemingly) the _only_ option. One-off fixes
are possible, but that’s not a viable solution at scale.
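The lookup behaviour described in the gravypod/ohiovr exchange above (compose reads `.env` from the current directory, and the directory of the file passed to `-f` plays no part) and the `--env-file /dev/null` opt-out seanhunter suggests, modelled in one stand-alone Python script. This is an added example, not code from any commenter and not docker-compose's own implementation: `parse_dotenv`, `load_env`, `interpolate`, `audit` and `demo` are my names, the sample project and its `.env` are constructed inline, and the model covers only the `$VAR`, `${VAR}`, `${VAR:-default}`, `${VAR-default}` and `$$` forms. The `audit` report, which says for every variable referenced in a compose file whether its value would come from the shell, from the `.env` in cwd, from a default, or nowhere, is the pre-flight check a defender wants before `up`, because it shows an application `.env` (API keys, database passwords) being consumed by compose without anyone intending it.

```python
"""Model of where docker-compose takes .env values from (added example, not compose's code)."""
import os
import re
import tempfile
from pathlib import Path

# Compose-style references: $VAR, ${VAR}, ${VAR:-default}, ${VAR-default}; "$$" is a literal "$".
_REF = re.compile(
    r"\$(?:\$|\{(?P<braced>[A-Za-z_]\w*)(?:(?P<colon>:)?-(?P<default>[^}]*))?\}"
    r"|(?P<plain>[A-Za-z_]\w*))"
)


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def locate_env_file(cwd, env_file_opt=None):
    """Where compose looks: an explicit --env-file, otherwise cwd/.env.
    Note what is NOT a parameter here: the location of the -f compose file."""
    cwd = Path(cwd)
    if env_file_opt is not None:
        return cwd / env_file_opt          # an absolute path stays absolute
    candidate = cwd / ".env"
    return candidate if candidate.is_file() else None


def load_env(cwd, env_file_opt=None) -> dict:
    """Return the variables compose would take from the .env file (empty for /dev/null)."""
    path = locate_env_file(cwd, env_file_opt)
    if path is None:
        return {}
    if not path.exists():               # real compose also fails on a missing explicit file
        raise FileNotFoundError(f"--env-file {path} does not exist")
    return parse_dotenv(path.read_text())


def _resolve(m, shell_env, dotenv):
    """Shell environment wins over the .env file; defaults apply last."""
    name = m.group("braced") or m.group("plain")
    value = shell_env.get(name, dotenv.get(name))
    if value is None or (m.group("colon") and value == ""):
        return m.group("default") or ""
    return value


def interpolate(template: str, shell_env: dict, dotenv: dict) -> str:
    """Render a compose file the way compose substitutes variables."""
    return _REF.sub(lambda m: "$" if m.group(0) == "$$" else _resolve(m, shell_env, dotenv), template)


def audit(template: str, shell_env: dict, dotenv: dict) -> dict:
    """For each referenced variable, report which source would supply its value."""
    report = {}
    for m in _REF.finditer(template):
        if m.group(0) == "$$":
            continue
        name = m.group("braced") or m.group("plain")
        if name in shell_env:
            report[name] = "shell"
        elif name in dotenv:
            report[name] = ".env"
        elif m.group("default") is not None:
            report[name] = "default"
        else:
            report[name] = "unset"
    return report


# Constructed sample compose file: interpolates an image tag with a default and a secret without one.
COMPOSE = (
    "services:\n  db:\n    image: postgres:${PG_TAG:-15}\n"
    "    environment:\n      PGPASSWORD: ${DB_PASSWORD}\n"
)


def demo() -> dict:
    """Run the three invocations discussed in the thread against a constructed project."""
    with tempfile.TemporaryDirectory() as root:
        project = Path(root, "project")
        elsewhere = Path(root, "elsewhere")
        project.mkdir()
        elsewhere.mkdir()
        (project / "docker-compose.yml").write_text(COMPOSE)
        # The application's own .env, never meant for compose (constructed sample value).
        (project / ".env").write_text("# app secrets\nDB_PASSWORD=s3cret-from-dotenv\n")
        shell = {}   # nothing exported in the shell
        return {
            "project": audit(COMPOSE, shell, load_env(project)),             # cd project && docker-compose up
            "elsewhere": audit(COMPOSE, shell, load_env(elsewhere)),         # docker-compose -f project/docker-compose.yml up
            "devnull": audit(COMPOSE, shell, load_env(project, os.devnull)),  # --env-file /dev/null in project
        }


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label:10s} -> {report}")
```

Running it shows `DB_PASSWORD` sourced from `.env` only in the first case; from a sibling directory with `-f`, or with `--env-file /dev/null`, the variable is unset and the password never enters the rendered file. The `:-` and `-` forms are deliberately distinguished, since `${VAR:-x}` also falls back when the variable is present but empty.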

------
moomin
Stuff like this is why docker alternatives exist.

~~~
djsumdog
This doesn't have anything to do with Docker, but specifically docker-compose.
What are the alternatives you suggest to that? Minikube?

~~~
moomin
Yeah, I like Kubernetes. But I’ll admit it’s not exactly the most inviting
thing to get into. It’s cool once you get the hang of it.

But the attitude runs all the way through docker products: arbitrary decisions
made for their benefit with no thought to the externalities.

------
rubyn00bie
Call me ol' fashioned, but if I'm not administrating hundreds or thousands of
micro-services... I just use "Plain Ol' Unix Processes on ZFS," or as I
lovingly call it "POUPZ."

I can honestly say this exact issue is impossible for anyone who POUPZ. If you
haven't tried POUPZ in production, or even POUPZ at home, my recommendation is
to give it a try.

I think you'll be pretty glad for once that you POUPZ where you eat.

~~~
yjftsjthsd-h
Does this address the package-like behavior that is one of docker's big
selling points? I guess I could imagine building something out of zfs
send+receive, but it feels like you'd need tooling to make it nice, and now
you've reinvented the wheel.

