GUACAMOLE-626: Update README.md

Add appropriate documentation for usage of Docker secrets
Thomas John Wesolowski
2018-09-20 20:54:05 -05:00
committed by Thomas Wesolowski
parent a7ed572e3b
commit 8788a51199


@@ -28,6 +28,14 @@ Once the Guacamole image is running, Guacamole will be accessible at
`-p 8080:8080` option to expose this port at the level of the machine hosting `-p 8080:8080` option to expose this port at the level of the machine hosting
Docker, as well. Docker, as well.
Docker Secrets
==============
The string `_FILE` may be appended to some of the environment variables listed below if you are using MySQL or PostgreSQL authentication. This will cause the startup script to load the values for those variables from files within in the container. This is useful for specifying sensitive info, ie. passwords for the database, in secured files instead of plaintext environment variables, and is generally used for loading values from [Docker secrets](https://docs.docker.com/engine/swarm/secrets/#read-more-about-docker-secret-commands), which are stored in `/run/secrets/<secret_name>` within the container.
It is important to note that the startup script is configured such that:
1. You may mix the use of Docker secrets and normal environment variables. For example, you may wish to use `MYSQL_USER_FILE` and `MYSQL_PASSWORD_FILE`, but wish to specify the database name with `MYSQL_DATABASE`
2. If both a normal environment variable and its corresponding secret are defined in the same command line or compose file, ie. `MYSQL_PASSWORD` and `MYSQL_PASSWORD_FILE`, precedence is given to the secret.
Deploying Guacamole with PostgreSQL authentication Deploying Guacamole with PostgreSQL authentication
-------------------------------------------------- --------------------------------------------------
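Review bot: The new Docker Secrets paragraph says `_FILE` may be appended to "some of the environment variables listed below" without saying which ones, so a reader cannot tell whether a given variable supports it. Name them here (the later hunks document `POSTGRES_DATABASE_FILE`, `POSTGRES_USER_FILE`, `POSTGRES_PASSWORD_FILE` and the `MYSQL_` equivalents) or point to those lists. In the same paragraph, "within in the container" has a doubled word, and both uses of "ie." introduce examples, so "e.g." is what is meant.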
@@ -36,6 +44,9 @@ Deploying Guacamole with PostgreSQL authentication
-e POSTGRES_DATABASE=guacamole_db \ -e POSTGRES_DATABASE=guacamole_db \
-e POSTGRES_USER=guacamole_user \ -e POSTGRES_USER=guacamole_user \
-e POSTGRES_PASSWORD=some_password \ -e POSTGRES_PASSWORD=some_password \
-e POSTGRES_DATABASE_FILE=/run/secrets/<secret_name> \
-e POSTGRES_USER_FILE=/run/secrets/<secret_name> \
-e POSTGRES_PASSWORD_FILE=/run/secrets/<secret_name> \
-d -p 8080:8080 guacamole/guacamole -d -p 8080:8080 guacamole/guacamole
Linking Guacamole to PostgreSQL requires three environment variables. If any of Linking Guacamole to PostgreSQL requires three environment variables. If any of
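Review bot: The example `docker run` command now passes `POSTGRES_PASSWORD=some_password` and `POSTGRES_PASSWORD_FILE=/run/secrets/<secret_name>` together (likewise for the database and user), which by the precedence rule added in the Docker Secrets section means the plaintext values are ignored while the password still appears in the command line and container environment. Show two separate examples, one with the plain variables and one with the `_FILE` variants, or drop the plaintext lines from the secrets example. The trailing context still says linking "requires three environment variables", which no longer matches a command that sets six.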
@@ -45,6 +56,9 @@ the image will stop:
1. `POSTGRES_DATABASE` - The name of the database to use for Guacamole authentication. 1. `POSTGRES_DATABASE` - The name of the database to use for Guacamole authentication.
2. `POSTGRES_USER` - The user that Guacamole will use to connect to PostgreSQL. 2. `POSTGRES_USER` - The user that Guacamole will use to connect to PostgreSQL.
3. `POSTGRES_PASSWORD` - The password that Guacamole will provide when connecting to PostgreSQL as `POSTGRES_USER`. 3. `POSTGRES_PASSWORD` - The password that Guacamole will provide when connecting to PostgreSQL as `POSTGRES_USER`.
4. `POSTGRES_DATABASE_FILE` - The path of the docker secret containing the name of database to use for Guacamole authentication.
5. `POSTGRES_USER` - The path of the docker secret containing the name of the user that Guacamole will use to connect to PostgreSQL.
6. `POSTGRES_PASSWORD` - The path of the docker secret containing the password that Guacamole will provide when connecting to PostgreSQL as `POSTGRES_USER`.
### Initializing the PostgreSQL database ### Initializing the PostgreSQL database
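Review bot: Added items 5 and 6 are labelled `POSTGRES_USER` and `POSTGRES_PASSWORD`, duplicating items 2 and 3, while their descriptions are about secret paths; they should read `POSTGRES_USER_FILE` and `POSTGRES_PASSWORD_FILE` to match item 4 and the command example. Because the list sits under the sentence ending "the image will stop:", six numbered entries read as six required variables, so state that each `_FILE` variable is an alternative to its plain counterpart. Item 4 is also missing an article: "the name of the database".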
@@ -81,6 +95,9 @@ Deploying Guacamole with MySQL authentication
-e MYSQL_DATABASE=guacamole_db \ -e MYSQL_DATABASE=guacamole_db \
-e MYSQL_USER=guacamole_user \ -e MYSQL_USER=guacamole_user \
-e MYSQL_PASSWORD=some_password \ -e MYSQL_PASSWORD=some_password \
-e MYSQL_DATABASE_FILE=/run/secrets/<secret_name> \
-e MYSQL_USER_FILE=/run/secrets/<secret_name> \
-e MYSQL_PASSWORD_FILE=/run/secrets/<secret_name> \
-d -p 8080:8080 guacamole/guacamole -d -p 8080:8080 guacamole/guacamole
Linking Guacamole to MySQL requires three environment variables. If any of Linking Guacamole to MySQL requires three environment variables. If any of
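Review bot: All three added lines use the same `<secret_name>` placeholder, which reads as if one secret file supplies the database name, user and password; use distinct placeholders per variable so it is clear each `_FILE` variable points at its own secret. The plaintext `MYSQL_PASSWORD=some_password` line also remains in the same command as `MYSQL_PASSWORD_FILE`, so the example never shows a secrets-only invocation.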
@@ -90,6 +107,9 @@ the image will stop:
1. `MYSQL_DATABASE` - The name of the database to use for Guacamole authentication. 1. `MYSQL_DATABASE` - The name of the database to use for Guacamole authentication.
2. `MYSQL_USER` - The user that Guacamole will use to connect to MySQL. 2. `MYSQL_USER` - The user that Guacamole will use to connect to MySQL.
3. `MYSQL_PASSWORD` - The password that Guacamole will provide when connecting to MySQL as `MYSQL_USER`. 3. `MYSQL_PASSWORD` - The password that Guacamole will provide when connecting to MySQL as `MYSQL_USER`.
4. `MYSQL_DATABASE_FILE` - The path of the docker secret containing the name of database to use for Guacamole authentication.
5. `MYSQL_USER` - The path of the docker secret containing the name of the user that Guacamole will use to connect to MySQL.
6. `MYSQL_PASSWORD` - The path of the docker secret containing the password that Guacamole will provide when connecting to MySQL as `MYSQL_USER`.
### Initializing the MySQL database ### Initializing the MySQL database
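Review bot: Added items 5 and 6 are labelled `MYSQL_USER` and `MYSQL_PASSWORD`, the same names as items 2 and 3, but describe paths to Docker secrets; rename them to `MYSQL_USER_FILE` and `MYSQL_PASSWORD_FILE` so the list agrees with item 4 and with the `-e MYSQL_USER_FILE=...` and `-e MYSQL_PASSWORD_FILE=...` lines in the command example. Item 4 should read "the name of the database".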