GUACAMOLE-626: Merge add support for Docker secrets to startup.sh

2025-09-06 05:07:41 +00:00 · 2019-02-02 14:38:25 -05:00
parent 48f5f57ce7 f12dd1e2bb
commit 8c5002cd7b
2 changed files with 141 additions and 42 deletions
--- a/guacamole-docker/README.md
+++ b/guacamole-docker/README.md
@@ -28,6 +28,29 @@ Once the Guacamole image is running, Guacamole will be accessible at
 `-p 8080:8080` option to expose this port at the level of the machine hosting
 Docker, as well.

+Docker Secrets
+==============
+The string `_FILE` may be appended to some of the environment variables listed 
+below if you are using MySQL or PostgreSQL authentication. This will cause the 
+startup script to load the values for those variables from files within
+the container. 
+
+This is useful for specifying sensitive info, ie. passwords for 
+the database, in secured files instead of plaintext environment variables. This
+is generally used for loading values from [Docker secrets](https://docs.docker.com/engine/swarm/secrets/#read-more-about-docker-secret-commands), which are stored at 
+`/run/secrets/<secret_name>` within the container.
+
+It is important to note that the startup script is configured such that:
+
+1. You may mix the use of Docker secrets and normal environment variables. 
+For example, you may wish to use `MYSQL_USER_FILE` and `MYSQL_PASSWORD_FILE`, 
+but wish to specify the database name with `MYSQL_DATABASE`
+
+2. If both a normal environment variable and its corresponding secret are defined
+in the same command line, or section within a [Compose](https://docs.docker.com/compose/) file, 
+the secret will take precedence. For instance, if both `MYSQL_PASSWORD`
+and `MYSQL_PASSWORD_FILE` are given, `MYSQL_PASSWORD_FILE` will be used.
+
 Deploying Guacamole with PostgreSQL authentication
 --------------------------------------------------

@@ -36,6 +59,9 @@ Deploying Guacamole with PostgreSQL authentication
        -e POSTGRES_DATABASE=guacamole_db  \
        -e POSTGRES_USER=guacamole_user    \
        -e POSTGRES_PASSWORD=some_password \        
+        -e POSTGRES_DATABASE_FILE=/run/secrets/<secret_name> \
+        -e POSTGRES_USER_FILE=/run/secrets/<secret_name> \
+        -e POSTGRES_PASSWORD_FILE=/run/secrets/<secret_name> \
        -d -p 8080:8080 guacamole/guacamole

 Linking Guacamole to PostgreSQL requires three environment variables. If any of
@@ -44,7 +70,14 @@ the image will stop:

 1. `POSTGRES_DATABASE` - The name of the database to use for Guacamole authentication.
 2. `POSTGRES_USER` - The user that Guacamole will use to connect to PostgreSQL.
-3. `POSTGRES_PASSWORD` - The password that Guacamole will provide when connecting to PostgreSQL as `POSTGRES_USER`.
+3. `POSTGRES_PASSWORD` - The password that Guacamole will provide when connecting to 
+PostgreSQL as `POSTGRES_USER`.
+4. `POSTGRES_DATABASE_FILE` - The path of the docker secret containing the name of database 
+to use for Guacamole authentication.
+5. `POSTGRES_USER_FILE` - The path of the docker secret containing the name of the 
+user that Guacamole will use to connect to PostgreSQL.
+6. `POSTGRES_PASSWORD_FILE` - The path of the docker secret containing the password 
+that Guacamole will provide when connecting to PostgreSQL as `POSTGRES_USER.

 ### Initializing the PostgreSQL database

@@ -81,6 +114,9 @@ Deploying Guacamole with MySQL authentication
        -e MYSQL_DATABASE=guacamole_db  \
        -e MYSQL_USER=guacamole_user    \
        -e MYSQL_PASSWORD=some_password \
+        -e MYSQL_DATABASE_FILE=/run/secrets/<secret_name> \
+        -e MYSQL_USER_FILE=/run/secrets/<secret_name> \
+        -e MYSQL_PASSWORD_FILE=/run/secrets/<secret_name> \
        -d -p 8080:8080 guacamole/guacamole

 Linking Guacamole to MySQL requires three environment variables. If any of
@@ -89,7 +125,14 @@ the image will stop:

 1. `MYSQL_DATABASE` - The name of the database to use for Guacamole authentication.
 2. `MYSQL_USER` - The user that Guacamole will use to connect to MySQL.
-3. `MYSQL_PASSWORD` - The password that Guacamole will provide when connecting to MySQL as `MYSQL_USER`.
+3. `MYSQL_PASSWORD` - The password that Guacamole will provide when connecting 
+to MySQL as `MYSQL_USER`.
+4. `MYSQL_DATABASE_FILE` - The path of the docker secret containing the name of the 
+database to use for Guacamole authentication.
+5. `MYSQL_USER_FILE` - The path of the docker secret containing the name of the user 
+that Guacamole will use to connect to MySQL.
+6. `MYSQL_PASSWORD_FILE` - The path of the docker secret containing the password 
+that Guacamole will provide when connecting to MySQL as`MYSQL_USER`.

 ### Initializing the MySQL database

--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -84,6 +84,29 @@ set_optional_property() {

 }

+# Print error message regarding missing required variables for MySQL authentication
+mysql_missing_vars() {
+   cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using a MySQL database, you must provide each of the following
+environment variables or their corresponding Docker secrets by appending _FILE
+to the environment variable, and setting the value to the path of the 
+corresponding secret:
+
+    MYSQL_USER         The user to authenticate as when connecting to
+                       MySQL.
+
+    MYSQL_PASSWORD     The password to use when authenticating with MySQL as
+                       MYSQL_USER.
+
+    MYSQL_DATABASE     The name of the MySQL database to use for Guacamole
+                       authentication.
+END
+    exit 1;
+}
+
+
 ##
 ## Adds properties to guacamole.properties which select the MySQL
 ## authentication provider, and configure it to connect to the linked MySQL
@@ -125,32 +148,38 @@ END
        exit 1;
    fi

-    # Verify required parameters are present
-    if [ -z "$MYSQL_USER" -o -z "$MYSQL_PASSWORD" -o -z "$MYSQL_DATABASE" ]; then
-        cat <<END
-FATAL: Missing required environment variables
-------------------------------------------------------------------------------
-If using a MySQL database, you must provide each of the following
-environment variables:

-    MYSQL_USER         The user to authenticate as when connecting to
-                       MySQL.
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$MYSQL_USER_FILE" ]; then
+        set_property "mysql-username" `cat $MYSQL_USER_FILE`
+    elif [ -n "$MYSQL_USER" ]; then
+        set_property "mysql-username" "$MYSQL_USER"
+    else
+        mysql_missing_vars
+        exit 1;
+    fi
    
-    MYSQL_PASSWORD     The password to use when authenticating with MySQL as
-                       MYSQL_USER.
+    if [ -n "$MYSQL_PASSWORD_FILE" ]; then
+        set_property "mysql-password" `cat $MYSQL_PASSWORD_FILE`
+    elif [ -n "$MYSQL_PASSWORD" ]; then
+        set_property "mysql-password" "$MYSQL_PASSWORD"
+    else
+        mysql_missing_vars
+        exit 1;
+    fi

-    MYSQL_DATABASE     The name of the MySQL database to use for Guacamole
-                       authentication.
-END
+    if [ -n "$MYSQL_DATABASE_FILE" ]; then
+        set_property "mysql-database" `cat $MYSQL_DATABASE_FILE`
+    elif [ -n "$MYSQL_DATABASE" ]; then
+        set_property "mysql-database" "$MYSQL_DATABASE"
+    else
+        mysql_missing_vars
        exit 1;
    fi

    # Update config file
    set_property "mysql-hostname" "$MYSQL_HOSTNAME"
    set_property "mysql-port"     "$MYSQL_PORT"
-    set_property "mysql-database" "$MYSQL_DATABASE"
-    set_property "mysql-username" "$MYSQL_USER"
-    set_property "mysql-password" "$MYSQL_PASSWORD"

    set_optional_property               \
        "mysql-absolute-max-connections" \
@@ -178,6 +207,28 @@ END

 }

+# Print error message regarding missing required variables for PostgreSQL authentication
+postgres_missing_vars() {
+    cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using a PostgreSQL database, you must provide each of the following
+environment variables or their corresponding Docker secrets by appending _FILE
+to the environment variable, and setting the value to the path of the 
+corresponding secret:
+
+    POSTGRES_USER      The user to authenticate as when connecting to
+                       PostgreSQL.
+
+    POSTGRES_PASSWORD  The password to use when authenticating with PostgreSQL
+                       as POSTGRES_USER.
+
+    POSTGRES_DATABASE  The name of the PostgreSQL database to use for Guacamole
+                       authentication.
+END
+    exit 1;
+}
+
 ##
 ## Adds properties to guacamole.properties which select the PostgreSQL
 ## authentication provider, and configure it to connect to the linked
@@ -221,32 +272,37 @@ END
        exit 1;
    fi

-    # Verify required parameters are present
-    if [ -z "$POSTGRES_USER" -o -z "$POSTGRES_PASSWORD" -o -z "$POSTGRES_DATABASE" ]; then
-        cat <<END
-FATAL: Missing required environment variables
-------------------------------------------------------------------------------
-If using a PostgreSQL database, you must provide each of the following
-environment variables:
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$POSTGRES_USER_FILE" ]; then
+        set_property "postgresql-username" `cat $POSTGRES_USER_FILE`
+    elif [ -n "$POSTGRES_USER" ]; then
+        set_property "postgresql-username" "$POSTGRES_USER"
+    else
+        postgres_missing_vars
+        exit 1;
+    fi
    
-    POSTGRES_USER      The user to authenticate as when connecting to
-                       PostgreSQL.
+    if [ -n "$POSTGRES_PASSWORD_FILE" ]; then
+        set_property "postgresql-password" `cat $POSTGRES_PASSWORD_FILE`
+    elif [ -n "$POSTGRES_PASSWORD" ]; then
+        set_property "postgresql-password" "$POSTGRES_PASSWORD"
+    else
+        postgres_missing_vars
+        exit 1;
+    fi

-    POSTGRES_PASSWORD  The password to use when authenticating with PostgreSQL
-                       as POSTGRES_USER.
-
-    POSTGRES_DATABASE  The name of the PostgreSQL database to use for Guacamole
-                       authentication.
-END
+    if [ -n "$POSTGRES_DATABASE_FILE" ]; then
+        set_property "postgresql-database" `cat $POSTGRES_DATABASE_FILE`
+    elif [ -n "$POSTGRES_DATABASE" ]; then
+        set_property "postgresql-database" "$POSTGRES_DATABASE"
+    else
+        postgres_missing_vars
        exit 1;
    fi

    # Update config file
    set_property "postgresql-hostname" "$POSTGRES_HOSTNAME"
    set_property "postgresql-port"     "$POSTGRES_PORT"
-    set_property "postgresql-database" "$POSTGRES_DATABASE"
-    set_property "postgresql-username" "$POSTGRES_USER"
-    set_property "postgresql-password" "$POSTGRES_PASSWORD"

    set_optional_property               \
        "postgresql-absolute-max-connections" \
@@ -596,13 +652,13 @@ set_property "guacd-port"     "$GUACD_PORT"
 INSTALLED_AUTH=""

 # Use MySQL if database specified
-if [ -n "$MYSQL_DATABASE" ]; then
+if [ -n "$MYSQL_DATABASE" -o -n "$MYSQL_DATABASE_FILE" ]; then
    associate_mysql
    INSTALLED_AUTH="$INSTALLED_AUTH mysql"
 fi

 # Use PostgreSQL if database specified
-if [ -n "$POSTGRES_DATABASE" ]; then
+if [ -n "$POSTGRES_DATABASE" -o -n "$POSTGRES_DATABASE_FILE" ]; then
    associate_postgresql
    INSTALLED_AUTH="$INSTALLED_AUTH postgres"
 fi