
Could a docker-compose file be deleted after docker compose up?


I have a security concern deploying airflow in Docker.

In the Docker Compose file you have the possibility to set the encryption key for Fernet. My concern is that this key is hardcoded in this docker-compose file. So my question is whether it's possible to delete the docker-compose file and still be able to stop and run the service.

Is it better to include this env. variable inside a Dockerfile and create a new image? Is that more secure?

Thank you for your assistance

version: '3'
x-airflow-common:
  &airflow-common
  # In order to add custom dependencies or upgrade provider packages you can use your extended image.
  # Comment the image line, place your Dockerfile in the directory where you placed the docker-compose.yaml
  # and uncomment the "build" line below, Then run `docker-compose build` to build the images.
  image: ${AIRFLOW_IMAGE_NAME:-apache/airflow:2.5.1}
  # build: .
  environment:
    &airflow-common-env
    AIRFLOW__CORE__EXECUTOR: CeleryExecutor
    AIRFLOW__DATABASE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
    # For backward compatibility, with Airflow <2.3
    AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
    AIRFLOW__CORE__FERNET_KEY: ''

I have successfully set the Fernet key, and it's working inside Airflow: variables are encrypted and I have not had any runtime errors so far.

I am looking for best security practices.


Solution

  • You can delete the docker-compose.yml file, and the container will stay running, but you'll have trouble recreating the container if anything at all changes (including in one of the other containers in the Compose file).

    The most straightforward approach here would be to set the credential as an environment variable on the host, and then ask Compose to pass it through to the container:

      environment:
        # Some safe values specific to this Compose setup
        AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
        AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
        AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
    
        # But pass this one through from the host (note, no value here)
        AIRFLOW__CORE__FERNET_KEY:
    
    # Fernet expects exactly 32 random bytes, URL-safe base64-encoded (44 characters)
    export AIRFLOW__CORE__FERNET_KEY=$(dd if=/dev/random bs=32 count=1 2>/dev/null | base64 | tr '+/' '-_')
    docker-compose up -d
    

    Definitely do not put this secret in your Dockerfile. Not only will it still be in plain text, but it will be persisted in your image as well, and anyone who gets a copy of the image can trivially get it back out.
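Added example (not part of the answer above): a small POSIX shell helper that generates a key in the exact shape Airflow's Fernet setting accepts (32 random bytes, URL-safe base64, 44 characters) and checks a candidate key before it is exported to the host environment, so a malformed key is rejected before `docker-compose up` rather than at container start. It assumes coreutils `head`, `base64` and `tr` are available.

```shell
#!/bin/sh
# Generate a Fernet key: 32 random bytes, URL-safe base64 (44 chars, '+' -> '-', '/' -> '_').
gen_fernet_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'
}

# Return 0 if the key is what Fernet accepts: 44 URL-safe base64 characters
# that decode to exactly 32 bytes. Anything else (e.g. 40 raw bytes encoded
# with plain base64, or an empty string) returns 1.
check_fernet_key() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    printf '%s' "$key" | grep -Eq '^[A-Za-z0-9_-]{43}=$' || return 1
    # Undo the URL-safe alphabet and confirm the decoded length.
    n=$(printf '%s' "$key" | tr '_-' '/+' | base64 -d 2>/dev/null | wc -c)
    [ "$n" -eq 32 ]
}

# Export a key only if it passes the check; returns 1 (and exports nothing) otherwise.
export_fernet_key() {
    key="$(gen_fernet_key)"
    check_fernet_key "$key" || return 1
    export AIRFLOW__CORE__FERNET_KEY="$key"
}

# Typical use from the host shell, before Compose reads the environment:
#   export_fernet_key && docker-compose up -d
```

The key lives only in the host shell's environment and in the running container, never in docker-compose.yaml or in an image layer.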