Runtime cmd arguments with secrets

Greetings! I’m trying to run a docker image with this runtime structure:

```
Usage: sprinter --postgres-url <POSTGRES_URL> --redis-url <REDIS_URL> --rpc-url <RPC_URL> --ws-url <WS_URL> --mongo-uri <MONGO_URI> --amqp-url <AMQP_URL> --amqp-exchange <AMQP_EXCHANGE>
```

How am I able to inject this in my fly.toml if possible?

I am already attempting this on the Dockerfile, but to no avail:

```dockerfile
FROM rust:latest as builder
# Create new cargo project and set it to the current directory
RUN USER=root cargo new --bin sprinter
WORKDIR /sprinter
# Build cargo crates
COPY ./Cargo.toml ./
RUN cargo build --release
# Build rust project
COPY ./src ./src
RUN rm ./target/release/deps/sprinter*
RUN cargo build --release
# Run-time container
FROM photon:latest
ARG APP=/usr/src/app
RUN tdnf install -y ca-certificates shadow openssl
# Download DocumentDB certificate
WORKDIR ${APP}
# Set specific user for container security
ENV APP_USER=appuser
RUN groupadd -r $APP_USER \
    && useradd -r -g $APP_USER $APP_USER \
    && mkdir -p ${APP}
COPY --from=builder /sprinter/target/release/sprinter ${APP}/sprinter
RUN chown -R $APP_USER:$APP_USER ${APP}
USER $APP_USER
WORKDIR ${APP}
CMD ["sh", "-c", "./sprinter --postgres-url ${POSTGRES_URL} --redis-url ${REDIS_URL} --rpc-url ${RPC_URL} --ws-url ${WS_URL} --mongo-uri ${MONGO_URI} --amqp-url ${AMQP_URL} --amqp-exchange ${AMQP_EXCHANGE}"]
```

Secrets are injected at runtime, and to put something on your Dockerfile you’d need build arguments, but since there’s sensitive data I’d say please don’t put these on your fly.toml.

There’s an easy trick to do that.

  1. Create a run.sh file with your command and it calls the actual command
  2. Change your Dockerfile to CMD run.sh
  3. fly deploy!

Hey @lubien, doesn’t seem to work for me!

Fly.toml:

```toml
app = 'sprinter'
primary_region = 'iad'

[experimental]
  cmd = ["./sprinter"]

[build]

[http_service]
  internal_port = 8080
  force_https = true
  auto_stop_machines = false
  auto_start_machines = true
  min_machines_running = 2
  processes = ['app']

[[vm]]
  size = 'shared-cpu-8x'
```

Dockerfile

```dockerfile
FROM rust:latest as builder
# Create new cargo project and set it to the current directory
RUN USER=root cargo new --bin sprinter
WORKDIR /sprinter
# Build cargo crates
COPY ./Cargo.toml ./
RUN cargo build --release
# Build rust project
COPY ./src ./src
RUN rm ./target/release/deps/sprinter*
RUN cargo build --release
# Run-time container
FROM photon:latest
ARG APP=/usr/src/app
RUN tdnf install -y ca-certificates shadow openssl
# Download DocumentDB certificate
WORKDIR ${APP}
# Set specific user for container security
ENV APP_USER=appuser
RUN groupadd -r $APP_USER \
    && useradd -r -g $APP_USER $APP_USER \
    && mkdir -p ${APP}
COPY --from=builder /sprinter/target/release/sprinter ${APP}/sprinter
RUN chown -R $APP_USER:$APP_USER ${APP}
USER $APP_USER
WORKDIR ${APP}
CMD ["sh", "-c", "./run.sh"]
```

run.sh

```sh
./sprinter --postgres-url $POSTGRES_URL --redis-url $REDIS_URL --rpc-url $RPC_URL --ws-url $WS_URL --mongo-uri $MONGO_URI --amqp-exchange $AMQP_EXCHANGE --amqp-url $AMQP_URL
```

Logs:

```
2024-05-04T10:39:40.701 runner[080e332b125118] iad [info] machine did not have a restart policy, defaulting to restart
2024-05-04T10:39:58.914 app[080e332b125118] iad [info] [ 0.080125] PCI: Fatal: No config space access function found
2024-05-04T10:39:59.251 app[080e332b125118] iad [info] INFO Starting init (commit: c1e2693b)...
2024-05-04T10:39:59.345 app[080e332b125118] iad [info] INFO Preparing to run: `./sprinter` as appuser
2024-05-04T10:39:59.352 app[080e332b125118] iad [info] INFO [fly api proxy] listening at /.fly/api
2024-05-04T10:39:59.358 app[080e332b125118] iad [info] 2024/05/04 10:39:59 INFO SSH listening listen_address=[fdaa:8:4f95:a7b:1d9:391a:4ab9:2]:22 dns_server=[fdaa::3]:53
2024-05-04T10:39:59.409 app[080e332b125118] iad [info] error: the following required arguments were not provided:
2024-05-04T10:39:59.409 app[080e332b125118] iad [info] --amqp-url <AMQP_URL>
2024-05-04T10:39:59.409 app[080e332b125118] iad [info] --amqp-exchange <AMQP_EXCHANGE>
2024-05-04T10:39:59.409 app[080e332b125118] iad [info] Usage: sprinter --postgres-url <POSTGRES_URL> --redis-url <REDIS_URL> --rpc-url <RPC_URL> --ws-url <WS_URL> --mongo-uri <MONGO_URI> --amqp-url <AMQP_URL> --amqp-exchange <AMQP_EXCHANGE>
2024-05-04T10:39:59.409 app[080e332b125118] iad [info] For more information, try '--help'.
2024-05-04T10:39:59.726 runner[080e332b125118] iad [info] Machine started in 1.142s
2024-05-04T10:40:00.352 app[080e332b125118] iad [info] INFO Main child exited normally with code: 2
2024-05-04T10:40:00.370 app[080e332b125118] iad [info] INFO Starting clean up.
2024-05-04T10:40:00.372 app[080e332b125118] iad [info] WARN could not unmount /rootfs: EINVAL: Invalid argument
2024-05-04T10:40:00.373 app[080e332b125118] iad [info] [ 1.537348] reboot: Restarting system
2024-05-04T10:40:00.586 runner[080e332b125118] iad [info] machine did not have a restart policy, defaulting to restart
```
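An added example of the `run.sh` wrapper suggested earlier in the thread (not code from either poster or from Fly.io): it names any missing secret without printing values, then quotes every expansion and `exec`s the binary. It assumes the secrets are set under the variable names used in the thread. In the posted setup the log line ``Preparing to run: `./sprinter` `` shows the `[experimental] cmd` entry in fly.toml replaced the Dockerfile `CMD`, and the Dockerfile has no `COPY` for `run.sh`, so the script was never reached.

```shell
#!/bin/sh
# run.sh -- added example, not code from the thread.
# Variable names follow the thread's usage line; values come from the
# environment at start-up, so nothing secret is baked into the image.
# Do not add `set -x` here: xtrace would write every URL to the logs.

REQUIRED_VARS="POSTGRES_URL REDIS_URL RPC_URL WS_URL MONGO_URI AMQP_URL AMQP_EXCHANGE"

# Print the names (never the values) of required variables that are
# unset or empty, each followed by a space.
missing_vars() {
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || printf '%s ' "$name"
    done
}

# launch CMD...: validate, then replace the shell with CMD plus flags.
# Each expansion is quoted: an unquoted URL is word-split and its `?`
# or `*` characters are treated as glob patterns.
# Caveat: argv is readable by other processes on the machine via
# /proc/<pid>/cmdline.
launch() {
    missing=$(missing_vars)
    if [ -n "$missing" ]; then
        echo "run.sh: unset or empty: $missing" >&2
        exit 64
    fi
    exec "$@" \
        --postgres-url "$POSTGRES_URL" \
        --redis-url "$REDIS_URL" \
        --rpc-url "$RPC_URL" \
        --ws-url "$WS_URL" \
        --mongo-uri "$MONGO_URI" \
        --amqp-url "$AMQP_URL" \
        --amqp-exchange "$AMQP_EXCHANGE"
}

# Run only when invoked as run.sh, so the functions can be sourced.
case "${0##*/}" in
    run.sh) launch ./sprinter ;;
esac
```

For the script to run, the image has to contain an executable `run.sh` next to the binary and fly.toml must not override the image's `CMD`.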
