abandon to use secret, it has too many consequences

+ use classical env technic, but it might not be safe

README.md

@@ -61,9 +61,11 @@
 - [run docker deamon rootless](https://docs.docker.com/engine/security/rootless/)
 - [dangling images '<none>'](https://projectatomic.io/blog/2015/07/what-are-docker-none-none-images/)
 - [go inside docker to debug it](https://docs.docker.com/engine/reference/commandline/container_exec/)
+- [docker debug image with "docker run -it"](https://blog.devgenius.io/how-to-debug-docker-build-6c2588401188)
 - `docker exec -ti <container-name> bash` to run bash inside a running container
 - [docker CMD vs ENTRYPOINT](https://phoenixnap.com/kb/docker-cmd-vs-entrypoint)
 - [use env variable with compose](https://docs.docker.com/compose/environment-variables/)
+- [using DEBIAN_FRONTEND=noninteractive disouraged in dockerfile](https://bobcares.com/blog/debian_frontendnoninteractive-docker/)
 
 	###### docker pid 1
 	- nginx by default will create some child process (a master and some workers), then it quits (doc ?)
@@ -115,8 +117,18 @@
 	- bind mounts are normal files anywhere on the computer, that docker container can access with absolut path and modify. They can also be modified without docker, since they are juste files
 	- volumes are only modifiable by docker, they don't need an absolut path, and they are not dependent of host architecture
 
-	###### psswd in dockerfile :
-	- [SO securing passwords in dockerfiles](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
+	###### use password in container :
+	- [with env variables in compose](https://docs.docker.com/compose/environment-variables/)
+	- [it's not safe to use arg to pass secret, since they are available through "docker history"](https://docs.docker.com/engine/reference/builder/#arg)
+	- [better use docker build --secret tag](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
+	- [so discussion](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
+	- [engine ref secret](https://docs.docker.com/engine/reference/commandline/secret/)
+	- [compose secret](https://docs.docker.com/compose/compose-file/compose-file-v3/#secrets)
+	- [use secret with docker](https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
+	- [use secret with docker SO](https://stackoverflow.com/questions/42139605/how-do-you-manage-secret-values-with-docker-compose-v3-1)
+	- [four ways to use secrets](https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/)
+	- it seems that using "secrets" only improve security for a swarm, when you must share your secrets with others, but if not the case, .env is as much secure ?
+	- to use secret in docker-compose, we need to use swarm, but it doesn't allow to use build, or up, so everything is different then and I don't have time to understand it fully
 
 #### nginx
 - [nginx begginer guide](https://hub.docker.com/_/nginx/)
@@ -180,13 +192,6 @@
 		DROP DATABASE <name>;
 		```
 
-	###### use password in container :
-	- [with env variables in compose](https://docs.docker.com/compose/environment-variables/)
-	- [so discussion](https://stackoverflow.com/questions/22651647/docker-and-securing-passwords)
-	- [docker build --secret tag](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
-	- [use secret with docker](https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
-	- [use secret with docker SO](https://stackoverflow.com/questions/42139605/how-do-you-manage-secret-values-with-docker-compose-v3-1)
-
 
 #### php-fpm
 - [](https://en.wikipedia.org/wiki/FastCGI)

srcs/.env

@@ -1,8 +1,8 @@
-# DOMAIN_NAME=wil.42.fr
-# # certificates
-# CERTS_=./XXXXXXXXXXXX
-# # MYSQL SETUP
-# MYSQL_ROOT_PASSWORD=XXXXXXXXXXXX
-# MYSQL_USER=XXXXXXXXXXXX
-# MYSQL_PASSWORD=XXXXXXXXXXXX
-# [...]
+#DOMAIN_NAME=wil.42.fr
+## certificates
+#CERTS_=./XXXXXXXXXXXX
+
+## MARIADB SETUP
+DB_NAME=db_wp_inception
+DB_USER=user_wp_inception
+DB_PSWD="if you read this i will have to erase your memory"

srcs/docker-compose.yml

@@ -9,12 +9,12 @@ version: "3.8"
 
 services:
 # ---------------------------------
-  test:
-    build:
-      context: ./requirements/test
-      dockerfile: Dockerfile
-    image: test
-    container_name: mytest
+#  test:
+#    build:
+#      context: ./requirements/test
+#      dockerfile: Dockerfile
+#    image: test
+#    container_name: mytest
 # ---------------------------------
   nginx:
     #restart: on-failure
@@ -29,16 +29,13 @@ services:
 # ---------------------------------
   mariadb:
     #restart: on-failure
+    env_file: .env
     build:
       context: ./requirements/mariadb
-      dockerfile: Dockerfile
+      args:
+        - DB_NAME=${DB_NAME}
+        - DB_USER=${DB_USER}
+        - DB_PSWD=${DB_PSWD}
     image: mariadb
     container_name: mymariadb
-    #--secret id=mysecret,src=mysecret.txt
-    secrets:
-      - my_secret
-
-secrets:
-  my_secret:
-    file: ./secret.txt
 

srcs/requirements/mariadb/Dockerfile

@@ -1,20 +1,17 @@
 FROM debian:buster
 
-ARG DEBIAN_FRONTEND=noninteractive
-
-# docker build --secret tag : https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
-# use secret with docker : https://www.rockyourcode.com/using-docker-secrets-with-docker-compose/)
-RUN --mount=type=secret,id=my_secret cat /run/secrets/my_secret.txt
-#RUN cat /run/secrets/my_secret.txt
+ARG DB_NAME
+ARG DB_USER
+ARG DB_PSWD
 
 RUN apt update && \
 	apt install -y mariadb-client mariadb-server && \
 	rm -rf /var/lib/apt/lists/* && \
 	\
 	service mysql start && \
-	mariadb --execute="CREATE DATABASE db_hugo_test;" && \
-	mariadb --execute="CREATE USER 'u_hugo_test'@'localhost' IDENTIFIED BY 'hello';" && \
-	mariadb --execute="GRANT ALL PRIVILEGES ON *.* TO 'u_hugo_test'@'localhost' with grant option;"
+	mariadb --execute="CREATE DATABASE ${DB_NAME};" && \
+	mariadb --execute="CREATE USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PSWD}';" && \
+	mariadb --execute="GRANT ALL PRIVILEGES ON *.* TO '${DB_USER}'@'localhost' with grant option;"
 
 CMD [ "mysqld" ]
 

srcs/requirements/mariadb/secret.txt

@@ -0,0 +1 @@
+mon_super_mot_de_passe