Introduction

This article is built upon the article on secrets management. I am assuming you either have read it and followed along or you are very familiar with what Doppler is, what the benefits are and how it works. If those assumptions don’t hold true for you, you might want to read the article on secrets management before continuing.

To be explicit I make the following assumption about you, dear reader, as I write this article:

You have a Doppler account and are comfortable working with everything covered in the article on secrets management
You have Doppler CLI installed and logged into your Doppler account, as per the article on secrets management
You have docker installed, if not go to https://www.docker.com/products/docker-desktop/ and fix that
You are comfortable working in command prompt, aka terminal, of your chosen operating system
Comfortable downloading or cloning GitHub projects

My latest project has been to get more comfortable with Docker, how it works, how to set it up, etc. So I started going through the Docker 101 Getting started course that pops up automatically when you install Docker Desktop for Windows. If you are on a different operating system where the installation of docker doesn’t force this tutorial in your face, just run this command:

docker run -d -p 80:80 docker/getting-started

Some Linux distros might require this command to be run as root or sudo. When I do this on my Ubuntu VM, I have to run it as sudo. If you are new to Docker, as I am, I highly recommend you work through all the exercises in this free training. Once the command completes running you just open a browser to http://localhost/ to access the training.

When I was going through the module on Docker Compose it struck me that having all those secrets in the yml file was not the best way to go from a security perspective. As you recall from the article on secrets management, Doppler integrates with whole bunch of systems, so I figured this was a perfect way to learn how to fix this insecurity by integrating my Doppler account into my Docker project. Turns out it is actually very simple. There are actually a bunch of different approach provided in the Doppler documentation, some that look very intimidating, so at first it looked daunting but I found the simplest option and I’ll walk you through that here. All I had to do though was just tweak the compose yml file a little.

Walk through

To follow along with what I did, follow these steps:

Clone my GitHub project at https://github.com/siggib007/app.git to your local machine.
From that project directory import a new project into your doppler account:
1. doppler import
Tie your local project to the Doppler project you just imported
1. doppler setup -p docker101 -c dev
For optimal security you might want to set a new database root user password, but since this is just a plaything it isn’t that critical but a good practice either way. The password I have in there is pretty strong though, but it is public so no longer a secret.
1. doppler secrets set MYSQL_ROOT_PASSWORD [NewSuperStrongAndLongPrivatePassword]
Then simply start the project
1. doppler run -- docker-compose up -d

As far as the changes I did. Here is what the yml file looks like in the course:

version: "3.8"

services:
  app:
    image: node:12-alpine
    command: sh -c "yarn install && yarn run dev"
    ports:
      - 3000:3000
    working_dir: /app
    volumes:
      - ./:/app
    environment:
      MYSQL_HOST: mysql
      MYSQL_USER: root
      MYSQL_PASSWORD: secret
      MYSQL_DB: todos

  mysql:
    image: mysql:5.7
    volumes:
      - todo-mysql-data:/var/lib/mysql
    environment: 
      MYSQL_ROOT_PASSWORD: secret
      MYSQL_DATABASE: todos

volumes:
  todo-mysql-data:

Here is what it looks like after my changes:

version: "3.8"

services:
  app:
    image: node:12-alpine
    command: sh -c "yarn install && yarn run dev"
    ports:
      - 3000:3000
    working_dir: /app
    volumes:
      - ./:/app
    environment:
      - MYSQL_HOST
      - MYSQL_USER
      - MYSQL_PASSWORD
      - MYSQL_DB
  mysql:
    image: mysql:5.7
    ports:
      - 33060:3306
    volumes:
      - todo-mysql-data:/var/lib/mysql
    environment: 
      - MYSQL_ROOT_PASSWORD
      - MYSQL_DATABASE

volumes:
  todo-mysql-data:

All I did was take the value out of the environment lines and then turn the lines into a proper yml list. So for example take “MYSQL_HOST: mysql” and turn it into “- MYSQL_HOST”

Then all that was needed was call the composer with the doppler run command.

doppler run -- docker-compose up -d

As always feel free to reach out if there are any questions, comments, etc., and I’ll get back to you as soon as I can.

Published by Siggi Bjarnason

View all posts by Siggi Bjarnason

16 Jun

Emailing from PHP

In this article I'm replicating what I did with python with PHP and demonstrating how to send automated emails via PHP using he PHPMailer module.

15 Jun

Secrets Management Conclusion

Third and final installment on secret management. In this article I give an overview of all the solutions I found that met my criteria.

14 Jun

Secrets Management, a key less edition

This is a second installment on tools that will help you manage your secrets. This time I'm diving into a solution called AKEYLESS which looks like a great option for those needing a more fully fledged Secret and key management solution.

12 Jun

Emailing from python3

In this article I deviate again from cybersecurity to continue with topic of how to send notifications from python, this time by sending fully functional email

07 Jun

Slack messaging from Python3

In this article I deviate slightly from the infosec related topics and explain how one can add slack messaging capabilities to their python scripting..

04 Jun

Mass shootings the USA

I wanted to pen some thoughts on the horrific problem the USA is facing in regard to mass shootings. For those that don’t know I was born and raised in Iceland but lived in Seattle WA, USA for most of…

18 May

Docker and Doppler

My latest project has been to get more comfortable with Docker, how it works, how to set it up, etc. During that I started learning how to integrate Doppler into Docker. This article explains my findings.

09 May

Secrets Management

In this article I talk about benefits of managing all the secrets you use in your dev efforts and how to do it efficiently and securely. I also provide a sample script to play with.

30 Mar

Cybersecurity philosophy

I am not planning on waxing philosophy in this post, but I do want to discuss ideology or mindset of a successful cybersecurity professional. In my Vulnerability Management post I went over how to structure your vulnerability management program. Here…

17 Mar

My thoughts on the Ukraine invasion

I expressed an opinion on Twitter the other day that I thought we should be responding to Ukraine’s request for full military assistance by sending NATO forces into Ukraine to expel the Russian invasion force. I got some interesting responses…