Add --env-file to docker exec #1681

Closed
daniel-santos opened this issue Feb 20, 2019 · 5 comments · Fixed by #2602

Comments


daniel-santos commented Feb 20, 2019

I misfiled this under moby (moby/moby#38754) and they told me to come here.

Description

This is a follow-up to moby/moby#14036. --env-file is a secure way to pass an environment that contains sensitive data. Without it my data becomes shy, the cache flushes and all my bits go down the drain.

I think the workaround is to docker cp the environment file and source it, but that means I also have to fix it up with quotes, escapes, etc.

Steps to reproduce the issue:
Describe the results you received:
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
I don't like Chicken

Output of docker version:
Output of docker info:

#  docker --version && docker info
Docker version 18.09.1, build 4c52b90
Containers: 4
 Running: 0
 Jumping: 0
 Walking: 0
 Lying down: 0
 Paused: 0
 Stopped: 4
Images: 69
Server Version: 18.09.1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 96ec2177ae841256168fcf76954f7177af9446eb
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-131-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.772GiB
Name: [censored]
ID: [censored]
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):

@markoffk

Hi. Any progress on it?

@thaJeztah (Member)

I don't think anyone worked on this.

Just to set expectations right:

  1. docker exec already inherits environment-variables that were set on the container itself, so this feature would only be useful to set other env-vars used for the duration of the docker exec

    docker run -dit --env HELLO=WORLD --name mycontainer busybox
    
    docker exec --env FOO=BAR mycontainer env
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    HOSTNAME=39a58f6d9f95
    HELLO=WORLD
    FOO=BAR
    HOME=/root
  2. the --env-file option would have the same limitations as docker run --env-file (e.g., no support for multi-line values, no support for files that have (e.g.) export FOO=BAR)

  3. more of a remark: env-vars are not really that secure; they can be read by other processes, and could easily end up in logs. For example, on a daemon with debug logs enabled, the above command shows up in the logs as:

    level=debug msg="Calling POST /v1.40/containers/mycontainer/exec"
    level=debug msg="form data: {\"AttachStderr\":true,\"AttachStdin\":false,\"AttachStdout\":true,\"Cmd\":[\"env\"],\"Detach\":false,\"DetachKeys\":\"\",\"Env\":[\"FOO=BAR\"],\"Privileged\":false,\"Tty\":false,\"User\":\"\",\"WorkingDir\":\"\"}"
    level=debug msg="Calling POST /v1.40/exec/712b9f880e51fd6d99b284672045f1563070a9d37473d2c891a859b790841dc9/start"
    

Given that we already have --env and the code to read --env-files, I personally would be ok for this to be implemented (and would accept a PR if someone wants to work on it), but perhaps @cpuguy83 @silvin-lubecki think otherwise.
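The third point above (the daemon's debug log carrying the exec request body) is something a practitioner will want to be able to check for. The following is an added example, not part of the thread and not docker's own tooling: a shell function that reads dockerd debug log lines in the format of the excerpt above and prints the names of the variables that were sent in an Env array, without ever printing the values. The sample log lines are constructed to match that format (they are not real logs), and the function names and the journalctl usage note are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue thread and not docker's own tooling.
# dockerd with debug logging enabled logs every API request body as
#   level=debug msg="form data: {...\"Env\":[\"KEY=VALUE\",...],...}"
# so an exec started with --env (or a container created with --env/--env-file)
# leaves its variables in the daemon log. This reports which variable names
# were sent, without echoing the values, so the report itself does not leak.

# Constructed sample in the format of the excerpt in the thread (not real logs).
sample_debug_log() {
    cat <<'EOF'
level=debug msg="Calling POST /v1.40/containers/mycontainer/exec"
level=debug msg="form data: {\"AttachStderr\":true,\"AttachStdin\":false,\"AttachStdout\":true,\"Cmd\":[\"env\"],\"Detach\":false,\"DetachKeys\":\"\",\"Env\":[\"FOO=BAR\",\"DB_PASSWORD=hunter2\"],\"Privileged\":false,\"Tty\":false,\"User\":\"\",\"WorkingDir\":\"\"}"
level=debug msg="Calling POST /v1.40/exec/0123456789abcdef/start"
level=debug msg="form data: {\"Cmd\":[\"sh\"],\"Env\":[],\"Privileged\":false}"
EOF
}

# Print the variable names found in the Env array of each "form data:" line,
# one per line. Reads the files given as arguments, or stdin when none.
# Caveat: a value containing the byte sequence \",\" would be split as if it
# ended an entry; even then only text before the first '=' is printed.
env_keys_in_debug_log() {
    awk '
        /msg="form data:/ && match($0, /\\"Env\\":\[[^]]*\]/) {
            body = substr($0, RSTART + 9, RLENGTH - 10)   # text between [ and ]
            n = split(body, items, /\\",\\"/)             # entries are \"K=V\",\"K=V\"
            for (i = 1; i <= n; i++) {
                gsub(/\\"/, "", items[i])                 # drop the escaped quotes
                sub(/=.*/, "", items[i])                  # keep KEY, discard VALUE
                if (items[i] != "") print items[i]
            }
        }' "$@"
}

# usage (assuming dockerd runs as the "docker" systemd unit):
#   journalctl -u docker | env_keys_in_debug_log
# offline, with the constructed sample:
#   sample_debug_log | env_keys_in_debug_log
```

Run against the constructed sample this prints FOO and DB_PASSWORD and nothing for the request with an empty Env array; the point of printing only names is that the check can be run and its output shared without reproducing the leak it is looking for. Debug logging is off by default, so the exposure only exists on daemons started with debug enabled.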

@cpuguy83 (Collaborator)

No opposition here, though it seems odd to want to add a bunch of envs to an exec.

@silvin-lubecki (Contributor)

Same here, I'm ok with this feature 👍

@nolazybits

For whoever is waiting for the new release and is able to run bash scripts:

# we do this until the new work on docker-exec --env-file is released
# SCRIPT_DIR must be set by the caller; the env file is "${SCRIPT_DIR}/.env.ci"
function generate_env
{
    # Drop comments, blank lines and lines with an empty value, then prefix each
    # remaining KEY=VALUE with -e and join the results with spaces. The output is
    # one string, so it is word-split by the shell at $(generate_env): values with
    # spaces or shell metacharacters will not survive.
    INLINE_ENV=$(grep -v -E '^(#.*|[[:space:]]*|.*=[[:space:]]*)$' "${SCRIPT_DIR}/.env.ci" \
        | while IFS= read -r line; do printf -- '-e %s ' "$line"; done)
    echo "$INLINE_ENV"
}

The above method will generate a string like -e VAR1=VALUE -e VAR2=..., removing all comments and empty lines before creating this string.

docker exec $(generate_env) ...
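The workaround above produces one whitespace-joined string, so any value containing a space or shell metacharacter is split apart when $(generate_env) is expanded, and a line such as export FOO=BAR is passed through unchanged. The following is an added example, not code from the issue or from the docker project, that passes each KEY=VALUE to docker exec as a single argument and applies the rules thaJeztah listed for --env-file: blank lines and # comments are skipped, KEY=VALUE is passed verbatim with no quote or multi-line handling, a bare KEY is copied from the caller's environment if set, and a key containing whitespace (which is what export FOO=BAR parses to) is rejected. It is written for POSIX sh; the function names docker_exec_env_file and run_docker_exec, the DRY_RUN switch and the file contents used in the test are my own assumptions, and the --env-file rules are stated from docker's documentation rather than from this thread.

```shell
#!/bin/sh
# Added example, not code from the issue or from the docker project.
# Runs `docker exec` with the contents of an env file passed as -e KEY=VALUE
# arguments, following the rules documented for `docker run --env-file`
# (treated here as assumptions about that format):
#   - blank lines and lines starting with '#' (after leading blanks) are skipped
#   - KEY=VALUE is passed verbatim: no quote stripping, no escapes, no multi-line
#   - a bare KEY is copied from this shell's exported environment if set,
#     skipped otherwise
#   - an empty KEY or a KEY containing whitespace (e.g. "export FOO=BAR") is an
#     error, as it is for docker
# Each value stays one argument, so spaces and shell metacharacters survive.

# Print the argv instead of running docker when DRY_RUN is set (lets the
# argument handling be checked without a daemon).
run_docker_exec() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$@"
    else
        docker exec "$@"
    fi
}

# usage: docker_exec_env_file ENV_FILE CONTAINER COMMAND [ARG...]
# Returns 1 (without running anything) on a malformed key.
# Uses the shell variables file, line, key, value, keep and i.
docker_exec_env_file() {
    file=$1
    shift
    keep=$#          # CONTAINER and COMMAND args, moved behind the -e options below
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # strip leading whitespace
        case $line in
            ''|'#'*) continue ;;                      # blank line or comment
        esac
        key=${line%%=*}
        case $key in
            ''|*[[:space:]]*)
                printf 'env file %s: invalid key "%s"\n' "$file" "$key" >&2
                return 1 ;;
        esac
        if [ "$key" = "$line" ]; then                 # bare KEY: inherit if exported
            value=$(printenv "$key") || continue
            line="$key=$value"
        fi
        set -- "$@" -e "$line"                        # append as ONE argument
    done < "$file"
    # Rotate the original CONTAINER/COMMAND arguments to the end so that all
    # -e options precede the container name, as docker exec requires.
    i=0
    while [ "$i" -lt "$keep" ]; do
        set -- "$@" "$1"
        shift
        i=$((i + 1))
    done
    run_docker_exec "$@"
}

# usage, printing the argv that would be run:
#   DRY_RUN=1; export DRY_RUN; docker_exec_env_file .env.ci mycontainer env
```

Because the arguments are built with set -- and passed as "$@", a line like SPACED=two words reaches docker as the single argument SPACED=two words, which the string-based workaround cannot do. The bare-KEY case reads the exported environment (printenv), which matches what the docker CLI sees, and the whitespace check fails fast rather than letting docker reject the request after the file has already been read.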

6 participants