How to set environment variables in Dockerfile via Azure DevOps

5
votes

In my projects Docker file I have some environment variables, like this:

ENV ACCEPT_EULA=Y
ENV SA_PASSWORD=Password
ENV MSSQL_PID=Developer
ENV MSSQL_TCP_PORT=1433

And I would like to pass the password here as an environment variable set in my pipeline.

In Azure DevOps I have two pipelines. One for building the solution and one for building and pushing docker images to DockerHub. There are options to set variables in both these pipelines: enter image description here enter image description here I have set the password in both pipelines and edited my password in the Dockerfile to look like this:

ENV SA_PASSWORD=$(SA_PASSWORD)

But that does not seem to be working. What is the correct way of passing environment variables from Azure DevOps into a Docker image?

Also, is this a safe way of passing secrets? Is there any way someone could read secrets from a Docker image?

Thanks!

4
azuredockerazure-devopsdockerfile
Hi @PalBo did you get a chance to try out below my answer? please let me know if there is any question.Levi Lu-MSFT

4 Answers

8
votes

You can set an ARG var_name and reference ENV to the ARG variables. Then you can replace those variables when docker build the image $ docker build --build-arg var_name=$(VARIABLE_NAME)

For example the add ARG in dockerfile, and have the ENV variable refer to it:

ARG SECRET
ENV ACCEPT_EULA=Y
ENV SA_PASSWORD=$SECRET
ENV MSSQL_PID=Developer
ENV MSSQL_TCP_PORT=1433

You can use dock build task and dock push task separately, as buildandpush command cannot accept arguments. And set a variable SECRET in your pipeline.

enter image description here

The set the Build Arguments SECRET= $(SECRET) to replace the ARG SECRET

enter image description here

You can also refer to a similar thread.

1
votes

I am using the Replace Tokens extension for exactly tasks like this: https://marketplace.visualstudio.com/items?itemName=qetza.replacetokens

However, putting secrets into your Dockerfile might not be the best idea. Usually you would provide secrets or generally runtime configuration as environment variables when you actually execute the container.

1
votes

I suggest to set the environment variables at runtime. If you are deploying to an Azure App Service, app settings are injected into the process as environment variables automatically.

You can then use the same image for multiple environments. With the Deploy Azure App Service task in a release pipeline, you can change the app settings for each environment.

https://docs.microsoft.com/en-us/azure/app-service/configure-custom-container?pivots=container-linux#configure-environment-variables

-3
votes

In release, choose deploy azure app service task. Provide required properties at App settings section under Application and Configuration Settings option.