Docker Experts - Is my install "script" safe?

Background: I want to run my own MediaWiki (Wikipedia) on my internal network, with Docker. After hours of trial-and-error, the below script is what appears to work; I just don’t know whether it’s “safe” and secure.

# It is encouraged to install mysql in a different container from the main MediaWiki container, hence the creation of this container.
# Comments sit on their own lines: in a shell script, anything after a trailing "\" breaks the line continuation.
# -v V_MediaWiki_mysql:/var/lib/mysql : named volume for the mysql data; without it, mysql would create a randomly named anonymous volume
# -e MEDIAWIKI_DB_PORT=3306 : not a variable the mysql image reads (it only honours the MYSQL_* variables), and -e never publishes a port; it is harmless but does nothing
# mysql:8.0.35 : pinned version; "latest" was resolving to an older mysql at the time
docker run --name MediaWiki_mysql \
  -v V_MediaWiki_mysql:/var/lib/mysql \
  -e MYSQL_DATABASE=wikidb \
  -e MYSQL_USER=*** \
  -e MYSQL_PASSWORD=*** \
  -e MYSQL_ROOT_PASSWORD=*** \
  -e MEDIAWIKI_DB_PORT=3306 \
  -d mysql:8.0.35

# This creates the actual MediaWiki container.
# -v V_MediaWiki_Data:/var/www/html : keeps the MediaWiki images, pages and LocalSettings.php in a volume INSTEAD OF the container. The official mediawiki image serves from /var/www/html; the original mounted the volume at /var/lib/mysql, a path this image never uses, so nothing was being persisted.
# -p 8080:80 : publishes the web page on host port 8080
# --link MediaWiki_mysql : links this container to the mysql container (legacy option; a user-defined network or compose is the current way)
# mediawiki : the latest MediaWiki image (unpinned; pin a version tag as with mysql)
docker run --name MediaWiki \
  -v V_MediaWiki_Data:/var/www/html \
  -p 8080:80 \
  --link MediaWiki_mysql \
  -d mediawiki

Afterward, within the MediaWiki container, I ran apt-get update && apt-get upgrade. After apt-get install nano, I used nano to write the “LocalSettings.php” data onto /var/lib/mysql.

What I’m primarily worried about is specifying “MEDIAWIKI_DB_PORT=3306”. Any and all feedback welcome.

I’d be worried about specifying passwords on the command line…

Bring up your MediaWiki using docker compose. There you can specify how the main container is connected to the other required service containers. All containers are wired up per spec and brought up together.

You should make a docker compose. Use secrets for the password and don’t pass the DB port through the host. If you put both the DB and the service in the same compose, they will share a network and be able to connect through that.

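The compose file the two replies above are describing, written out as an added example (it is not from the thread or from the MediaWiki or Docker projects). The service names db and wiki, the volume and secret names, the ./secrets/ paths and the mediawiki:1.41 tag are assumptions; the mysql:8.0.35 tag and the wikidb database name come from the original script. It relies on the official mysql image reading MYSQL_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE, which point at the secret files mounted under /run/secrets, so no password appears in the compose file, in a command line or in the container's environment.

```yaml
# compose.yaml (added example, not the original poster's script)
services:
  db:
    image: mysql:8.0.35            # pinned, as in the original script
    environment:
      MYSQL_DATABASE: wikidb
      MYSQL_USER: wikiuser         # assumed user name
      # *_FILE variants make the mysql image read the value from a file
      # instead of taking it from the environment
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    secrets:
      - db_password
      - db_root_password
    volumes:
      - db_data:/var/lib/mysql     # mysql data lives in a named volume
    # No "ports:" entry: 3306 is reachable only from containers on the
    # backend network, never from the host or the LAN.
    networks:
      - backend
    restart: unless-stopped

  wiki:
    image: mediawiki:1.41          # assumed tag; pin whatever version you installed
    depends_on:
      - db
    ports:
      - "8080:80"                  # the only port published on the host
    volumes:
      - wiki_data:/var/www/html    # images, pages and LocalSettings.php
    networks:
      - backend
    restart: unless-stopped

secrets:
  db_password:
    file: ./secrets/db_password.txt        # assumed path; chmod 600
  db_root_password:
    file: ./secrets/db_root_password.txt   # assumed path; chmod 600

volumes:
  db_data:
  wiki_data:

networks:
  backend:                         # private compose network shared by db and wiki
```

Put one password per file under ./secrets/, restrict them with chmod 600, and start everything with docker compose up -d. In the MediaWiki installer (or $wgDBserver in LocalSettings.php) the database host is simply db, because compose resolves service names on the backend network. The reason this is better than the original docker run lines: anyone who can run docker inspect MediaWiki_mysql on the host sees MYSQL_PASSWORD in the container's environment, and the docker run command also ends up in the shell history; with file-backed secrets the password exists only in the 600-mode file and at /run/secrets inside the db container.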

Why is that? I guess because of the history?

Per Docker

Looks like my install script is mostly the same, aside from using mysql instead of mariadb (will that even make a difference?)

What does this all mean? I’m pretty new to Docker

If you specify passwords on the command line they can be read by anyone (or any process), basically making them public. This is the opposite of why you have a password.

If you create a secret and specify this in the docker compose file (assuming proper file permissions) it’s only visible to the docker service.

Docker sets up a “private network” for its containers by default (inside the computer). This makes communication between containers pretty safe.