)]}'
{"playbooks/roles/gitea/tasks/main.yaml":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"dee11f5b212cef05c18daf2c8d9465bce0f97036","unresolved":false,"context_lines":[{"line_number":148,"context_line":"    user: root"},{"line_number":149,"context_line":"    job: \u003e"},{"line_number":150,"context_line":"      /usr/bin/docker-compose -f /etc/gitea-docker/docker-compose.yaml exec -T mariadb"},{"line_number":151,"context_line":"      bash -c \u0027/usr/bin/mysqldump --opt --ignore-table mysql.event --all-databases --single-transaction -uroot -p\"$MYSQL_ROOT_PASSWORD\"\u0027 |"},{"line_number":152,"context_line":"      gzip -9 \u003e /var/backups/gitea-mariadb/gitea-mariadb.sql.gz"},{"line_number":153,"context_line":"    minute: 42"},{"line_number":154,"context_line":"    hour: 4"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"9fb8cfa7_3a642922","line":151,"updated":"2019-06-06 19:09:28.000000000","message":"I guess we don\u0027t keep the password on disk? 
This is probably going to leak into logs, right?","commit_id":"e832987fcab8d5af3c2c8665e2e9120aa9b3fe33"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"f517c3ab085f78b42bea0d652dd18df7639e577d","unresolved":false,"context_lines":[{"line_number":148,"context_line":"    user: root"},{"line_number":149,"context_line":"    job: \u003e"},{"line_number":150,"context_line":"      /usr/bin/docker-compose -f /etc/gitea-docker/docker-compose.yaml exec -T mariadb"},{"line_number":151,"context_line":"      bash -c \u0027/usr/bin/mysqldump --opt --ignore-table mysql.event --all-databases --single-transaction -uroot -p\"$MYSQL_ROOT_PASSWORD\"\u0027 |"},{"line_number":152,"context_line":"      gzip -9 \u003e /var/backups/gitea-mariadb/gitea-mariadb.sql.gz"},{"line_number":153,"context_line":"    minute: 42"},{"line_number":154,"context_line":"    hour: 4"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"9fb8cfa7_ba2579c4","line":151,"updated":"2019-06-06 19:14:22.000000000","message":"Oh! Right, the crond is running outside the container context, so this is likely not a regression in security anyway.","commit_id":"e832987fcab8d5af3c2c8665e2e9120aa9b3fe33"},{"author":{"_account_id":1,"name":"James E. 
Blair","email":"jim@acmegating.com","username":"corvus"},"change_message_id":"1ca40bf0f80b90d2c5e3bdf2c3dec682dcfd17b4","unresolved":false,"context_lines":[{"line_number":148,"context_line":"    user: root"},{"line_number":149,"context_line":"    job: \u003e"},{"line_number":150,"context_line":"      /usr/bin/docker-compose -f /etc/gitea-docker/docker-compose.yaml exec -T mariadb"},{"line_number":151,"context_line":"      bash -c \u0027/usr/bin/mysqldump --opt --ignore-table mysql.event --all-databases --single-transaction -uroot -p\"$MYSQL_ROOT_PASSWORD\"\u0027 |"},{"line_number":152,"context_line":"      gzip -9 \u003e /var/backups/gitea-mariadb/gitea-mariadb.sql.gz"},{"line_number":153,"context_line":"    minute: 42"},{"line_number":154,"context_line":"    hour: 4"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"9fb8cfa7_9a551520","line":151,"updated":"2019-06-06 19:13:04.000000000","message":"This is a fun container thing -- this is actually in the environment of the command when run inside the container (every command run with \"docker exec\" gets the full environment specified in the docker-compose file, which contains this variable).\n\nSo the only place this can leak is inside the mariadb container, where every command running already has this var.","commit_id":"e832987fcab8d5af3c2c8665e2e9120aa9b3fe33"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e50d5b2ea0adf85eb8d24e7c952e69ed2d69193d","unresolved":false,"context_lines":[{"line_number":148,"context_line":"    user: root"},{"line_number":149,"context_line":"    job: \u003e"},{"line_number":150,"context_line":"      /usr/bin/docker-compose -f /etc/gitea-docker/docker-compose.yaml exec -T mariadb"},{"line_number":151,"context_line":"      bash -c \u0027/usr/bin/mysqldump --opt --ignore-table mysql.event --all-databases --single-transaction -uroot -p\"$MYSQL_ROOT_PASSWORD\"\u0027 
|"},{"line_number":152,"context_line":"      gzip -9 \u003e /var/backups/gitea-mariadb/gitea-mariadb.sql.gz"},{"line_number":153,"context_line":"    minute: 42"},{"line_number":154,"context_line":"    hour: 4"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"9fb8cfa7_fa46917c","line":151,"in_reply_to":"9fb8cfa7_3a642922","updated":"2019-06-06 19:12:27.000000000","message":"The password is in the docker-compose file as an env var for that service. Running the docker-compose exec against that service gets us a shell with the password in the env var, but that is nested in the container. I\u0027m not 100% positive but I think any logs/cron email would log the outer command with the unexpanded $MYSQL_ROOT_PASSWORD and only the inner container context could log with the expanded value.\n\nSince the container is a throw away (I think) that should mostly be ok? It might show up in dockers log handling?","commit_id":"e832987fcab8d5af3c2c8665e2e9120aa9b3fe33"}]}
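Review bot: The cron job's exit status is gzip's rather than mysqldump's, so a failed dump (container down, auth error) still leaves a truncated gitea-mariadb.sql.gz in place and cron reports success; the fence below turns on `pipefail`, writes to a temporary name and only renames over the previous backup once the whole pipeline has succeeded. `set -o pipefail` assumes the entry runs under bash — the quoted context does not show cron's SHELL, so wrap the pipeline in `/bin/bash -c '...'` if it is `/bin/sh`. Separately, `-p"$MYSQL_ROOT_PASSWORD"` places the secret in mysqldump's argv inside the container for the life of the dump, whereas `MYSQL_PWD="$MYSQL_ROOT_PASSWORD" /usr/bin/mysqldump ... -uroot` keeps it in the environment the container already has. Unless the role locks down /var/backups/gitea-mariadb elsewhere, the full dump is created with root's default umask, so a `umask 077` at the start of the job is worth adding. The enclosing cron task begins before the quoted context (line 148 is mid-task).
```yaml
    job: >
      umask 077; set -o pipefail;
      /usr/bin/docker-compose -f /etc/gitea-docker/docker-compose.yaml exec -T mariadb
      bash -c 'MYSQL_PWD="$MYSQL_ROOT_PASSWORD" /usr/bin/mysqldump --opt --ignore-table mysql.event --all-databases --single-transaction -uroot' |
      gzip -9 > /var/backups/gitea-mariadb/gitea-mariadb.sql.gz.tmp &&
      mv /var/backups/gitea-mariadb/gitea-mariadb.sql.gz.tmp /var/backups/gitea-mariadb/gitea-mariadb.sql.gz
    # … unchanged: user, minute and hour keys …
```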
