Why Are MySQL Docker Containers Exposing Plaintext Passwords?

Introduction

Docker's application‑centric model attracted global attention and reduced operational costs, but its single‑process design also raises security concerns, especially for data‑storage containers such as MySQL.

Plaintext Password Issue

When a MySQL container is started with an environment variable like MYSQL_ROOT_PASSWORD=password, the password is stored in clear text.

docker run -d MYSQL_ROOT_PASSWORD=password mysql:5.6.22

The variable is used by MySQL during initialization, yet the plaintext remains in several locations.

Where the Plaintext Lives

Docker daemon memory (container object)

config.json file under /var/lib/docker/containers/<container_id>/config.json Container process environment (visible via docker exec ... env)

docker‑compose.yml files

Implications

Anyone with access to the Docker daemon or the host can retrieve the root password, compromising data security.

Mitigation

Use volumes to externalize data and avoid embedding passwords in environment variables; consider secret‑management tools to inject credentials securely.