Why Are MySQL Docker Containers Exposing Plaintext Passwords?
This article examines how MySQL containers run under Docker often expose the root password in clear text through environment variables, detailing where the plaintext is stored, the resulting risk, and practical steps to reduce it.
Introduction
Docker's application-centric model has attracted global attention and cut operational costs, but its one-process-per-container design, which pushes configuration such as credentials into environment variables, also raises security concerns, especially for stateful containers such as MySQL.
Plaintext Password Issue
When a MySQL container is started with an environment variable such as MYSQL_ROOT_PASSWORD=password, the password is stored in clear text:

docker run -d -e MYSQL_ROOT_PASSWORD=password mysql:5.6.22

The image's entrypoint reads the variable only once, while initialising an empty data directory, yet the plaintext lives on in several places for the whole lifetime of the container.
Where the Plaintext Lives
- Docker daemon memory: the container object holds the complete environment, and docker inspect <container> prints it back (under Config.Env) to anyone who can reach the Docker socket.
- The container's config file on the host, /var/lib/docker/containers/<container_id>/config.json (named config.v2.json on current Docker releases), readable by root.
- The container process environment, visible via docker exec <container> env, and from the host via /proc/<mysqld_pid>/environ.
- docker-compose.yml files, which are usually committed to version control and therefore readable by everyone with access to the repository.
- The shell history of whoever typed the docker run -e ... line.
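The following script is an added example, not code from the original article: it looks for a plaintext MYSQL_ROOT_PASSWORD in the artifacts listed above. The compose file, config.json slice and env-file it writes are constructed for the demo, so it runs without Docker; the audit_running_container function covers the daemon's and the process's copies and is only used when a Docker CLI is present. The pattern intentionally ignores MYSQL_ROOT_PASSWORD_FILE, since naming a secret file instead of the secret is the remedy rather than the problem.

```shell
#!/bin/sh
# Added example, not from the original article: find a plaintext
# MYSQL_ROOT_PASSWORD in the places the article lists. The sample files
# written by make_demo_files are constructed for this demo; no container
# is needed to run it. audit_running_container is only used when a
# Docker CLI is available.

# The variable name, optionally quoted as in config.json's "Env" array,
# followed by '=' (env-file / JSON form) or ':' (YAML map form).
# MYSQL_ROOT_PASSWORD_FILE is deliberately not matched: pointing at a
# secret file is the fix, not the problem.
PLAINTEXT_PATTERN='"?MYSQL_ROOT_PASSWORD"?[=:]'

# Print every file:line:text that carries the password in clear text.
find_plaintext_mysql_password() {
    grep -nHE "$PLAINTEXT_PATTERN" "$@" 2>/dev/null || true
}

# Print the number of matching lines across all given files
# (0 if none; unreadable or missing files count as 0).
count_plaintext_mysql_password() {
    total=0
    for f in "$@"; do
        n=$(grep -cE "$PLAINTEXT_PATTERN" "$f" 2>/dev/null) || n=0
        total=$((total + n))
    done
    echo "$total"
}

# Write constructed sample files into the directory given as $1.
make_demo_files() {
    dir=$1
    mkdir -p "$dir"
    # A compose file in exactly the style the article warns about.
    cat > "$dir/docker-compose.yml" <<'EOF'
version: "2"
services:
  db:
    image: mysql:5.6.22
    environment:
      MYSQL_ROOT_PASSWORD: password
EOF
    # The relevant slice of a container's config.json as the daemon writes
    # it: the whole environment, password included, as a JSON string array.
    cat > "$dir/config.json" <<'EOF'
{"Config":{"Image":"mysql:5.6.22","Env":["MYSQL_ROOT_PASSWORD=password","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]}}
EOF
    # An env-file that only names a secret file: must produce no hit.
    cat > "$dir/db.env" <<'EOF'
MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root
EOF
}

# For a running container (name or id in $1): the daemon's copy and the
# process's copy of the environment, the two live locations the article names.
audit_running_container() {
    command -v docker >/dev/null 2>&1 || { echo "docker CLI not found"; return 1; }
    echo "== daemon's copy (docker inspect) =="
    docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$1" \
        | grep -E "$PLAINTEXT_PATTERN" || true
    echo "== process's copy (docker exec env) =="
    docker exec "$1" env | grep -E "$PLAINTEXT_PATTERN" || true
}

demo=$(mktemp -d)
make_demo_files "$demo"
find_plaintext_mysql_password "$demo/docker-compose.yml" "$demo/config.json" "$demo/db.env"
echo "plaintext hits: $(count_plaintext_mysql_password "$demo"/*)"   # 2
rm -rf "$demo"
```

Run the file-scanning part against a checkout of your compose repositories and, as root on a Docker host, against /var/lib/docker/containers/*/config*.json; run audit_running_container <name> for anything currently up. A match on a ${VAR} reference inside a compose file is still worth fixing: the substituted value ends up in clear text in the container object and the process environment just the same.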
Implications
Anyone who can talk to the Docker socket (which is effectively root on the host), read /var/lib/docker, exec into the container, or read the repository holding the compose file can retrieve the MySQL root password, and with it every database in the instance.
Mitigation
Keep the data directory on a volume so the container can be recreated without re-entering credentials, and stop passing the password with -e: the official mysql image accepts MYSQL_ROOT_PASSWORD_FILE, which names a file (typically a Docker secret mounted under /run/secrets) that the entrypoint reads once, so only the path, not the password, lands in the environment. Use a secret-management tool (Docker secrets, or an external store such as Vault) to deliver that file, and keep the secret out of compose files, env-files and shell history.
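The two compose files below are an added example, not the article's own configuration: the first repeats the pattern the article warns about, the second replaces the environment variable with a file-based secret. It assumes an official mysql image whose entrypoint supports MYSQL_ROOT_PASSWORD_FILE (images from 2017 onward; the 2015-era mysql:5.6.22 tag used in the article predates that option) and a compose file version of 3.1 or later for the secrets section. The names mysql_root, ./secrets/mysql_root.txt and db-data are made up for the example.

```yaml
# BEFORE: password passed as an environment variable (the article's pattern).
# It ends up in the daemon's container object, config.json, `docker inspect`
# output and the mysqld process environment for the container's lifetime.
version: "3.1"
services:
  db:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD: password        # plaintext, copied everywhere
    volumes:
      - db-data:/var/lib/mysql
volumes:
  db-data:
---
# AFTER: only the *path* to the secret is in the environment. The image's
# entrypoint reads /run/secrets/mysql_root once while initialising an empty
# data directory. Names below (mysql_root, ./secrets/mysql_root.txt, db-data)
# are assumptions for this example.
version: "3.1"
services:
  db:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mysql_root
    secrets:
      - mysql_root
    volumes:
      - db-data:/var/lib/mysql
secrets:
  mysql_root:
    file: ./secrets/mysql_root.txt        # mode 0400, excluded from git
volumes:
  db-data:
```

After docker-compose up -d, docker inspect --format '{{.Config.Env}}' on the container shows MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root and nothing more. This reduces the number of plaintext copies rather than eliminating them: the secret file still sits unencrypted on the host, so restrict its permissions and keep it out of version control; on a Swarm, docker secret create stores it encrypted at rest and mounts it into the container from tmpfs.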
Efficient Ops
This public account is maintained by Xiaotianguo and friends and publishes original technical articles on operations.