python |
New posts tagged Python - Qiita |
Turning Plotly into an application with Nuitka |
https://qiita.com/3ne4ge/items/313a8d7d432b0bcd8261
|
nuitka |
2022-09-24 22:53:18 |
python |
New posts tagged Python - Qiita |
[PyTorch] How to run inference on Android: Python edition |
https://qiita.com/ta-sr/items/984779da293432f58ee1
|
android |
2022-09-24 22:40:38 |
python |
New posts tagged Python - Qiita |
Building a piglet detection model with scikit-learn |
https://qiita.com/hiratake_0108/items/6e21b7ddd0e23b166ea7
|
scikitlearn |
2022-09-24 22:05:27 |
js |
New posts tagged JavaScript - Qiita |
paiza Learning level-up problem set, A-rank level-up menu, JavaScript: The outcome of the territory game |
https://qiita.com/ZampieriIsa/items/f300f53e20942e03b775
|
javascript |
2022-09-24 22:15:22 |
Linux |
New posts tagged Ubuntu - Qiita |
Optimizing the bloated disk image of a KVM guest virtual machine: memo |
https://qiita.com/naoyoshinori/items/49f676d4f0ac3b38cd35
|
sudovirshl |
2022-09-24 22:53:10 |
Linux |
New posts tagged Ubuntu - Qiita |
Ubuntu Server 22.04 LTS upgrade: memo |
https://qiita.com/naoyoshinori/items/1af67ecc735a06b9f3ca
|
ubuntuserver |
2022-09-24 22:24:26 |
Docker |
New posts tagged docker - Qiita |
Building a WordPress environment on Windows 11 (WSL2, Docker) |
https://qiita.com/az2410/items/ddce751c34806595d579
|
powershell |
2022-09-24 22:04:53 |
Azure |
New posts tagged Azure - Qiita |
Network settings for Azure Databricks |
https://qiita.com/samskeyti/items/08985ba910fae726124e
|
ityclusterconnectivityscc |
2022-09-24 22:36:29 |
Overseas TECH |
DEV Community |
Continue Using .env Files As Usual. |
https://dev.to/wiseai/continue-using-env-files-as-usual-2am5
|
Continue Using .env Files As Usual.
Table of contents: Introduction; Storing the .env file; Updating a secret config; Versioning; Why .env file; Securing an .env file; Advantages of using an .env file; Problems with centralized config servers; Conclusion; Bonus for Linux enjoyers.
Introduction
We all know that first impressions are essential. The same goes for the first sentence of an article. In fact, it might be even more critical for an article, because the first sentence is what will determine whether or not someone keeps reading. But in the case of this article, stating that working with large-scale systems would make you eligible enough to write about the topic is quite funny. This sentence has a psychological effect that makes readers feel like they are stupid and doomed, assuming they are all working on "Hello World" kind of projects. Needless to say, as a reader, you may start to wonder: what in the world does he mean when he said he has worked on large-scale systems? I mean, literally everyone is doing that nowadays. I don't think it can be used as a unique selling point or anything; nearly everyone has experience working with large-scale enterprise systems. Even the most junior engineer has likely worked on a system that processes millions of requests/records daily. So what makes working on large-scale systems so unique? What makes you think your experience is worth anything special? You need to show that you have something unique to offer; otherwise, it's just another redundant sentence in your article. But anyway, let's move on. Let's start by criticizing each point that looks like a problem with .env files when, in reality, they are not problems at all but rather misconceptions.
Storing the .env file
Everything in Linux is a file. This section started by "The problem is, well, it's a file." Well, I don't know about you and which OS you are currently using, but everything in Linux is literally a file. This includes devices, processes, sockets, files, pipes, etc. However, the critical question is: what's wrong with it? If you think it is not a good idea to make everything in Linux a file, including env vars, then you have to invite Linus for a debate and discuss the drawbacks of this approach. Provide your solution instead. Additionally, containers are based on Linux cgroups, namespaces, and other components, which means that they are also built around the concept of everything being a file. This makes Linux a very powerful OS for running containers, as everything can be easily managed and controlled via files. Moreover, everything in k8s is also a file: a YAML file. This concept makes k8s extraordinarily flexible and customizable. You can literally configure anything you want, and there are very few restrictions. As the author is now working at Google, he has the chance to discuss with the gods behind k8s, argue with them about the drawbacks of files, and share his insights with us. We would love to hear his thoughts on this matter. Besides, the question is: who is committing a .env file to public repos? Literally no one with at least two brain cells is willing to commit a .env file, as far as I know. Some developers on GitHub, me included, commit only templates of this file to help others understand the env vars used in a particular project. There is a .gitignore file in case you want to ignore that file from being committed; that's the basics, and everyone should be aware of that. Even if you don't like to include a .gitignore file for each new repo, you can add a new entry in a global .gitignore file, so you don't have to worry about including that file each time when creating a new repo. Now you may wonder: well, how to share the .env with other developers? And the answer goes like this: if you're collaborating with other people on a project, it's essential to keep your .env file private so that only invited collaborators can see it, e.g., create a private repo for the .env file.
Updating a secret config
I have never had access to updating a database password throughout my years working at companies. This is because there is always someone responsible for managing databases. Having access to update passwords would be a huge responsibility and could potentially lead to security breaches. So having one person responsible ensures that passwords are kept up to date and secure. It also means that if there is ever a problem with a password, there is only one person who needs to be contacted to fix it. This system may not be perfect, but it is the best way to protect company data. All I can get are env names and use them within the app. That's it. Nothing else. This is why having a designated person is so important. Not only does it make life easier for employees, but it also helps keep everyone on the same page, safe and secure.
Versioning
Environment variables are not parts of the app code, so there is no need to version them. I have never used an app that keeps track of password history changes, and I see no reason why this would be necessary. They are just static values and don't change often. But in any case, if you want to apply versioning to a .env file stored in a private repo, you can release a new version for each value change. Then the author proceeds to provide a solution to a problem that doesn't exist. What's even funnier is that the solution leads to potential security risks. So basically, let someone else do it for you if you don't want to manage your secrets, not to mention that the party you share with is a centralized place. If it gets compromised, everyone's secrets in the whole damn world will get exposed. So everyone would instead have control over their secrets and not depend on third parties, especially in case of sensitive information.
Why .env file
We, as developers, use .env files to store environment variables. These files are not meant for use in production and should be removed/ignored from the codebase before deploying it to production. If you have ever worked with containerized apps, you would know that. The idea of having a .env file in a repo is to have an example or template of the required env vars as a form of documentation that tells which variables are needed for this project. They could have default values, but as we all know, they should never contain plain-text credentials. It is like telling other developers that X, Y, and Z are used in this app as env vars. Having a .env template file in a repo sets expectations for other developers and maintains best practices. This would help new developers clone the repo and work with it without any hassle. The application should then load this template .env and look for other places to override these default values depending on the current environment. This could be a .env.local file on the system, already-set system environment variables, or variables from config storage. If you ever used Jenkins or built a DevOps pipeline, you probably encountered that. We get it: it is not a good idea to use .env files in production because they can contain sensitive information like database passwords, API keys, and other credentials that should not be accessible to others. However, one thing you can do, though, is to take additional precautions to keep your .env file or env vars secure and safe.
Securing an .env file
An .env file is not secure if it's being used for production purposes. Anyone with access to the machine can view and modify it without permission. However, you can set permissions for this file. I don't know about you, but you can use the following command to secure your .env file:
chmod env
Doing so, the .env file can only be read by the owner and no one else. You can use this command in a Dockerfile if you need to copy it into the Docker image. But usually it is not encouraged to do so. In the case of Docker, secrets can be used, which are discussed later in the following sections. If you have ever worked with Laravel, the chances of using the .env file in production are high. And that is OK as long as you keep it secure. The following is a typical security practice used by Laravel developers:
Disable index view options Indexes hide a Specific File lt Files env gt order allow deny Deny from all lt Files gt
In Docker, you can import env variables with docker compose using the following command:
docker compose env file env
Or you can specify the env file within the YAML file:
version services frontend image awesome webapp env file env path to your env file
If you want to pass secrets, then you can define a secrets section within the docker compose YAML file:
version services frontend image awesome webapp secrets server certificate secrets server certificate file server cert
If you are building a Docker image, you can create an .env file to store secrets and mount the file to the container:
PYPI USER dev bro PYPI PASS my super duper secret token
Now you can load the .env file and give it an id called my secret. We can use this key in the next step to access the env. Then modify your Dockerfile so that it mounts the secrets:
FROM python slim buster COPY build script sh RUN mount type secret id my secret build script sh build script sh cat run secrets my secret
Now you can build and inject the env into the Docker image:
export DOCKER BUILDKIT docker build progress plain t my app secret id my secret src env no cache
Note that these env vars are not logged into the history, so running the following command won't reveal the secrets:
docker history my app no trunc grep PYPI PASS
For more info about secrets in Docker, you can refer to this piece of docs. Additionally, if you are using k8s, there are API objects like ConfigMap to store config data and Secrets to store confidential data. Or you can set env vars within a pod:
apiVersion v kind Pod metadata name dapi test pod spec containers name test container image registry ks io busybox command bin sh c env env Define the environment variable name SPECIAL LEVEL KEY valueFrom configMapKeyRef The ConfigMap containing the value you want to assign to SPECIAL LEVEL KEY name special config Specify the key associated with the value key special how restartPolicy Never
I have worked on many projects, some of which are open source. In some projects, like this one, I used env vars to store my secrets within CircleCI to publish a new version to PyPI automatically. Moreover, for security reasons, I have noticed that PyPI has implemented a feature to allow authentication with their servers through using API tokens, without the need for passwords anymore. So now you can store encrypted PyPI credentials within env vars. If you ever built a pipeline with Azure DevOps, you probably wanted to copy the .env file into the Docker image using the Copy files task:
steps task DownloadSecureFile displayName Download secure file inputs secureFile env task CopyFiles displayName Copy Files to System DefaultWorkingDirectory inputs SourceFolder Agent TempDirectory Contents env TargetFolder System DefaultWorkingDirectory
If you are using Jenkins, you can inject env variables using plugins like envinject. So, as you can see, it depends on the type of applications you are dealing with to follow the best practices to securely use an .env file.
Advantages of using an .env file
There are so many advantages to using .env files or environment variables, such as: Ease of management: having worked on so many backend projects, I find .env files easy to manage because they are self-explanatory and don't require additional documentation. Simplicity: .env files simplify the task of managing different backends because they allow you to configure all the necessary settings for each backend in one place. Debugging and testing: it becomes easier because developers can modify a specific environment for each application. Sharing: .env file templates like .env.example can be added to git repositories so other developers on the team know what environment variables were used for that project.
Problems with centralized config servers
Several potential problems can occur when using a centralized config server for an application. If the server goes offline, the app will not be able to start. If the server updates and renames an environment variable that the app is not expecting, the app may crash on the next restart. Finally, if the app is hosted offline, it will not be able to start without an internet connection to load the env vars from outside.
Conclusion
At the end of the day, .env files and environment variables work fine and are simple enough for development purposes, as long as you know how to use these files. However, it is totally up to you to choose the best approach that aligns with your personal preferences, what works best for your particular application or system.
Bonus for Linux enjoyers
On Linux, if you want to print out a specific environment variable, like LOGNAME, of the current process, then run the following command:
strings proc environ grep LOGNAME
And last but not least, remember that everything in Linux is just a file, including the command that you have just executed:
cat usr bin strings
Note: This article is not meant to insult anyone by any means. I just wanted to share it with everyone to clarify the situation with .env and give some tips on how to use them. Have a lovely weekend, folks! Cover image by Mike Souza on Flickr |
2022-09-24 13:46:35 |
Hokkaido |
Hokkaido Shimbun |
167 infected in the Tokachi area: COVID-19 |
https://www.hokkaido-np.co.jp/article/735771/
|
Tokachi area |
2022-09-24 22:26:00 |
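Hokkaido |
Hokkaido Shimbun |
Guidelines for proper management of mothers' identity information in confidential births, to be published as early as the end of the month |
https://www.hokkaido-np.co.jp/article/735770/
|
confidential birth |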
2022-09-24 22:20:00 |
Hokkaido |
Hokkaido Shimbun |
146 infected in the Kushiro area, 21 in the Nemuro area: COVID-19 |
https://www.hokkaido-np.co.jp/article/735723/
|
Nemuro area |
2022-09-24 22:14:21 |
Hokkaido |
Hokkaido Shimbun |
Nippon-Ham 2-6 Seibu (24th): Nippon-Ham ends with a losing record against every team |
https://www.hokkaido-np.co.jp/article/735768/
|
Nippon-Ham |
2022-09-24 22:13:00 |
Hokkaido |
Hokkaido Shimbun |
AI recreates the Showa-era Kita-odori: Kushiro Town "art exhibition" runs until the 25th |
https://www.hokkaido-np.co.jp/article/735769/
|
artificial intelligence |
2022-09-24 22:13:00 |
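Hokkaido |
Hokkaido Shimbun |
Bringing the atmosphere of Bali for the first time in three years: Otaru-born dancer Nakatani (中谷) to perform in Hokkaido in October |
https://www.hokkaido-np.co.jp/article/735675/
|
within Hokkaido |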
2022-09-24 22:09:21 |
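Hokkaido |
Hokkaido Shimbun |
Sapporo Olympic bid: corruption case may have an effect; University of Lausanne professor emeritus Chappelet says "public support rate is important" |
https://www.hokkaido-np.co.jp/article/735683/
|
Olympic bid |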
2022-09-24 22:08:09 |
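Hokkaido |
Hokkaido Shimbun |
COVID eighth wave and influenza: caution over a simultaneous winter outbreak; government subcommittee to set out measures as early as October |
https://www.hokkaido-np.co.jp/article/735659/
|
downward trend |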
2022-09-24 22:05:52 |
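Hokkaido |
Hokkaido Shimbun |
Noboribetsu Akebi and Hokkaido University of Science High School advance to the final: autumn all-Hokkaido high school rubber-ball baseball |
https://www.hokkaido-np.co.jp/article/735765/
|
advance to the final |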
2022-09-24 22:04:00 |
Hokkaido |
Hokkaido Shimbun |
82 infected in southern Hokkaido: COVID-19 |
https://www.hokkaido-np.co.jp/article/735611/
|
southern Hokkaido |
2022-09-24 22:04:22 |