database password is shown in ps!!!! #334

Open
f1-outsourcing opened this issue Nov 1, 2020 · 12 comments

Comments

@f1-outsourcing

Wtf!!!

```
root 2406755 2253348 0 13:10 pts/2 00:00:00 docker run -v /dev/log:/dev/log -u root -it --entrypoint /bin/bash --network host odoo:14
root 2425070 2406781 18 14:30 pts/0 00:00:00 /usr/bin/python3 /usr/bin/odoo --db_host db2.local --db_port 5432 --db_user odooappuser --db_password Zxxxxxxxxxya
root 2425088 2241712 0 14:30 pts/1 00:00:00 grep --color=auto odoo
```

@sbouillon

Based off your previous issue you opened it’s pretty apparent you are new to Odoo. I’d suggest you take a look at the documentation at the main repo to get an understanding of what you are setting up.

https://github.com/odoo/odoo

@tom10271

You can set options via odoo.conf

```ini
; https://www.odoo.com/documentation/13.0/reference/cmdline.html#configuration-file

[options]
; https://www.odoo.com/documentation/13.0/reference/cmdline.html#running-the-server
; Basic odoo-bin setting
without_demo = 1
addons_path = ./addons

; https://www.odoo.com/documentation/13.0/reference/cmdline.html#database
; Database
db_host = 127.0.0.1
db_port = 5439
db_user = odoo
db_password = myodoo
dbfilter = ^odoo.*$
db_name = odoo
no_database_list = 1

; https://www.odoo.com/documentation/13.0/reference/cmdline.html#developer-features
; Developer features
; dev = all

; https://www.odoo.com/documentation/13.0/reference/cmdline.html#logging
; Logging
logfile = /var/log/odoo.log
log_level = error

; https://www.odoo.com/documentation/13.0/reference/cmdline.html#multiprocessing
; Multiprocessing
;   Worker number calculation:
;       https://www.odoo.com/documentation/13.0/setup/deploy.html#worker-number-calculation
;       (#CPU * 2) + 1
;       1 worker ~= 6 concurrent users
workers = 5
;   Memory size calculation:
;       https://www.odoo.com/documentation/13.0/setup/deploy.html#worker-number-calculation
; limit_request =
; limit_memory_soft =
; limit_memory_hard =
; limit_time_cpu = 60
; limit_time_real = 120
; max_cron_threads = 2

; https://www.odoo.com/documentation/13.0/reference/cmdline.html#emails
; Email
email_from = no-reply@wow.com
smtp_server =
smtp_port =
smtp_user =
smtp_password =
```

@f1-outsourcing (Author)

@tom10271 Who cares about that? You can also not run odoo or choose opencrx to run.

If you offer the use of environment variables, you should properly implement them.

@tom10271 commented Dec 1, 2020

That's the reason why nobody cares about you Mr. Genius. Keep creating issues Yeah!

@f1-outsourcing (Author)

> That's the reason why nobody cares about you Mr. Genius. Keep creating issues Yeah!

How is that related to the issue?

@cjpit commented Feb 10, 2021

Using the configuration file, instead of passing the values as environment variables, means that you can ensure the db password is not listed. I found the same issue by default; here is an example. This is for my production build using podman and ansible, but it's similar to docker compose etc. The key is the command and entrypoint overrides that specify using the conf file instead.

```yaml
  containers.podman.podman_container:
    name: odoo-web
    image: odoo:14
    state: present
    command: --db_host=localhost --proxy-mode -c /etc/odoo/odoo.conf
    entrypoint: odoo
    pod: odoo_v14
    volume:
        - odoo-vol-web:/var/lib/odoo
        - odoo-vol-web-addon:/mnt/extra-addons
        - /home/odoo/odoo.conf:/etc/odoo/odoo.conf:Z
  become_user: odoo
```

@f1-outsourcing (Author)

@cjpit

You do not get the bigger picture. Unfortunately you have a lot of 'clueless users' that just deploy images in clouds, so it is out there for anyone to grab. And if I were to make an educated guess, most containers will have dedicated IPs/VIPs, so never localhost.
So there is your breach and depending on what you have, you have to report it.

And it is not like everyone is implementing show password coding nowadays, and with data that is stored in crm applications you should be more vigilant, hence I reported it.

@llacroix commented Jul 7, 2021

@f1-outsourcing If you're still worried about password / security have a look here https://github.com/llacroix/odoo-docker

The image sets up postgres using a .pgpass file so it can be set up as a secret. In other words, you define the PGPASSFILE env variable and store it as a secret in docker swarm. The PGPASSFILE content also won't be visible anywhere, since the content won't be visible in logs/env variables.

The images also set up a custom master password by default each time they start, to prevent having an admin party by accident. The master password is in the logs if no DEPLOYMENT_AREA is defined. That said, I might make it explicit with a variable SHOW_MASTER_PASSWORD as it's a bit confusing. It's useful to start a new environment without having to search for the master password and also safe since a master password is always defined, but it can be defined using secrets also.

@jladage commented Dec 12, 2022

Let's try this in a professional way. Since this issue is still open I guess my feedback is welcome. First I'd like to say that it's not effective to throw WTF's in issues. Most people are trying to do what's best and I'm thankful for Odoo and its community for making contributions. Please keep it decent. That said, I agree with f1-outsourcing that providing the password on the command line exposes it in ps, and if you install sentry the password is sent there as well; you have to admit that that is not a proper way to run any service.

There are multiple ways to deal with passwords. Docker Secrets in Swarm mode can provide containers with secrets mounted only in an in-memory temp filesystem. But that won't help with the current entry_point.sh implementation. There are also docker configs, which allow you to substitute docker secrets into a template config file. That way no secrets are exposed at all. But I guess one doesn't want to impose the use of Docker Swarm.

Looking at the entry_point.sh, this issue can be prevented simply by adding some lines to verify whether all arguments are found in the odoo.conf, and if so add -c config/odoo.conf as an argument to odoo-bin instead of the individual arguments.

That way you don't have to use env vars, and it won't be exposed to ps or sentry, but you still have an unencrypted password on filesystem. I could live with that, though.

If this is not an option, I'd like to understand why. As an alternative you could also build your own image using an entry-point.sh that calls odoo with -c config/odoo.conf.

I hope this makes things a bit more clear and I would like to get a response to why Odoo chooses this way though, just so I can understand, it might be that I'm overlooking something.
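The approach cjpit and jladage describe above (hand the credentials to odoo through a config file passed with `-c`, so nothing secret sits in argv) can be sketched as a small POSIX entrypoint. This is an added example written for this thread; it is not the odoo/docker `entrypoint.sh` and not code from any commenter. The variable names `ODOO_DB_HOST/PORT/USER/PASSWORD`, the `*_FILE` convention for reading a mounted secret (for example `/run/secrets/db_password`), and the `odoo` binary name on `PATH` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the odoo/docker entrypoint): render the DB settings into
# a 0600 config file and start odoo with -c, so the password is never an argv
# element that `ps`, /proc/<pid>/cmdline or an error reporter can pick up.
# ODOO_DB_* names and the *_FILE secret convention are assumptions here.

# read_secret NAME: first line of the file named by NAME_FILE (a mounted
# secret) if it is readable, otherwise the value of NAME itself.
read_secret() {
    eval "secret_file=\${${1}_FILE:-}"
    if [ -n "$secret_file" ] && [ -r "$secret_file" ]; then
        head -n 1 "$secret_file" | tr -d '\r\n'
    else
        eval "printf '%s' \"\${$1:-}\""
    fi
}

# write_db_conf PATH: write the [options] section odoo reads. The umask is
# set in a subshell before the redirection opens the file, so it is created
# owner-readable only; chmod then enforces 0600 even on a pre-existing file.
write_db_conf() {
    conf_path="$1"
    (
        umask 077
        {
            printf '%s\n' "[options]"
            printf 'db_host = %s\n' "$(read_secret ODOO_DB_HOST)"
            printf 'db_port = %s\n' "$(read_secret ODOO_DB_PORT)"
            printf 'db_user = %s\n' "$(read_secret ODOO_DB_USER)"
            printf 'db_password = %s\n' "$(read_secret ODOO_DB_PASSWORD)"
        } > "$conf_path"
    )
    chmod 0600 "$conf_path"
}

# odoo_cmdline PATH [ARGS...]: the command line the entrypoint would exec.
# Only the config path and the caller's extra flags ever appear in it.
odoo_cmdline() {
    conf_path="$1"; shift
    printf 'odoo -c %s' "$conf_path"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# start_odoo PATH [ARGS...]: the last thing a real entrypoint would do.
start_odoo() {
    conf_path="$1"; shift
    write_db_conf "$conf_path"
    exec odoo -c "$conf_path" "$@"
}

# Example invocation inside a container (not run when the file is sourced):
#   ODOO_DB_PASSWORD_FILE=/run/secrets/db_password \
#   start_odoo /etc/odoo/odoo.conf --proxy-mode
```

After `start_odoo`, `ps` shows `odoo -c /etc/odoo/odoo.conf --proxy-mode` and nothing else; the password remains on disk, readable only by the container user, which is the trade-off jladage describes as acceptable.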

@f1-outsourcing (Author) commented Dec 12, 2022

> @f1-outsourcing If you're still worried about password / security have a look here https://github.com/llacroix/odoo-docker
>
> The image sets up postgres using a .pgpass file so it can be set up as a secret. In other words, you define the PGPASSFILE env variable and store it as a secret in docker swarm. The PGPASSFILE content also won't be visible anywhere, since the content won't be visible in logs/env variables.
>
> The images also set up a custom master password by default each time they start, to prevent having an admin party by accident. The master password is in the logs if no DEPLOYMENT_AREA is defined. That said, I might make it explicit with a variable SHOW_MASTER_PASSWORD as it's a bit confusing. It's useful to start a new environment without having to search for the master password and also safe since a master password is always defined, but it can be defined using secrets also.

Nice, but currently I am evaluating suitecrm, it looks like these guys have a proper multi role / security / company working. I also need to have full pbx integration, which is still not default in odoo (afaik).
But having said this, I have to admit that also at suitecrm there is some rookie crap in coding and the database.

@f1-outsourcing (Author)

> Let's try this in a professional way. Since this issue is still open I guess my feedback is welcome. First I'd like to say that it's not effective to throw WTF's in issues. Most people are trying to do what's best and I'm thankful for Odoo and its community for making contributions. Please keep it decent. That said, I agree with f1-outsourcing that providing the password on the command line exposes it in ps, and if you install sentry the password is sent there as well; you have to admit that that is not a proper way to run any service.

Professional in my opinion means on topic, and not whining about the language that is being used, nor issue templates if the information shown is sufficient.

> I hope this makes things a bit more clear and I would like to get a response to why Odoo chooses this way though, just so I can understand, it might be that I'm overlooking something.

They will explain nothing, this is just the 'thinking' level that they operate at. I am not sure if they still have this upgrade tool where you send all your contact information to India(?) which violates almost every privacy legislation there is. If you create such things, your thinking is just different.
If you look at a project like opencrx, these guys know how to make databases, but the gui is just terrible. Their business model is customizing a gui for you. ;)

@llacroix

@f1-outsourcing yeah thanks. That said, the docker image isn't being updated much lately as I'm moving to a much improved way to run odoo and, obviously, to make docker images that are way more powerful than my current fork. And quite possibly I'll split it from the odoo/docker repository because there won't be anything in common anymore.

bendem added a commit to VilleDeLiege/odoo-docker that referenced this issue Mar 22, 2023
…mmand line

Odoo will already use those values, passing them through the command line is not necessary
Fixes odoo#334
6 participants