Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Question about configuring FleetDM for Docker, specifically using Docker Swarm. The <https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md|documentation> for configuring the binary states `mysql_password` accepts a string but is it possible to provide a path to a file that contains the password, say to a Docker secret: `/run/secrets/fleetdm-mysql-password`? I assume the answer is it’s not supported currently but I wanted to ask.

Is it possible to get the secret into env vars? This is how secrets are handled by most systems I've deployed on.

I was hoping to avoid storing secrets in environment variables because it’s not best practice from a security standpoint

When we built Fleet we were trying to model after 12factor (<https://12factor.net/config>). If there's updated guidance on best practices I am open.

This <https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/|blog post> suggests that the recommendations by 12factor for storing secrets in env vars is not best practice from a security standpoint.

One potential solution I am thinking of is when <https://github.com/fleetdm/fleet/blob/master/server/datastore/mysql/mysql.go#L327|generating the MySQL connection string> check if the value in `conf.Password` is a valid file on disk, if so read the contents, if not treat it as is.

Thoughts on this approach?