Update Docker_GUI_Managers/dockhand/README.md

2026-01-24 18:26:16 +00:00
parent ceba0d7d70
commit 79bd7f61c9
1 changed files with 152 additions and 2 deletions
@@ -1,5 +1,6 @@
 Source: https://dockhand.pro/
 # Deploy
 Must have Docker installed: https://wiki.gabesville.com/books/docker/page/install-docker
 Run the docker command to install and run Dockhand:
@@ -9,7 +10,7 @@ Go to http://IPADDRESS:3000 to access
 If firewall(UFW) is enabled you may need to allow port 3000 (test first before creating the rule)
-For updating:
+# Updating
 1. CD to location you want the update script created
 2. `sudo nano update-dockhand.sh`
 3. Copypasta into file:
@@ -22,4 +23,153 @@ sleep 10s
 sudo docker run -d -p 3000:3000 --name dockhand --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /srv/docker/dockhand/dockhand_data:/app/data fnsys/dockhand:latest
 ```
 4. `sudo chmod u+x update-dockhand.sh`
-5. to run: `bash update-dockhand.sh`
+5. to run: `bash update-dockhand.sh`
 # How variables and secrets are handled:
 This document summarizes how environment variables and secrets behave when using **Dockerhand** to deploy a stack from a `compose.yaml` and `.env` file.
 ---
 ## Mental Model
 Dockerhand has **two different injection mechanisms**:
 | Type                | When injected            | Usable in `${VAR}` | Available in container |
 |---------------------|--------------------------|--------------------|------------------------|
 | **Variables**       | Before `docker compose`  | ✅ Yes             | ✅ Yes                 |
 | **Secrets**         | At container runtime     | ❌ No              | ✅ Yes                 |
 **Key takeaway:**
 > Dockerhand secrets do **not** participate in Docker Compose variable interpolation.
 ---
 ## `.env` File Usage
 Use `.env` for:
 - Non-secret defaults
 - Local development
 - Structural configuration
 Example:
 ```env
 DB_USERNAME=postgres
 DB_HOSTNAME=database
 DB_PORT=5432
 DB_DATABASE_NAME=immich
 IMMICH_VERSION=release
 UPLOAD_LOCATION=/mnt/media
 ⚠️ Do not rely on .env for secrets in production.
 ❌ What Does NOT Work (Common Pitfall)
 This fails when DB_PASSWORD is marked as a secret in Dockerhand:
 environment:
  DB_PASSWORD: ${DB_PASSWORD}
 Reason:
 Secrets are injected after Compose parsing
 ${DB_PASSWORD} resolves to empty
 ✅ Correct Pattern for Dockerhand Secrets
 Rule
 Never interpolate secrets with ${VAR}.
 Declare the variable name only.
 compose.yaml (Canonical Pattern)
 Application container (e.g. Immich)
 services:
  immich-server:
    env_file:
      - .env
    environment:
      DB_USERNAME:
      DB_PASSWORD:
      DB_HOSTNAME:
      DB_PORT:
      DB_DATABASE_NAME:
 Database container (Postgres)
 services:
  database:
    environment:
      POSTGRES_USER:
      POSTGRES_PASSWORD:
 Dockerhand Configuration
 Variables (non-secret)
 DB_USERNAME=postgres
 POSTGRES_USER=postgres
 Secrets
 DB_PASSWORD=********
 POSTGRES_PASSWORD=********
 ✔ Secrets are injected by name
 ✔ Containers receive them at runtime
 ✔ No ${VAR} expansion involved
 Why This Works
 Compose does not attempt interpolation
 Dockerhand injects secrets directly into container environments
 Applications read expected variables normally
 No accidental empty passwords
 No secret leakage via docker inspect
 Postgres-Specific Notes
 POSTGRES_PASSWORD is only used on initial DB creation
 Existing volumes require password changes via:
 ALTER USER postgres WITH PASSWORD 'newpassword';
 Authentication failures can be misleading when the app receives an empty password
 Debugging Checklist
 If authentication fails:
 Confirm secret is not interpolated (${VAR})
 Confirm variable name matches what the app expects
 Check inside container:
 env | grep PASSWORD
 Check Postgres logs for auth method (scram-sha-256)
 TL;DR
 .env = defaults & structure
 Dockerhand variables = safe overrides
 Dockerhand secrets = runtime injection only
 Never use ${VAR} for secrets
 Declare env var names and let Dockerhand fill them
 Final Rule to Remember
 If it’s marked as a secret in Dockerhand,
 Compose must never try to expand it.