Running Disco inside a container is recommended for increased security. It allows storing the encryption key as a secret, which protects against exposing it to the shell history and other running host processes.
The following are instructions for setting up this workflow.
- Install Podman and podman-compose.
Note
While this workflow can be done with Docker, we recommend using Podman instead. The secret functionality in Docker requires enabling Swarm mode, which is not required (or supported) in Podman. Podman can also be used without root permissions, though running it as root is an additional layer of security, since it requires typing the sudo password.
-
Pull the image of the latest stable version of Disco:
podman pull docker.io/hackfixme/disco:latest
-
Initialize Disco, creating a Podman volume so that the data is persisted between runs, and at the same time create a Podman secret from the output:
podman run --rm -it --volume disco:/opt/disco hackfixme/disco:latest init \ | tee /dev/tty | head -1 | sed 's:.* ::' | podman secret create disco_key -
You can also manually copy the key and create a secret, but this way avoids storing the key in your clipboard, or risking the key being stored in your shell history, as explained in the warning here.
-
Clone the Disco repository, or copy the
docker-compose.ymlfile locally, and run:podman-compose up
This will create the pod needed for subsequent commands. This only needs to be run once.
-
Run Disco commands as usual, e.g.:
podman-compose run --rm disco set key valueYou can set this as an alias for convenience:
alias discon='podman-compose run --rm disco'
Note that if you want to run the web server, you might want to pass the
--service-portsoption topodman-compose, in order to expose the server ports to the host network. So the full command should be:podman-compose run --rm --service-ports disco serve