Injecting configuration settings as environment variables is the approach to application configuration recommended by the 12 factor appwebsite.

将配置设置作为环境变量注入是12 因子应用程序网站推荐的应用程序配置方法。

• http://12factor.net/config

• http://12factor.net/config

Alternatively you could create your own container that reads it's configuration from custom configuration file:

或者，您可以创建自己的容器，从自定义配置文件中读取其配置：

docker run -d mydockerapp --config mydevconfig.yaml

But really the use of environment variables has the edge in terms of flexibility because it is ubiquitous across all platforms. To make environment variables more palatable you could specify them within a file. This at least will ensure a malicious user on the same machine could not glean credentials from a process listing:

但实际上，环境变量的使用在灵活性方面具有优势，因为它在所有平台上无处不在。为了使环境变量更可口，您可以在文件中指定它们。这至少将确保同一台机器上的恶意用户无法从进程列表中收集凭据：

$ cat env.db 
POSTGRES_DB=myappdb
POSTGRES_USER=admin
POSTGRES_PASSWORD=pleasechangeme

$ docker run --name postgres --env-file=env.db -d postgres

Finally, I discovered that there are a number of outstanding feature requests for better secret support by docker:

最后，我发现有许多突出的功能要求 docker 提供更好的秘密支持：

• https://github.com/docker/docker/issues/13490

• https://github.com/docker/docker/issues/13490

In my experience convenience has a habit of trumping security, so I imagine it will take time for an acceptable solution to gain sufficient mind-share. Personally I forsee a solution emerging that emulates what the Kubernetes project is doing with encrypted data volumes:

根据我的经验，便利有一种胜过安全的习惯，所以我想一个可接受的解决方案需要时间才能获得足够的思想共享。我个人认为会出现一种模拟 Kubernetes 项目对加密数据量所做的事情的解决方案：

• https://kubernetes.io/docs/concepts/configuration/secret/

• https://kubernetes.io/docs/concepts/configuration/secret/