See Running Metabase in the Troubleshooting guide. In order for the Metabase container to read the files and use the contents as a secret, the environment variable name needs to be appended with a “_FILE” as explained above. We currently support the following environment variables to be used as secrets: POSTGRES_PASSWORD_FILE: /run/secrets/db_password MB_DB_PASS_FILE: /run/secrets/db_password
Notice the “_FILE” on the environment variables that have a secret): Put the db_user in the db_user.txt file, and db_password in the db_password.txt file. These files should be in the same directory as the docker-compose.yml. In addition to this example yml file, you’ll need to create two files: Here is an example docker-compose.yml file to start a Metabase Docker container with secrets to connect to a PostgreSQL database. In order to keep your connection parameters hidden from plain sight, you can use Docker Secrets to put all parameters in files so Docker can read and load them in memory before it starts the container. Use Docker Secrets to hide sensitive parameters
Note that Metabase will use this directory to extract plugins bundled with the default Metabase distribution (such as drivers for various databases such as SQLite), thus it must be readable and writable by Docker. mount type=bind,source=/path/to/plugins,destination=/plugins \
Here’s how to use a database file, owned by your account and stored in your home directory: These settings make it possible to match file permissions when files, such as the application database, are shared between the host and the container. In addition to the standard custom settings there are two docker specific environment variables MUID and MGID which are used to set the user and group IDs used by metabase when running in a docker container. You can use any of the custom settings from Customizing the Metabase Jetty Webserver by setting environment variables in your Docker run command.