Context:
As my Node.js project grows larger, the need for configuration increases. This project is the first project where I have switched from a 'legacy configuration file' (say, a config.js or config.json) to a dotenv (.env) file to configure the product.
However, the sheer amount of environment variables used raises a question. These environment variables are all related to OS and networking configuration, so it seems justified to configure the application with the dotenv technique.
Question:
Say there is one environment variable already set; that would mess up the configuration. A practical example of this would be when you upload a project to some of the bigger (cloud) hosts: the PORT environment variable of the machine is set, and may therefore override a default value (see example below), or a value that you might expect. For a system administrator, these errors would be hard to debug.
const PORT = process.env.PORT || 3000
How does one deal with these pitfalls?
Current situation:
I am currently using [name of product]_[name of variable] as template for my environment variables. It feels like a hack (remember private members in JS?) and there is most likely a better solution available.
The second option I have in mind is to be very explicit in the .env files by settings all variables used in the product. However, reliability seems to be a weak spot here: if someone were to remove one setting, the entire "defense mechanism" is gone and the product is vulnerable to these bugs again.
Related
I did search, but didn't find exactly what I'm looking for. In the past, I've had multiple Puppet masters, one for each environment, then made scripts to promote code from one environment to the next on a monthly basis, but that process is a pain. I'm currently working on a single Puppet Master and am trying to take advantage of the environments feature but don't want the default environment set to production. This should be simple, but I've not yet worked out the solution. Without needing to set environments in the agents, how do I set the default environment on the master to "quarantine"? I'm running puppetserver 7.9.2.1 on Oracle Linux 8.
Without needing to set environments in the agents, how do I set the default environment on the master to "quarantine"?
This is the environment setting in the main puppet.conf configuration file. For [agent] configuration it specifies which environment the agent should request (which is not necessarily the one it gets), but for [server] configuration it specifies the default environment assigned when the agent does not request one and none is provided by the node terminus.
Example:
# ...
[server]
environment = quarantine
# ...
Because it has different significance to different Puppet components, you should avoid specifying this setting in the [main] section. You can meaningfully specify different values for this setting in different sections.
Although that answers what you actually asked, it might not be what you really want. Note well that the default environment set at the server will be overridden if a client requests a specific environment. If you want to prevent your Puppet clients from (successfully) specifying their own environments then you will want to set up an external node classifier that specifies at least the environment for each node. And if you have that, then whatever default you set in puppet.conf will be moot.
I am building a relatively complex distributed Node system. Let's say there are two processes (node apps), A and B. They are defined in separate projects.
In addition, there are a couple of custom made node modules, being used in both A and B. Let's call them M and N. In addition, M is using N.
How should I correctly handle environment vars?
I guess I should define .env for both main processes (A and B), handle all ENV vars from there and simply pass the needed env vars from there, down to M and N. This way, M and N (and other internal modules) will receive their own ENV vars passed as parameters on creation.
Is this approach correct?
Having modules getting direct access to process.env is not a good idea, and modules having their own .env file is an even worse idea.
.env files should not be added to source control (ie git) because they change with the environment (dev, prod, pre-prod) and sometimes contains sensitive information (like AWS secret keys). So that would require you to paste a .env file each time you install your node_modules making your deployment process more complex.
The .env file loaded inside your module could merge in unexpected ways with the .env of your root app (remember there is only one process.env).
Imagine a case where your module would need to behave differently in two parts of your application. How would you override the data loaded via the .env file only in one place?
So in my opinion, your guess is correct: don't put .env in node_modules.
// This is better...
nModule.someMethod(process.env.PARAM1, process.env.PARAM2);
// ...than this
process.env.PARAM1 = '';
process.env.PARAM2 = '';
nModule.someMethod();
I feel strongly that environment variables are reserved for, well, the environment. This to me implies a few things:
Inside the code, these variables should be global, i.e., accessed only via process.env.
They are not passed down to other modules. Certainly it's a good idea to make dependencies customizable with parameters you can pass to the functions they export. But the environment should not be used for that.
How you load values into process.env is really a question of how you start your programs A and B. I personally prefer systemd services for that which have excellent support for defining the runtime environment. The dotenv package seems more like a crutch, but it's fine from the program's perspective.
Your approach sounds correct and it should work. When you define .env file and use dotenv package, you will be able to access all the variables inside .env in your code. That means that custom made node modules will also be able to access it, and you don't have to pass them anything (you can access them directly with process.env.NAME_OF_ENVIRONMENT_VARIABLE).
SUMERIZE: Create .env file in both A and B, use dotenv package, and then you can access environment variables directly inside the code with process.env.NAME_OF_ENVIRONMENT_VARIABLE (in custom node modules also). You can create constructor (for custom modules) in modules A and B, and just pass process.env.ENV_WHATEVER as a parameters. That is even better approach since your custom module's logic will be independent from the rest of the app (it will depend only on the input).
NOTE: Don't commit your .env to Git since .env usually have some confidential information. The best practice is to create a .gitignore file and add .env in it.
RECOMMENDATION You can keep all your .env files in one centralized place for better management. You can check some password management tools like https://www.dashlane.com/ or https://www.lastpass.com/.
You mentioned complex distributed system. Distribution can also be associated with a hub / centralized key/variable management system. I'm assuming there are many env variables that are shared across your multiple apps.
Isn't it a plus if you create a centralized node that contain all your required variables and protected them with authentication?
All nodes (regardless of app) to maintain only a single password string in order to authenticated with the centralized node, and load all required variables from a single .env file.
Alternatively you can use a system like vault
I'm new to NodeJS and trying to understand the internal working of the system. Normally we create a .env file or some other configuration file to keep and manage secrets. The same environment values can be kept at the system level like using "export" command on mac.
what I'm trying to understand is how NodeJS loads and reads these value when we start the program either from a configuration file or from system itself.
You can dig through the NodeJS source code to actually see how the environment is provided to NodeJS, e.g. here through the RealEnvStore class. As you can see uv_os_getenv abstracts access to the env depending on the actual operation system.
At least on unix systems uv_os_getenv uses the environ variable which basically references all the environment variables that are made available to the node process as you can see here.
Is it possible to inject/change the current enviroment variables in an already loaded and started NodeJS process?
Exposing an Interface within the application is not an option, restarting is also not a valid option.
The process is running inside a docker container, requiring a specific NodeJS Version is possible.
EDIT: The change must be done from outside the application source so doing process.env.ENV_VAR = "new env" is not possible.
It isn't possible to modify the env vars of a running process. This isn't unique to NodeJS processes. It's just how env vars work on UNIX like operating systems. The vars live within the address space of the process. And while they are, typically, initially placed at a well known location near the top of the stack the current vars are likely to be at an arbitrary address in the heap. Env vars are intentionally private to each process. So unless the program provides an API for changing its env vars you can't modify them once the program is running.
You should use a redis store shared between containers that has stored the env.
redis node repo - redis listen for changes
Sometimes I don't have access to app let's say in my Database Pool singleton and I need a way to detect the environment while instantiating pools and other resources etc, retrieve development or production configs.
I tried to lookup process object and process.env but couldn't find much.
Wondering if there's another way to detect the environment, I came across passing variables when running app.js but it's not possible in the production environment, so any other suggestions please.
or as a last resort, I'll add a variable to process.env object in a cautious manner.