To Reproduce
- Use Dokploy Cloud v0.29.12 with an Application deployed to a remote, single-node Docker Swarm server.
- Configure multiple runtime variables in the application's Environment tab. Include a harmless marker such as:
- Save the Environment configuration.
- Deploy or redeploy the application from Dokploy.
- Confirm that the deployment finishes successfully with status
done.
- Inspect the deployed service on the remote server without printing secret values:
docker service inspect <service> --format '{{ len .Spec.TaskTemplate.ContainerSpec.Env }}'
- Inspect only the harmless marker inside the running task:
docker exec <container> sh -lc 'if [ "$DOKPLOY_ENV_TEST" = "true" ]; then echo present; else echo missing; fi'
- Observe that the service environment count is
0 and the marker is missing.
- Add or change a variable in the Environment tab and redeploy again. The new task still receives no runtime variables.
This reproduced consistently across two Docker-image Applications on the same remote server. One application had a small environment block and the other had more than 30 configured entries; both new service specs ended with an empty environment array.
Current vs. Expected behavior
Current behavior
- Dokploy Cloud displays the saved variables correctly in the Environment tab.
- Deploy/redeploy completes successfully.
- The resulting remote Swarm service has:
TaskTemplate.ContainerSpec.Env: []
- Consequently, applications fail at startup when required configuration is absent.
- If an application also has a bind-mounted
.env file, it may appear to work while silently using stale file content instead of the Environment tab. Changes made in the Environment tab are still not received.
Expected behavior
- Every variable saved in the application's Environment tab should be applied to the remote Swarm service during deploy/redeploy.
- A deployment must not report success if the configured environment cannot be decrypted or parsed.
- If environment decryption fails, deployment should stop with an actionable error and preserve the last working service rather than replacing it with
Env: [].
- A file volume should not be required for runtime variables; the Environment tab should be usable as the sole configuration source.
Provide environment information
Operating System:
OS: Linux (remote VPS)
Arch: x86_64
Dokploy version: Dokploy Cloud v0.29.12
VPS Provider: Remote VPS provider (redacted)
Deployment target: Remote single-node Docker Swarm
Applications/services: Docker-image and Dockerfile Applications
Which area(s) are affected? (Select all that apply)
Application, Docker, Remote server, Cloud Version
Are you deploying the applications where Dokploy is installed or on a remote server?
Remote server
Additional context
Investigation
The saved Environment value is present when reading the Application configuration through Dokploy, and the same plaintext block parses correctly as dotenv syntax. However, immediately after a successful Dokploy deploy/redeploy, the remote service contains zero runtime environment entries.
This appears related to environment-at-rest encryption introduced in #4789. The exact failure path is described in closed PR #4816:
- Environment decryption fails and the ORM returns the raw versioned ciphertext beginning with
enc:v1:.
- The deployment path passes that value to dotenv parsing.
- The ciphertext is not a dotenv assignment, so parsing produces an empty object.
- The Swarm builder writes
TaskTemplate.ContainerSpec.Env: [].
- Deployment still reports success.
Because this occurs on Dokploy Cloud while dispatching to a remote deployment worker, a Cloud web/worker version mismatch or inconsistent ENCRYPTION_KEY / BETTER_AUTH_SECRET is a possible infrastructure trigger. That part is an inference and needs confirmation by the Dokploy team.
Workarounds currently verified
1. Directly restore the complete environment on the Swarm service
Applying the complete environment directly with docker service update restores the application:
docker service update \
--env-add KEY=value \
<service>
In practice, all required variables must be applied together; adding only one marker is unsafe for an application that requires many variables. Secret values should be supplied through a secure mechanism and must not be placed in shell history or logs.
This workaround is temporary: the next Dokploy deploy/redeploy removes the variables again.
2. Temporary bind-mounted .env file
A file volume mounted at the application's working-directory .env path allows runtimes that load dotenv files at startup to continue operating. After editing the file, the application must be reloaded so the process reads it again.
This is not the desired permanent solution because it duplicates the Environment tab, can become stale, and can hide the fact that the Swarm service environment is empty. The intended steady state is:
- Environment tab is the only runtime configuration source.
- “Create .env file” is disabled.
- No application
.env file volume is mounted.
- Deploy/redeploy reliably applies the saved variables.
The file-volume workaround cannot be safely removed until Environment propagation works again.
Suggested behavior/fix
At minimum, reject raw enc:v1: ciphertext before dotenv parsing and fail the deployment with an encryption-key consistency error, as proposed in #4816. The underlying Cloud worker key/version inconsistency should also be corrected so the worker can decrypt the environment block.
No logs, screenshots, names, IDs, domains, IP addresses, environment-variable values, or credentials are included in this report.
Will you send a PR to fix it?
No
To Reproduce
done.0and the marker is missing.This reproduced consistently across two Docker-image Applications on the same remote server. One application had a small environment block and the other had more than 30 configured entries; both new service specs ended with an empty environment array.
Current vs. Expected behavior
Current behavior
.envfile, it may appear to work while silently using stale file content instead of the Environment tab. Changes made in the Environment tab are still not received.Expected behavior
Env: [].Provide environment information
Which area(s) are affected? (Select all that apply)
Application, Docker, Remote server, Cloud Version
Are you deploying the applications where Dokploy is installed or on a remote server?
Remote server
Additional context
Investigation
The saved Environment value is present when reading the Application configuration through Dokploy, and the same plaintext block parses correctly as dotenv syntax. However, immediately after a successful Dokploy deploy/redeploy, the remote service contains zero runtime environment entries.
This appears related to environment-at-rest encryption introduced in #4789. The exact failure path is described in closed PR #4816:
enc:v1:.TaskTemplate.ContainerSpec.Env: [].Because this occurs on Dokploy Cloud while dispatching to a remote deployment worker, a Cloud web/worker version mismatch or inconsistent
ENCRYPTION_KEY/BETTER_AUTH_SECRETis a possible infrastructure trigger. That part is an inference and needs confirmation by the Dokploy team.Workarounds currently verified
1. Directly restore the complete environment on the Swarm service
Applying the complete environment directly with
docker service updaterestores the application:In practice, all required variables must be applied together; adding only one marker is unsafe for an application that requires many variables. Secret values should be supplied through a secure mechanism and must not be placed in shell history or logs.
This workaround is temporary: the next Dokploy deploy/redeploy removes the variables again.
2. Temporary bind-mounted
.envfileA file volume mounted at the application's working-directory
.envpath allows runtimes that load dotenv files at startup to continue operating. After editing the file, the application must be reloaded so the process reads it again.This is not the desired permanent solution because it duplicates the Environment tab, can become stale, and can hide the fact that the Swarm service environment is empty. The intended steady state is:
.envfile volume is mounted.The file-volume workaround cannot be safely removed until Environment propagation works again.
Suggested behavior/fix
At minimum, reject raw
enc:v1:ciphertext before dotenv parsing and fail the deployment with an encryption-key consistency error, as proposed in #4816. The underlying Cloud worker key/version inconsistency should also be corrected so the worker can decrypt the environment block.No logs, screenshots, names, IDs, domains, IP addresses, environment-variable values, or credentials are included in this report.
Will you send a PR to fix it?
No