Docker compose error - error mounting - when using podman secret

I create the secret with `podman secret create`; I see the secret created properly (`podman secret ls`).
Then I try to use it inside the docker-compose.yml.
When I try to run `docker-compose up`, I get the following error:

```text
Error response from daemon: runc: runc create failed: unable to start container process: 
error during container init: error mounting "/var/lib/some-dir/tmp/secret_name.sec" 
to rootfs at "/run/secrets/secret_name": 
open /var/lib/containers/storage/overlay/b3eaa7599a7376c1c989bd7861859db208cbfb962d274bb640accfe62e7185a0/merged/run/secrets/secret_name: 
read-only file system: OCI runtime error
```

Am I doing something wrong?

Thanks

Wait, why are you trying to use podman to create a secret for Docker containers? Are you really using Docker and not podman with an alias named as “docker” pointing to podman? Can you share the content of the compose file? At least the relevant part.

Hi,
thanks for your comment.
I create a podman image and expect docker compose to create podman containers from this image.
I am also trying to pass secrets to this container (first I tried with an external secret, but I understood that it is not supported, only in swarm mode, so I tried with files).
I am using podman without an alias of docker.
This is the relevant part:

```yaml
services:
  service1:
    image: my-image:1.1.0
    user: ${USER}:otheruser
    environment:
      - PASSRORD_X_FILE=$DIR/tmp/password_a
      - TZ=${TIMEZONE}
    volumes:
      - ${DIR}/tmp:/tmp
      - /run/secrets/
      - type: tmpfs
        target: /dev/shm
        tmpfs:
          size: 1000000000
    secrets:
      - password_a
    read_only: true

secrets:
  password_a:
    file: $DIR/tmp/password_a
```

Can you please wrap your compose file into a preformatted text block; either add [code] before and [/code] after the content, or use ``` before and after instead.

What is a podman image? Doesn’t it depend on buildah to create oci images? Docker uses buildkit under the hood to create oci images. Though, it shouldn’t matter which tool is used to create an oci image. It also shouldn’t matter which container runtime is used to create a container from an oci image.

docker-compose is a client for the docker api, which by default is accessible through the unix domain socket /run/docker.sock (and/or /var/run/docker.sock). Podman needs to create the unix domain socket at the same location pointing to its own docker compliant api, for docker-compose to properly work.

Docker-compose does not really do secrets, as the result is technically not distinguishable from a read-only bind.

This is how I create the image with podman load:

```shell
podman load --input some_tar.tar
```

I assumed create means build. But instead you just load (actually import) an image into the image cache from a tar.

Though, it doesn’t matter how the oci image gets into the local image cache.

Thank you for reformatting your compose file! It helps a lot with the readability.

I forgot to mention one important thing. docker-compose (=v1) is deprecated. It is superseded by the v2 docker-cli plugin.

If you feel docker-compose (=v1) or docker compose (=v2) should work with podman, the same way they work with the docker engine they were designed for, you might want to raise an issue in Podman’s Github project and report how the docker engine behaves for your specific use case, and how podman behaves differently for it.
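For readers following the remark above that a compose file-based secret is not distinguishable from a read-only bind, here is an added example (not from any post in this thread, nor from the Docker or Podman projects) that puts the two forms side by side. The image name, the `${DIR}` path, the `/etc/app` target and the `PASSWORD_X_FILE` variable are assumptions chosen for illustration; the `/run/secrets/<name>` location is where compose places file-based secrets, as the error in the first post also shows.

```yaml
# Added example, not from any post in this thread. Both services receive the
# same password file as a read-only file inside the container: one through the
# compose `secrets:` key, the other through an explicit read-only bind mount.
# Names and paths (my-image, ${DIR}, /etc/app, PASSWORD_X_FILE) are assumptions.
services:
  with_secret:
    image: my-image:1.1.0
    environment:
      # compose mounts file-based secrets at /run/secrets/<secret name>,
      # so the *_FILE variable must point at the in-container path, not the host path
      - PASSWORD_X_FILE=/run/secrets/password_a
    secrets:
      - password_a

  with_ro_bind:
    image: my-image:1.1.0
    environment:
      - PASSWORD_X_FILE=/etc/app/password_a
    volumes:
      # same host file, bind-mounted read-only at a path the application expects
      - ${DIR}/tmp/password_a:/etc/app/password_a:ro

secrets:
  password_a:
    file: ${DIR}/tmp/password_a
```

In both forms the runtime still has to create the mount target inside the container filesystem before it can attach the file; the "read-only file system" message in the first post is what that step looks like when the target path cannot be created. Keeping the `*_FILE` variable pointed at the in-container path (rather than the host path `$DIR/tmp/password_a`) is the other detail worth checking when the application reports it cannot find the secret.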
