Feature request: ability to use secrets with read only rootfs

Hi,

(please let me know if this is available, but from reading the engine source code snippets I could find it looked like something that was not implemented yet).

Docker’s secrets function and read only rootfs options are both excellent ways of securing containers, and I use them both wherever possible.

The trouble is they seem impossible to use together. I think the reason for this is that the set of secrets being exposed at the /run/secrets folder doesn’t appear to be implemented as a faked-volume, which is how it appeared. As a result the container fails on boot when first launched because it seems to try to copy the file into place on a read only root filesystem, which rejects the attempt like this:

⠋ Container server-setup-redis-1 Creating
Error response from daemon: container rootfs is marked read-only

For reference, my compose looked like this:

services:
  redis:
    image: redis:latest
    read_only: true
    volumes:
      - /efs/data:/data
    ports: ["6379"]
    command: /bin/sh -c "redis-server --requirepass `cat /run/secrets/redis-password`"
    secrets:
      - redis-password
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "redis-cli --pass `cat /run/secrets/redis-password` ping | grep PONG",
        ]
      interval: 1s
      timeout: 1s
      retries: 200

secrets:
  redis-password:
    environment: REDIS_PASSWORD

I’ve tried adding tmpfs volume mounts to the /run/secrets location and /run location, but these don’t have any effect.

Would it be possible to either
a) allow tmpfs mounting underneath these secrets in /run/secrets, or
b) switch the secrets-exposing implementation to being a faked volume folder at /run/secrets,

so they can be used in combination with a read-only rootfs? Please?

Thank you
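As an added example (not part of the post and not Docker's own tooling): a small pre-deployment check that reads the resolved project configuration, as produced by `docker compose config --format json`, and flags every service that combines `read_only: true` with compose secrets, the combination that fails with "container rootfs is marked read-only". The JSON shapes used (secrets as `{"source": ...}` entries, `tmpfs` as a list of paths) and the embedded sample config are assumptions constructed to mirror the compose file above.

```python
import json

# Constructed sample shaped like `docker compose config --format json` output
# for the compose file in the post, plus two extra services for contrast.
# Assumption: this mirrors the resolved shape; it is not captured output.
SAMPLE_CONFIG = json.dumps({
    "services": {
        "redis": {
            "image": "redis:latest",
            "read_only": True,
            "secrets": [{"source": "redis-password"}],
            "volumes": [{"type": "bind", "source": "/efs/data", "target": "/data"}],
        },
        "app": {
            "image": "example/app",
            "read_only": True,
            "tmpfs": ["/run/secrets"],
            "secrets": [{"source": "redis-password"}],
        },
        "worker": {"image": "example/worker", "secrets": [{"source": "redis-password"}]},
    },
    "secrets": {"redis-password": {"environment": "REDIS_PASSWORD"}},
})


def find_readonly_secret_conflicts(config_json: str) -> list[dict]:
    """Return one finding per service that sets read_only: true and also
    mounts compose secrets. Such a service fails at create time because the
    secret file is copied into the rootfs rather than mounted. A tmpfs on
    /run or /run/secrets is reported as well, since the post notes that
    declaring one does not avoid the error."""
    cfg = json.loads(config_json)
    findings = []
    for name, svc in sorted(cfg.get("services", {}).items()):
        if not svc.get("read_only") or not svc.get("secrets"):
            continue  # only the read-only + secrets combination is affected
        secret_names = [s["source"] if isinstance(s, dict) else s for s in svc["secrets"]]
        tmpfs_paths = list(svc.get("tmpfs") or [])
        tmpfs_paths += [v["target"] for v in svc.get("volumes", [])
                        if isinstance(v, dict) and v.get("type") == "tmpfs"]
        findings.append({
            "service": name,
            "secrets": secret_names,
            "tmpfs_on_run_secrets": any(p.rstrip("/") in ("/run", "/run/secrets")
                                        for p in tmpfs_paths),
        })
    return findings


if __name__ == "__main__":
    for f in find_readonly_secret_conflicts(SAMPLE_CONFIG):
        print(f"{f['service']}: read_only with secrets {f['secrets']} "
              f"(tmpfs on /run/secrets: {f['tmpfs_on_run_secrets']})")
```

Run it against real output with `docker compose config --format json | python3 check.py` after replacing SAMPLE_CONFIG with `sys.stdin.read()`.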

Docker secrets are exclusive to swarm services. Real secrets are listed by docker secrets ls. The only thing that is secret is that they are encrypted at rest in the swarm raft logs of the swarm cluster nodes.

Docker compose on the other hand just mimics secrets, without actually being real secrets. Those are already fake secrets as their content is already plain text available on the docker host :slight_smile: Though, mimicking secrets allows deploying compose files aimed for swarm stack deployments with docker compose without raising errors.

Since this is a community forum, I doubt the developers will actually see your post here.
If you want the devs to see your feature request, it needs to be posted either in https://github.com/docker/compose/issues, or in https://github.com/moby/moby/issues.

I am unsure whether this should be posted in the compose or the moby project, as compose just mimics something that is built into swarm services, and does not exist for plain docker containers.
