Hi,
(please let me know if this is available, but from reading the engine source code snippets I could find it looked like something that was not implemented yet).
Docker’s secrets function and read-only rootfs option are both excellent ways of securing containers, and I use them both wherever possible.
The trouble is they seem impossible to use together. I think the reason for this is that the set of secrets being exposed at the /run/secrets folder doesn’t appear to be implemented as a faked volume, which is how it appeared. As a result the container fails on boot when first launched, because it seems to try to copy the file into place on a read-only root filesystem, which rejects the attempt like this:
⠋ Container server-setup-redis-1 Creating
Error response from daemon: container rootfs is marked read-only
For reference, my compose looked like this:
services:
  redis:
    image: redis:latest
    read_only: true
    volumes:
      - /efs/data:/data
    ports: ["6379"]
    command: /bin/sh -c "redis-server --requirepass `cat /run/secrets/redis-password`"
    secrets:
      - redis-password
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "redis-cli --pass `cat /run/secrets/redis-password` ping | grep PONG",
        ]
      interval: 1s
      timeout: 1s
      retries: 200
secrets:
  redis-password:
    environment: REDIS_PASSWORD
I’ve tried adding tmpfs volume mounts to the /run/secrets location and /run location, but these don’t have any effect.
Would it be possible to either
a) allow tmpfs mounting underneath these secrets in /run/secrets, or
b) switch the secrets-exposing implementation to being a faked volume folder at /run/secrets,
so they can be used in combination with a read-only rootfs? Please?
Thank you
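The failure above only shows up when the daemon tries to create the container, so a pre-flight check over the Compose file is a cheap way to catch the combination before a deploy. The following is an added example, not code from the original post or from Docker: it walks the parsed Compose structure, resolves where each secret would land in the container (short syntax goes to /run/secrets/<name>, long syntax honours `target`, relative targets are taken as relative to /run/secrets), and reports every secret attached to a service whose rootfs is `read_only`. It also records whether a `tmpfs` entry was declared over the target path, but reports the finding either way, since the post above says such a tmpfs made no difference. The sample configuration is constructed inline (the `web`, `worker` and `cache` services are hypothetical additions) so the check runs offline without a YAML parser; with PyYAML installed you would feed it `yaml.safe_load(open("compose.yaml"))` instead.

```python
"""Pre-flight check: flag Compose services that combine read_only: true
with file-based secrets, the combination reported to fail at creation.

Added example; not part of Docker or the original post.
"""

# Constructed sample, as the dict a YAML parser would produce.  The "redis"
# service mirrors the post's compose file; the others are hypothetical.
SAMPLE_COMPOSE = {
    "services": {
        "redis": {
            "image": "redis:latest",
            "read_only": True,
            "volumes": ["/efs/data:/data"],
            "secrets": ["redis-password"],
        },
        "web": {  # read-only rootfs, no secrets: nothing to report
            "image": "nginx:latest",
            "read_only": True,
            "tmpfs": ["/run", "/var/cache/nginx"],
        },
        "worker": {  # secrets but writable rootfs: nothing to report
            "image": "alpine:latest",
            "secrets": [{"source": "redis-password", "target": "/etc/app/pw"}],
        },
        "cache": {  # read-only rootfs, secret, and a tmpfs declared over /run
            "image": "redis:latest",
            "read_only": True,
            "tmpfs": "/run",
            "secrets": [{"source": "redis-password", "target": "redis.pw"}],
        },
    },
    "secrets": {"redis-password": {"environment": "REDIS_PASSWORD"}},
}


def secret_targets(service):
    """Return (source, in-container path) for each secret of a service.

    Short syntax ("name") lands at /run/secrets/<name>.  Long syntax may set
    'target'; an absolute target is used as-is, a relative one is placed
    under /run/secrets/.
    """
    targets = []
    for entry in service.get("secrets", []) or []:
        if isinstance(entry, str):
            source, target = entry, entry
        else:
            source = entry["source"]
            target = entry.get("target", source)
        if not target.startswith("/"):
            target = "/run/secrets/" + target
        targets.append((source, target))
    return targets


def covered_by_tmpfs(path, service):
    """True if a declared tmpfs mount sits at or above `path`."""
    mounts = service.get("tmpfs", []) or []
    if isinstance(mounts, str):  # compose allows a single string here
        mounts = [mounts]
    for mount in mounts:
        mount_path = mount.split(":", 1)[0].rstrip("/") or "/"
        if path == mount_path or path.startswith(mount_path + "/"):
            return True
    return False


def find_conflicts(compose):
    """Return (service, secret, target, tmpfs_declared) for every secret
    attached to a service whose root filesystem is read-only."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if not svc.get("read_only"):
            continue
        for source, target in secret_targets(svc):
            findings.append((name, source, target, covered_by_tmpfs(target, svc)))
    return findings


if __name__ == "__main__":
    for service, secret, target, tmpfs in find_conflicts(SAMPLE_COMPOSE):
        note = " (tmpfs declared over target)" if tmpfs else ""
        print(f"{service}: secret '{secret}' -> {target} on read-only rootfs{note}")
```

Run it against a real file after `yaml.safe_load`, and treat any finding as a deploy blocker until the daemon-side behaviour described in the post changes; the tmpfs flag is only there to make the report explicit about what was declared.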