harsil
(Gurmit456)
January 7, 2021, 7:36pm
1
My docker compose file looks like below:
rabbitmq:
image: rabbitmq:latest
volumes:
- type: volume
source: rabbit_mq_data
target: /var/lib/rabbitmq
secrets:
- source: rabbitmq_private_cert_key.pem
mode: 0444
- source: rabbitmq_cert.pem
mode: 0444
- source: rabbitmq_root_ca.pem
mode: 0444
And when I look at the mounted secrets in running container the permission looks like below:
ls -l /run/secrets/
total 16
-rw-r--r-- 1 1000 1000 1931 Jan 7 11:52 rabbitmq_cert.pem
-rw------- 1 1000 1000 5174 Jan 7 19:19 rabbitmq_private_cert_key.pem
-rw-r--r-- 1 1000 1000 1960 Jan 6 18:43 rabbitmq_root_ca.pem
For secret- rabbitmq_private_cert_key.pem only root user has read access. I’m not able understand why docker is giving different permission to a specific secret? Mode value does not seems to have any impact on mounted secret file.
My docker version is: 20.10.1
I’ll appreciate any help.
meyay
(Metin Y.)
January 7, 2021, 8:23pm
2
The long syntax is not supported during docker-compose deployments. You should have received a warning per secret… With docker-compose the mode of each file on the host will be retained. The long syntax works as expected with docker swarm (=docker stack deploy) deployments.
Example docker-compose.yml:
version: '3.6'
secrets:
secret777:
file: "./secret.txt"
secret666:
file: "./secret.txt"
secret644:
file: "./secret.txt"
secret444:
file: "./secret.txt"
secret400:
file: "./secret.txt"
services:
ubuntu:
image: ubuntu:18.04
deploy:
restart_policy:
condition: none
secrets:
- source: secret777
target: /custom/path/secret777.txt
uid: '1000'
gid: '1000'
mode: 0777
- source: secret666
target: /custom/path/secret666.txt
uid: '1000'
gid: '1000'
mode: 0666
- source: secret644
target: /custom/path/secret644.txt
uid: '1000'
gid: '1000'
mode: 0644
- source: secret444
target: /custom/path/secret444.txt
uid: '1000'
gid: '1000'
mode: 0444
- source: secret400
target: /custom/path/secret400.txt
uid: '1000'
gid: '1000'
mode: 0400
command: ls -l /custom/path
Steps to test:
echo "topsecret" > secret.txt
docker stack deploy -c docker-compose.yml secret
docker service logs secret_ubuntu
docker stack rm secret
Output of service logs:
If you use docker-compose up
instead, the output will look like this:
me@swarm1:~/secrets$ docker-compose up
WARNING: Service “ubuntu” uses secret “secret777” with uid, gid, or mode. These fields are not supported by this implementation of the Compose file
WARNING: Service “ubuntu” uses secret “secret666” with uid, gid, or mode. These fields are not supported by this implementation of the Compose file
WARNING: Service “ubuntu” uses secret “secret644” with uid, gid, or mode. These fields are not supported by this implementation of the Compose file
WARNING: Service “ubuntu” uses secret “secret444” with uid, gid, or mode. These fields are not supported by this implementation of the Compose file
WARNING: Service “ubuntu” uses secret “secret400” with uid, gid, or mode. These fields are not supported by this implementation of the Compose file
WARNING: The Docker Engine you’re using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use docker stack deploy
.
Creating network “secrets_default” with the default driver
Pulling ubuntu (ubuntu:18.04)…
18.04: Pulling from library/ubuntu
Digest: sha256:fd25e706f3dea2a5ff705dbc3353cf37f08307798f3e360a13e9385840f73fb3
Status: Downloaded newer image for ubuntu:18.04
Creating secrets_ubuntu_1 … done
Attaching to secrets_ubuntu_1
ubuntu_1 | total 20
ubuntu_1 | -rw-rw-r-- 1 1001 1001 5 Jan 7 19:46 secret400.txt
ubuntu_1 | -rw-rw-r-- 1 1001 1001 5 Jan 7 19:46 secret444.txt
ubuntu_1 | -rw-rw-r-- 1 1001 1001 5 Jan 7 19:46 secret644.txt
ubuntu_1 | -rw-rw-r-- 1 1001 1001 5 Jan 7 19:46 secret666.txt
ubuntu_1 | -rw-rw-r-- 1 1001 1001 5 Jan 7 19:46 secret777.txt
the output of ls -l:
The owner and permission mask matches the one you saw in the docker-compose deployment.
if change the permission mask or the owner on the host, you will see the change in the container as well.
harsil
(Gurmit456)
January 7, 2021, 9:39pm
3
Thank you for detailed response. My problem is solved by setting the correct permission flags on the host.
I was using docker-compose to deploy on the dev machine. I missed the warning but yes they are being produced.