Docker Community Forums


Only root user has access to the secret

My docker compose file looks like below:

rabbitmq:
   image: rabbitmq:latest
   volumes: 
     - type: volume
       source: rabbit_mq_data
       target: /var/lib/rabbitmq
   secrets:
     -  source: rabbitmq_private_cert_key.pem
        mode: 0444
     -  source: rabbitmq_cert.pem
        mode: 0444
     -  source: rabbitmq_root_ca.pem
        mode: 0444

And when I look at the mounted secrets in the running container, the permissions look like below:

ls -l /run/secrets/
total 16
-rw-r--r-- 1 1000 1000 1931 Jan  7 11:52 rabbitmq_cert.pem
-rw------- 1 1000 1000 5174 Jan  7 19:19 rabbitmq_private_cert_key.pem
-rw-r--r-- 1 1000 1000 1960 Jan  6 18:43 rabbitmq_root_ca.pem

For the secret rabbitmq_private_cert_key.pem, only the root user has read access. I'm not able to understand why Docker is giving a different permission to a specific secret. The mode value does not seem to have any impact on the mounted secret file.
My docker version is: 20.10.1
I’ll appreciate any help.

The long syntax is not supported during docker-compose deployments. You should have received a warning per secret… With docker-compose the mode of each file on the host will be retained. The long syntax works as expected with docker swarm (=docker stack deploy) deployments.

Example docker-compose.yml:

version: '3.6'

secrets:
   secret777:
     file: "./secret.txt"
   secret666:
     file: "./secret.txt"
   secret644:
     file: "./secret.txt"
   secret444:
     file: "./secret.txt"
   secret400:
     file: "./secret.txt"

services:
   ubuntu:
     image: ubuntu:18.04
     deploy:
      restart_policy:
        condition: none
     secrets:
     - source: secret777
       target: /custom/path/secret777.txt
       uid: '1000'
       gid: '1000'
       mode: 0777
     - source: secret666
       target: /custom/path/secret666.txt
       uid: '1000'
       gid: '1000'
       mode: 0666
     - source: secret644
       target: /custom/path/secret644.txt
       uid: '1000'
       gid: '1000'
       mode: 0644
     - source: secret444
       target: /custom/path/secret444.txt
       uid: '1000'
       gid: '1000'
       mode: 0444
     - source: secret400
       target: /custom/path/secret400.txt
       uid: '1000'
       gid: '1000'
       mode: 0400
     command: ls -l /custom/path

Steps to test:

echo "topsecret" > secret.txt
docker stack deploy -c docker-compose.yml secret
docker service logs  secret_ubuntu
docker stack rm secret

Output of service logs:

If you use docker-compose up instead, the output will look like this:

The output of ls -l:

The owner and permission mask match the ones you saw in the docker-compose deployment.

If you change the permission mask or the owner on the host, you will see the change in the container as well.
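The practical consequence of the answer above is that, under plain docker-compose, the host file's mode and owner are what the container sees, and the long-syntax `mode:` is silently ignored. The following preflight script is an added example, not code from the thread or from Docker: it stats each secret's host file, predicts whether a container process running as a given uid/gid can read it, and flags every secret whose requested `mode:` differs from the host mode. The POSIX read check (root bypasses mode bits, then owner, group, other) and the constructed sample files in `demo()` are assumptions of this example.

```python
#!/usr/bin/env python3
"""Preflight check for secrets used with non-swarm docker-compose.

Assumption (from the forum answer): docker-compose mounts each secret's host
file as-is, so the host mode and owner decide who can read it inside the
container; the long-syntax mode/uid/gid only take effect under
`docker stack deploy`.
"""
import os
import stat
import tempfile


def can_read(mode, file_uid, file_gid, proc_uid, proc_gid):
    """Simplified POSIX read check: root bypasses the mode bits, otherwise
    the owner, group and other classes are consulted in that order
    (supplementary groups and capabilities are ignored here)."""
    if proc_uid == 0:
        return True
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if proc_gid == file_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_secrets(secrets, proc_uid, proc_gid):
    """Stat each secret's host file and predict container readability.

    secrets: {name: {"file": host_path, "mode": wanted_mode_or_None}}
    returns: {name: {"host_mode": int, "readable": bool, "mode_ignored": bool}}
    """
    report = {}
    for name, spec in secrets.items():
        st = os.stat(spec["file"])
        host_mode = stat.S_IMODE(st.st_mode)
        wanted = spec.get("mode")
        report[name] = {
            "host_mode": host_mode,
            "readable": can_read(host_mode, st.st_uid, st.st_gid, proc_uid, proc_gid),
            # The compose file asks for a mode the host file does not have;
            # docker-compose keeps host_mode, so this is the case to warn about.
            "mode_ignored": wanted is not None and wanted != host_mode,
        }
    return report


def demo():
    """Constructed sample: two placeholder files mirroring the thread's layout,
    one 0600 (the private key) and one 0644 (the certificate)."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "rabbitmq_private_cert_key.pem")
    cert = os.path.join(tmp, "rabbitmq_cert.pem")
    for path, mode in ((key, 0o600), (cert, 0o644)):
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    secrets = {
        "rabbitmq_private_cert_key.pem": {"file": key, "mode": 0o444},
        "rabbitmq_cert.pem": {"file": cert, "mode": 0o444},
    }
    st = os.stat(key)
    # Simulate a non-root container user that is neither the host owner nor in its group.
    return check_secrets(secrets, proc_uid=st.st_uid + 1, proc_gid=st.st_gid + 1)


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: host mode {r['host_mode']:04o}, "
              f"readable={r['readable']}, mode_ignored={r['mode_ignored']}")
```

Run it before `docker-compose up`; a secret reported as `readable=False` with `mode_ignored=True` is exactly the situation in the question, and the fix is to adjust the host file's mode or owner (the same remedy the original poster applied), since the compose `mode:` key will not do it.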

Thank you for detailed response. My problem is solved by setting the correct permission flags on the host.

I was using docker-compose to deploy on the dev machine. I missed the warning but yes they are being produced.