Behavior: When creating a docker service and attaching a secret, the secret is mounted as /var/run/secretname with the permissions of 0444 read/read/read.
When creating a docker stack from a YML file, attaching secrets and deploying the stack (either through the CLI or through UCP), secrets are mounted as /var/run/secretname with permissions of 0000. This is a big problem because I’m using the secret inside the container (from the entrypoint.sh) like this:
--env SPLUNK_CMD_3='set deploy-poll deployer:8089 -auth admin:`cat /run/secrets/splunk-initial-admin-pw`'
I’m getting permission issues when running as a stack from the container, where “cat” is barfing back “permission denied”.
There is either a bug, or the documentation has not been completed.
Note: I’m not explicitly setting the mode in my “docker service create” command. Additionally, I don’t see the ability to set the mode from within a compose 3.1 file YML.
Trying to work my way around this, but really would like to deploy a stack and not have a shell script that deploys N services.
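
An added example, not part of the original post: the Compose file reference documents a long syntax for service-level secrets that takes `uid`, `gid` and `mode`, which lets a stack file state the file mode explicitly instead of relying on a default. The service name and image below are hypothetical, the secret is assumed to already exist in the swarm under the name used in the post, and the engine and CLI in use are assumed to support the long syntax.

```yaml
version: "3.1"

services:
  splunk:                          # hypothetical service name
    image: example/splunk:latest   # hypothetical image, replace with your own
    secrets:
      # Short syntax (mode is whatever the deploy path defaults to):
      #   - splunk-initial-admin-pw
      #
      # Long syntax: state ownership and mode explicitly.
      - source: splunk-initial-admin-pw
        target: splunk-initial-admin-pw   # file name under /run/secrets/
        uid: "0"                          # owner inside the container
        gid: "0"
        mode: 0444                        # same mode "docker service create" gave

secrets:
  splunk-initial-admin-pw:
    external: true   # created beforehand with "docker secret create"
```

If the entrypoint runs as a known non-root user, setting `uid` to that user and `mode: 0400` keeps the secret readable only by the process that needs it.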