Docker Community Forums


Secrets, Stacks and odd permissions

ucp

(Michael Wilde) #1

Behavior: When creating a docker service and attaching a secret, the secret is mounted as /var/run/secretname with the permissions of 0444 read/read/read.

When creating a docker stack from a YML file, attaching secrets and deploying the stack (either through the CLI, or through UCP), secrets are mounted as /var/run/secretname with permissions of 0000. This is a big problem because I’m using the secret inside the container (from the entrypoint.sh) like this:

--env SPLUNK_CMD_3='set deploy-poll deployer:8089 -auth 
      admin:`cat /run/secrets/splunk-initial-admin-pw`' 

I’m getting permissions issues when running as a stack, from the container, where “cat” is barfing back “permission denied”.

There is either a bug, or the documentation has not been completed.

Note: I’m not explicitly setting the mode in my “docker service create” command. Additionally, I don’t see the ability to set the mode from within a compose 3.1 file YML.

Trying to work my way around this, but really would like to deploy a stack and not have a shell script that deploys N services.


(Mattclark) #2

Having a similar issue with the native MacOS docker.

Here is my docker-compose.yml file:
version: '3.1'
services:
  web:
    image: wordpress:latest
    deploy:
      replicas: 1
    networks:
      - internal-net
    ports:
      - "30000:80"
    environment:
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
    secrets:
      - db_password
    volumes:
      - wpdata:/var/www/html/

  db:
    image: mysql:latest
    deploy:
      replicas: 1
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
      MYSQL_USER: wordpress
      MYSQL_DATABASE: wordpress
    secrets:
      - db_root_password
      - db_password
    networks:
      - internal-net
    volumes:
      - mydata:/var/lib/mysql

secrets:
  db_password:
    file: db_password.txt
  db_root_password:
    file: db_root_password.txt

networks:
  internal-net:
    driver: overlay
    internal: true

volumes:
  mydata:
  wpdata:


(Mattclark) #3

Fixed it myself by forcing the modes for the files:
version: '3.1'
services:
  web:
    image: wordpress:latest
    deploy:
      replicas: 1
    networks:
      - internal-net
    ports:
      - "30000:80"
    environment:
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
    secrets:
      - source: db_password
        mode: 0400
    volumes:
      - wpdata:/var/www/html/

  db:
    image: mysql:latest
    deploy:
      replicas: 1
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
      MYSQL_USER: wordpress
      MYSQL_DATABASE: wordpress
    secrets:
      - source: db_root_password
        mode: 0444
      - source: db_password
        mode: 0444
    networks:
      - internal-net
    volumes:
      - mydata:/var/lib/mysql

secrets:
  db_password:
    file: db_password.txt
  db_root_password:
    file: db_root_password.txt

networks:
  internal-net:
    driver: overlay
    internal: true

volumes:
  mydata:
  wpdata:


(Michael Wilde) #4

That’s dope. So it looks like it’s mostly a documentation problem.

I’m seeing new things in your compose like:

secrets:
  - source: db_password
    mode: 0400

I wasn’t aware the syntax allowed for “- source: secretname”… and is “mode” a child of the secret, meaning does its indent level stay below the “-” from the previous line?


(Mattclark) #5

Exactly, you could put target: in there as well if you needed it. I got lucky and tripped over a github issue where they were talking about it^^


(Michael Wilde) #6

Ok… I figured out some syntax that works (I had to make sure “mode” was properly indented–and it needed to be in a “list”). Thanks for figuring this out.

licenser:
image: registry.splunk.com/splunk/splunk:latest
secrets:
  - source:  splunk.itsi.lic
    mode: 0444
  - source:  splunk.msexchange.lic
    mode: 0444
  - source:  splunk.enterprise.lic
    mode: 0444
  - source:  splunk.vmware.lic
    mode: 0444
  - source: splunk-initial-admin-pw
    mode: 0444

(kv) #7

Hi guys. How did you get “MYSQL_ROOT_PASSWORD_FILE” env to work in the mysql container? When I tried, the mysql container would not start, throwing the following error:

“error: database is uninitialized and password option is not specified You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD”

I’m using MySQL 5.7.17.

Thanks!


(Michael Wilde) #8

Is your secret being mounted inside the container at /run/secrets/secretname?


(kv) #9

Thanks for your reply Michael. Yes, the secret is mounted at /run/secrets/secretname.


(kv) #10

Michael, I resolved the issue with MySQL. It turns out that I was using the ‘mysql/mysql-server:5.7.17’ image, which does have the Docker secret functionality (i.e. ability to read from MYSQL_ROOT_PASSWORD_FILE and MYSQL_PASSWORD_FILE). Switching to the ‘mysql:5.7.17’ image resolved my issue. Thanks. Now just trying to figure out how to get my ‘drupal:8.2.x’ container to use Docker secrets. Looks like the drupal image might not support secrets yet. Thanks again!
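As an added example (my own, not code from this thread or from any official image): a POSIX sh entrypoint helper for the VAR / VAR_FILE convention that WORDPRESS_DB_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE follow, with an explicit readability check so a secret that arrived with mode 0000 (the stack behaviour in post #1) fails with a clear message instead of a bare “permission denied” from cat. It is modelled on the file_env pattern the official images use but is not their code; wrapping an image that lacks *_FILE support (the drupal case above) in a small entrypoint that calls it before exec’ing the original entrypoint is the assumed use.

```shell
#!/bin/sh
# file_env VAR [DEFAULT]
#   Exports VAR from either $VAR or the file named by $VAR_FILE (the
#   convention behind WORDPRESS_DB_PASSWORD_FILE / MYSQL_ROOT_PASSWORD_FILE),
#   then unsets VAR_FILE so the secret path does not leak further down.
#   Returns 0 on success, 1 with a message on stderr on any problem.
#   VAR names come from the entrypoint author, never from user input, so the
#   eval-based indirection below is safe in that setting.
file_env() {
    var="$1"
    def="${2:-}"
    file_var="${var}_FILE"
    eval "val=\"\${$var:-}\""
    eval "file=\"\${$file_var:-}\""

    # Setting both is ambiguous; refuse rather than silently pick one.
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set (but are exclusive)" >&2
        return 1
    fi

    if [ -n "$file" ]; then
        # Distinguish "not mounted" from "mounted but unreadable": a stack
        # secret that came in with mode 0000 exists but fails the -r test.
        if [ ! -e "$file" ]; then
            echo "error: $file_var=$file does not exist; is the secret attached?" >&2
            return 1
        fi
        if [ ! -r "$file" ]; then
            echo "error: $file exists but is not readable; check the secret's mode" >&2
            return 1
        fi
        # Command substitution drops trailing newlines, which is what we
        # want for a one-line password file.
        val="$(cat "$file")"
    fi

    [ -n "$val" ] || val="$def"
    export "$var=$val"
    unset "$file_var"
    return 0
}
```

Call it once per variable at the top of the entrypoint (for example `file_env MYSQL_ROOT_PASSWORD`), and the rest of the script can use $MYSQL_ROOT_PASSWORD regardless of whether the operator passed the value directly or through a secret file.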