Using Docker Secrets with Docker-Rootless & Docker Compose

Issue type

Can’t use Docker Secrets with Docker Compose 2.2.3 without creating a swarm

OS Version/build - Docker
Client: Docker Engine - Community
Version: 20.10.13
API version: 1.41
Go version: go1.16.15
Git commit: a224086
Built: Thu Mar 10 14:07:51 2022
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.13
API version: 1.41 (minimum version 1.12)
Go version: go1.16.15
Git commit: 906f57f
Built: Thu Mar 10 14:05:44 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.10
GitCommit: 2a1d4dbdb2a1030dc5b01e96fb110a9d9f150ecc
runc:
Version: 1.0.3
GitCommit: v1.0.3-0-gf46b6ba
docker-init:
Version: 0.19.0
GitCommit: de40ad0

OS Version/build - Docker Compose
Docker Compose version v2.2.3

Steps to reproduce
1.) Install docker-rootless & docker-compose according to the documentation on Ubuntu 20.04.4

2.) Then execute:

$ echo "nextcloud" | docker secret create mysql_database -
Error response from daemon: This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again.

Based on my reading, I thought that with Docker Compose 1.11 and above you can specify secrets in your Docker Compose file without using Swarm.

Is this a limitation of running docker compose with docker-rootless? If it is not, how do I generate secrets to be used in docker-compose.yml?

thanks

my current yaml:


version: '3.9'

secrets:
  mysql_password:  
    external: true
  mysql_user:
    external: true
  mysql_database:
    external: true
  mysql_root_password:
    external: true
  redis_host_password:
    external: true
#  smtp_password:
#    external: true

volumes:
  nextcloud:
  mariadb:
  redis:
  phpmyadmin:
  
services:
  mariadb:
    image: mariadb:latest
    secrets:
      - mysql_root_password
      - mysql_password
      - mysql_database
      - mysql_user
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - ./mariadb:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
      # the mariadb image reads these from a file only via the *_FILE variants;
      # without the suffix the literal path string becomes the value
      - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
      - MYSQL_DATABASE_FILE=/run/secrets/mysql_database
      - MYSQL_USER_FILE=/run/secrets/mysql_user
    networks:
      - test-aym
  phpmyadmin:
    image: phpmyadmin:latest
    secrets:
      - mysql_root_password
    restart: always
    ports:
      - 8081:80
    environment:
      - PMA_HOST=mariadb
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
    networks:
      - test-aym
  redis:
    image: redis:6.2-alpine
    restart: always
    volumes: 
      - ./redis/redis-conf:/var/lib/redis
      - ./redis/cache:/data
    networks:
      - test-aym
  
  app:
    image: nextcloud
    restart: always
    ports:
      - 8080:80
    depends_on:
      - mariadb
      - redis
      - phpmyadmin
    secrets:
      - mysql_password
      - mysql_database
      - mysql_user
      - redis_host_password
    volumes:
      - ./nextcloud:/var/www/html
    environment:
      - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
      - MYSQL_DATABASE_FILE=/run/secrets/mysql_database
      - MYSQL_USER_FILE=/run/secrets/mysql_user
      - MYSQL_HOST=mariadb
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - REDIS_HOST_PASSWORD_FILE=/run/secrets/redis_host_password
      - NEXTCLOUD_DATA_DIR=./private/data
      #- NEXTCLOUD_TRUSTED_DOMAINS=asiliyamama.local
      #- TRUSTED_PROXIES=172.18.0.0/16
      - SMTP_HOST=
      - SMTP_SECURE= 
      - SMTP_PORT=
      - SMTP_AUTHTYPE=
      - SMTP_NAME=
      - SMTP_PASSWORD=
      - MAIL_FROM_ADDRESS= 
      - MAIL_DOMAIN=
    networks:
      - test-aym
    


networks:
  test-aym:
    external: true

External secrets will not work with docker-compose deployments. You will need to declare and use them inside the compose file.

I always felt that it’s rather an issue and not a feature that schema version "3.x" allows docker-compose to use secrets outside a swarm.

Generally all compose file configuration options can be translated into valid docker command arguments and vice versa. The only exception I am aware of are secrets used with docker-compose, as the docker command is not valid outside swarm mode.

Imho using secrets in a compose file is the only reason to use a version "3.x" schema version with docker-compose. Then again having to declare the secret in the compose file doesn’t make it any better than binding a file in read-only mode into the container.

N.B.: Secrets in swarm are distributed encrypted amongst all nodes and stored in the cluster’s raft logs.

Might you be able to provide a brief example or link to an example… I am a noob and I actually tried declaring them inside docker-compose.yml using external text files… my tests all failed.


You can find an example in the compose file reference: Compose file version 3 reference | Docker Documentation

The “file:” secret should work, the external one will definitely not. But as I already mentioned, I don’t see any advantage in using secrets over binding a file in read-only mode. In the end both will be immutable files inside the container.

@meyay thanks for the link… I followed the documentation exactly… secrets just don’t seem to work with docker rootless. Logs say:

phpmyadmin_1  | cat: /run/secrets/mysql_root_password: No such file or directory
/usr/local/bin/docker-entrypoint.sh: line 36: /run/secrets/mysql_database: No such file or directory

I think the error is because docker-rootless can’t access /run/secrets/*; docker-rootless has `/run/user/$UID/`.

Although the files below do exist, /run/secrets doesn’t exist, so declaring the file is useless.


my validated yaml is:

version: '3.9'

volumes:
  mariadb:
  phpmyadmin:
  redis:
  nextcloud:

networks:
  test-aym:

secrets:
  MYSQL_DATABASE:
    file: ./mysql_database.txt
  MYSQL_PASSWORD:
    file: ./mysql_password.txt
  MYSQL_ROOT_PASSWORD:
    file: ./mysql_root_password.txt
  MYSQL_USER:
    file: ./mysql_user.txt

services:
  mariadb:
    image: mariadb:latest
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - ./mariadb:/var/lib/mysql
    secrets:
      - MYSQL_ROOT_PASSWORD
      - MYSQL_PASSWORD
      - MYSQL_DATABASE
      - MYSQL_USER
    environment:
      # a file secret is mounted at /run/secrets/<key from the top-level secrets: map>,
      # so the path must match that key exactly, including case
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD
      - MYSQL_PASSWORD_FILE=/run/secrets/MYSQL_PASSWORD
      - MYSQL_DATABASE_FILE=/run/secrets/MYSQL_DATABASE
      - MYSQL_USER_FILE=/run/secrets/MYSQL_USER
    networks:
      - test-aym

  phpmyadmin:
    image: phpmyadmin:latest
    restart: always
    ports:
      - 8081:80
    depends_on:
      - mariadb
    secrets:
      - MYSQL_ROOT_PASSWORD
    environment:
      - PMA_HOST=mariadb
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD
    networks:
      - test-aym

  redis:
    image: redis:latest
    restart: always
    volumes:
      - ./redis:/var/lib/redis
    networks:
      - test-aym

  app:
    image: nextcloud
    restart: always
    ports:
      - 8080:80
    depends_on:
      - mariadb
      - redis
    secrets:
      - MYSQL_PASSWORD
      - MYSQL_DATABASE
      - MYSQL_USER
    volumes:
      - ./nextcloud:/var/www/html
    environment:
      # paths must match the keys declared under the top-level secrets: map
      - MYSQL_PASSWORD_FILE=/run/secrets/MYSQL_PASSWORD
      - MYSQL_DATABASE_FILE=/run/secrets/MYSQL_DATABASE
      - MYSQL_USER_FILE=/run/secrets/MYSQL_USER
      - MYSQL_HOST=mariadb
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - NEXTCLOUD_DATA_DIR=/var/www/nextcloud-data
    networks:
      - test-aym

not looking for you to debug my yaml… just a general question…

is the core difference between frameworks reliability & bugs?
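A check worth running before blaming rootless mode. Without swarm, Compose implements a `file:` secret as a bind mount of the host file at `/run/secrets/<name>`, where `<name>` is the key in the top-level `secrets:` map (or the `target` of a long-form service entry); rootless Docker moves the daemon socket under `/run/user/$UID/` but does not change that in-container path. A `*_FILE` variable that points at `/run/secrets/mysql_root_password` while the declared key is `MYSQL_ROOT_PASSWORD`, or that names a secret the service never lists, yields exactly the `cat: /run/secrets/...: No such file or directory` lines quoted above. The script below is an added example, not code from this thread or from Docker; it walks an already-parsed compose mapping and reports every unresolvable secret reference. The `BROKEN` and `FIXED` mappings are constructed to mirror the naming pattern of the compose file in the thread and are not the poster's file; loading a real file with PyYAML's `yaml.safe_load()` is the assumed entry point.

```python
"""Static check for file-backed Compose secrets used without swarm.

Compose mounts a file secret at /run/secrets/<name>, where <name> is the
key in the top-level `secrets:` map (or the `target` of a long-form
service entry).  A *_FILE variable that points anywhere else, even at
the same name in a different case, refers to a file that does not exist
inside the container.  This is independent of rootless vs. rootful Docker.

Added example; the mappings below are constructed and are not the
thread's file.  For a real file: check_compose(yaml.safe_load(open(path)))
(PyYAML assumed, not required for this self-contained run).
"""
from __future__ import annotations

SECRETS_DIR = "/run/secrets/"


def mounted_secret_paths(service: dict) -> set[str]:
    """In-container paths at which this service's secrets are mounted."""
    paths: set[str] = set()
    for entry in service.get("secrets") or []:
        if isinstance(entry, str):            # short form:  - MYSQL_PASSWORD
            paths.add(SECRETS_DIR + entry)
        else:                                 # long form:   {source: .., target: ..}
            target = entry.get("target") or entry["source"]
            paths.add(target if target.startswith("/") else SECRETS_DIR + target)
    return paths


def env_items(service: dict) -> list[tuple[str, str]]:
    """Normalise list-form and map-form `environment:` to (key, value) pairs."""
    env = service.get("environment") or []
    if isinstance(env, dict):
        return [(k, "" if v is None else str(v)) for k, v in env.items()]
    return [tuple(str(item).partition("=")[::2]) for item in env]


def check_compose(compose: dict) -> list[tuple[str, str, str, str]]:
    """Return (service, env_key, path, reason) for each reference that will
    not resolve.  reason is one of:
      "case"       - mounted at the same path in a different case
      "not_listed" - declared at top level, but not under this service's secrets:
      "undeclared" - no secret of that name exists at all
    """
    top_level = compose.get("secrets") or {}
    declared_lower = {name.lower() for name in top_level}
    problems: list[tuple[str, str, str, str]] = []
    for svc_name, svc in (compose.get("services") or {}).items():
        mounted = mounted_secret_paths(svc)
        mounted_lower = {p.lower() for p in mounted}
        # a secret a service lists must exist at top level, or compose refuses the file
        for entry in svc.get("secrets") or []:
            source = entry if isinstance(entry, str) else entry["source"]
            if source not in top_level:
                problems.append((svc_name, "secrets", source, "undeclared"))
        for key, value in env_items(svc):
            if not value.startswith(SECRETS_DIR) or value in mounted:
                continue
            basename = value[len(SECRETS_DIR):]
            if value.lower() in mounted_lower:
                reason = "case"
            elif basename.lower() in declared_lower:
                reason = "not_listed"
            else:
                reason = "undeclared"
            problems.append((svc_name, key, value, reason))
    return problems


def _service(secrets: list[str], env: list[str]) -> dict:
    return {"image": "example", "secrets": secrets, "environment": env}


# Constructed: uppercase secret keys, lowercase /run/secrets/... paths, and a
# MYSQL_USER_FILE reference with no matching entry under the service's secrets.
BROKEN = {
    "secrets": {
        "MYSQL_DATABASE": {"file": "./mysql_database.txt"},
        "MYSQL_PASSWORD": {"file": "./mysql_password.txt"},
        "MYSQL_ROOT_PASSWORD": {"file": "./mysql_root_password.txt"},
        "MYSQL_USER": {"file": "./mysql_user.txt"},
    },
    "services": {
        "mariadb": _service(
            ["MYSQL_ROOT_PASSWORD", "MYSQL_PASSWORD", "MYSQL_DATABASE"],
            ["MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password",
             "MYSQL_PASSWORD_FILE=/run/secrets/mysql_password",
             "MYSQL_DATABASE_FILE=/run/secrets/mysql_database",
             "MYSQL_USER_FILE=/run/secrets/mysql_user"]),
        "phpmyadmin": _service(
            ["MYSQL_ROOT_PASSWORD"],
            ["PMA_HOST=mariadb",
             "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password"]),
    },
}

# Constructed: the same services with paths spelled like the declared keys
# and every referenced secret listed under the service.
FIXED = {
    "secrets": BROKEN["secrets"],
    "services": {
        "mariadb": _service(
            ["MYSQL_ROOT_PASSWORD", "MYSQL_PASSWORD", "MYSQL_DATABASE", "MYSQL_USER"],
            ["MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD",
             "MYSQL_PASSWORD_FILE=/run/secrets/MYSQL_PASSWORD",
             "MYSQL_DATABASE_FILE=/run/secrets/MYSQL_DATABASE",
             "MYSQL_USER_FILE=/run/secrets/MYSQL_USER"]),
        "phpmyadmin": _service(
            ["MYSQL_ROOT_PASSWORD"],
            ["PMA_HOST=mariadb",
             "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/MYSQL_ROOT_PASSWORD"]),
    },
}

if __name__ == "__main__":
    for problem in check_compose(BROKEN):
        print("%s: %s=%s (%s)" % problem)
    print("fixed file:", check_compose(FIXED) or "no problems")
```

Run it against a real file with `check_compose(yaml.safe_load(open("docker-compose.yml")))`; every line it prints corresponds to a `No such file or directory` you would otherwise only see in the container logs. The check is deliberately case-sensitive because the mount path is: the `case` reason exists only to point at the likely fix.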