Secrets in docker compose

My environment is an ubuntu 18.04 VPS.

I can't get file-based secrets to work with mariadb in a docker container.

1. Create docker-compose.yml:

version: '3.7'
services:
  db:
    image: mariadb:10.4.8-bionic
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password_root
      - MYSQL_PASSWORD_FILE=/run/secrets/password_user
      - MYSQL_DATABASE=database
      - MYSQL_USER=admin
    secrets:
      - password_root
      - password_user
secrets:
  password_root:
    file: .secret_password_root
  password_user:
    file: .secret_password_user

2. Create the secrets:

echo -n secret > .secret_password_root
echo -n secret > .secret_password_user
chown root:root .secret_password*
chmod 400 .secret_password*

(Note that I can set 444, but that would expose the secrets file on the host, which is a very bad idea.)

3. Run:

docker-compose up

Error:

db_1 | /usr/local/bin/docker-entrypoint.sh: line 37: /run/secrets/password_root: Permission denied

According to the docs, the secrets file should be mounted as 0444, but that's obviously not happening.

lonix asked Mar 03 '23 08:03


2 Answers

Apparently this is not supported for "docker compose", only for "docker swarm". The docs are misleading.

Docker Compose doesn't support real (swarmkit) secrets, and imitates them by bind-mounting the file directly into the container (which means that permissions on the host are the same as in the container).

You can change the ownership of the file on the host to match the uid/gid of the user in the container, but otherwise I don't think there's much that can be done, unfortunately.

UPDATE 2022

If you want this functionality, please upvote this PR, and/or add some comments, so the developers know how badly we want this feature. That PR was supposed to add this feature, but was not completed.

lonix answered Apr 28 '23 20:04

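As an added example (not part of either answer), a small pre-flight check in Python that applies the reasoning above: because Compose bind-mounts the secret file unchanged, the host file's owner, group and mode are exactly what the container process sees, so you can predict the "Permission denied" before running `docker-compose up`. The uid/gid of the container user (999 for the mysql user in the official mariadb image) is an assumption; change it to match your image.

```python
import os
import stat

# Assumption (not stated on the page): the mariadb entrypoint reads the secret
# as the container's "mysql" user, which is uid/gid 999 in the official image.
MARIADB_UID = 999
MARIADB_GID = 999


def secret_readable_by(path, uid, gid):
    """Return True if a process running as uid/gid could read `path`.

    Mirrors the kernel's DAC check: root bypasses it; otherwise the owner bits
    apply if the uid matches, else the group bits if the gid matches, else the
    "other" bits. Compose bind-mounts the file, so host metadata is what counts.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def preflight(secret_files, uid=MARIADB_UID, gid=MARIADB_GID):
    """Check each compose secret file; map path -> suggested fix (None if OK).

    The fix is the one from the accepted answer: hand the file to the container
    user while keeping mode 0400, so other host users still cannot read it.
    """
    report = {}
    for path in secret_files:
        if secret_readable_by(path, uid, gid):
            report[path] = None
        else:
            report[path] = f"chown {uid}:{gid} {path} && chmod 400 {path}"
    return report


if __name__ == "__main__":
    for path, fix in preflight([".secret_password_root", ".secret_password_user"]).items():
        print(f"{path}: {'OK' if fix is None else 'unreadable in container, run: ' + fix}")
```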

Since docker-compose v2.5.0 this is now possible.

Dockerfile:

# syntax=docker/dockerfile:1.2
# The original answer omits the base image; any image works for this demo.
FROM alpine

# The secret is mounted only for this RUN step and never lands in an image layer.
RUN --mount=type=secret,id=mysecret,target=/root/mysecret cat /root/mysecret

docker-compose.yml

services:
  my-app:
    build:
      context: .
      secrets:
        - mysecret

secrets:
  mysecret:
    file: ~/.npmrc

Shell:

$ docker-compose build

krema answered Apr 28 '23 20:04