
Secrets in docker compose

My environment is an ubuntu 18.04 VPS.

I can't get file-based secrets to work with mariadb in a docker container.

  1. create docker-compose.yml:
version: '3.7'
services:
  db:
    image: mariadb:10.4.8-bionic
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password_root
      - MYSQL_PASSWORD_FILE=/run/secrets/password_user
      - MYSQL_DATABASE=database
      - MYSQL_USER=admin
    secrets:
      - password_root
      - password_user
secrets:
  password_root:
    file: .secret_password_root
  password_user:
    file: .secret_password_user
  2. create secrets:
echo -n secret > .secret_password_root
echo -n secret > .secret_password_user
chown root:root .secret_password*
chmod 400 .secret_password*

(Note that I can set 444, but that would expose the secrets file on the host which is a very bad idea.)

  3. run:
docker-compose up

Error:错误:

db_1 | /usr/local/bin/docker-entrypoint.sh: line 37: /run/secrets/password_root: Permission denied

According to the docs, the secrets file should be mounted as 0444, but that's obviously not happening.

Apparently this is not supported for "docker compose", only for "docker swarm". The docs are misleading.

Docker Compose doesn't support real (swarmkit) secrets, and imitates them by bind-mounting the file directly into the container (which means that permissions on the host are the same as in the container).

You can change the ownership of the file on the host to match the uid/gid of the user in the container, but otherwise I don't think there's much that can be done, unfortunately.
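Because the secret is a plain bind mount, the verdict on whether the container's process can read it is decided by the host file's owner, group and mode bits against the uid/gid the container runs as. The following preflight script is an added example, not code from the question or either answer: it reproduces the Unix read-permission rule (root bypasses mode bits; otherwise the owner, group or other read bit applies) and reports, per compose `file:` secret, whether a given container uid/gid would hit "Permission denied". The temp files, their contents and the container identities it evaluates are constructed for the demonstration; supplementary groups and ACLs are deliberately ignored.

```python
"""Preflight check for docker-compose file-based secrets (added example).

docker-compose bind-mounts each `file:` secret into the container unchanged,
so the host file's owner, group and mode are exactly what the container
process sees.  This script reproduces the kernel's read-permission decision
for a chosen container uid/gid so a mismatch is caught before
`docker-compose up` fails with "Permission denied".
"""
import os
import stat
import tempfile


def readable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """True if a process with (uid, gid) could open the file for reading.

    Classic Unix rule: root bypasses mode bits; otherwise exactly one of the
    owner / group / other read bits is consulted, chosen by uid/gid match.
    Supplementary groups and ACLs are ignored (assumption for this example).
    """
    if uid == 0:
        return True
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_secrets(secret_files: dict, container_uid: int, container_gid: int) -> dict:
    """Map secret name -> "ok" or an explanation of why the container cannot read it.

    `secret_files` mirrors the top-level `secrets:` section of a compose file:
    {name: host_path}.
    """
    verdicts = {}
    for name, path in secret_files.items():
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if readable_by(st, container_uid, container_gid):
            verdicts[name] = "ok"
        else:
            verdicts[name] = (
                f"unreadable by uid={container_uid} gid={container_gid}: "
                f"{path} is owned by {st.st_uid}:{st.st_gid} mode {mode:04o}"
            )
    return verdicts


def demo() -> dict:
    """Build two constructed secret files and evaluate them for three container identities."""
    with tempfile.TemporaryDirectory() as d:
        strict = os.path.join(d, ".secret_password_root")  # constructed, mode 0400
        loose = os.path.join(d, ".secret_password_user")   # constructed, mode 0444
        for p in (strict, loose):
            with open(p, "w") as f:
                f.write("secret")  # constructed placeholder value
        os.chmod(strict, 0o400)
        os.chmod(loose, 0o444)
        files = {"password_root": strict, "password_user": loose}

        owner = os.stat(strict)
        # A non-root uid/gid that is guaranteed not to match the file owner,
        # standing in for the container's database user.
        other_uid, other_gid = owner.st_uid + 1, owner.st_gid + 1
        return {
            "as_owner": check_secrets(files, owner.st_uid, owner.st_gid),
            "as_other": check_secrets(files, other_uid, other_gid),
            "as_root": check_secrets(files, 0, 0),
        }


if __name__ == "__main__":
    for identity, result in demo().items():
        for secret, verdict in result.items():
            print(f"{identity:9s} {secret:15s} {verdict}")
```

The 0400 file passes only when the evaluating uid is the owner or root, which is exactly the question's failure: the mariadb entrypoint reads the secret as the unprivileged database user, not as the host's root. The practical fix that follows from this answer is to chown the secret files on the host to that user's uid/gid (run `docker run --rm mariadb:10.4.8-bionic id mysql` to confirm the numeric ids for the image you use) and keep mode 0400, rather than loosening the file to 0444.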

Since docker-compose v2.5.0 this is now possible.

Dockerfile:

# syntax=docker/dockerfile:1.2
# Base image added so the snippet builds on its own; the original omitted FROM.
FROM alpine
RUN --mount=type=secret,id=mysecret,target=/root/mysecret cat /root/mysecret

docker-compose.yml:

services:
  my-app:
    build:
      context: .
      secrets:
        - mysecret

secrets:
  mysecret:
    file: ~/.npmrc

Shell:

$ docker-compose build

The tip point is here:

chown root:root .secret_password* # set root as owner
chown 400 .secret_password*       # set `400` as owner

Replace chown with chmod:

chown root:root .secret_password*
chmod 400 .secret_password*
