
Secrets in docker compose

My environment is an ubuntu 18.04 VPS.

I can't get file-based secrets to work with mariadb in a docker container.

  1. create docker-compose.yml:
version: '3.7'
services:
  db:
    image: mariadb:10.4.8-bionic
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password_root
      - MYSQL_PASSWORD_FILE=/run/secrets/password_user
      - MYSQL_DATABASE=database
      - MYSQL_USER=admin
    secrets:
      - password_root
      - password_user
secrets:
  password_root:
    file: .secret_password_root
  password_user:
    file: .secret_password_user
  2. create secrets:
echo -n secret > .secret_password_root
echo -n secret > .secret_password_user
chown root:root .secret_password*
chmod 400 .secret_password*

(Note that I can set 444, but that would expose the secrets file on the host which is a very bad idea.)

  3. run:
docker-compose up

Error:

db_1 | /usr/local/bin/docker-entrypoint.sh: line 37: /run/secrets/password_root: Permission denied

According to the docs, the secrets file should be mounted as 0444, but that's obviously not happening.

Apparently this is not supported for "docker compose", only for "docker swarm". The docs are misleading.

Docker Compose doesn't support real (swarmkit) secrets, and imitates them by bind-mounting the file directly into the container (which means that permissions on the host are the same as in the container).

You can change the ownership of the file on the host to match the uid/gid of the user in the container, but otherwise I don't think there's much that can be done, unfortunately.
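Because Compose bind-mounts the secret file, the question becomes "can the uid the container process runs as read this host file?", and that can be answered before `docker-compose up` rather than from a `Permission denied` in the container log. The following preflight checker is an added example, not code from the original thread or from Docker; it models the POSIX owner/group/other read check against the file's host ownership and mode. The container uid/gid of 999 is an assumption about the mariadb image's `mysql` user (check it with `docker run --rm <image> id mysql` before relying on it), and the `demo()` scenario uses constructed temporary files so it runs without root or Docker.

```python
import os
import stat
import sys
import tempfile

# Assumption: uid/gid of the unprivileged user the mariadb entrypoint drops to.
# Verify for your image; it is not taken from the original thread.
CONTAINER_UID = 999
CONTAINER_GID = 999


def can_read(path: str, uid: int, gid: int, groups=()) -> bool:
    """POSIX DAC read check: could a process with this uid/gid (plus any
    supplementary groups) open `path` for reading?

    The first matching class (owner, then group, then other) decides, exactly
    as the kernel does, so a bind-mounted file owned by root with mode 0400
    is unreadable for uid 999 even though root can read it. uid 0 always passes.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if gid == st.st_gid or st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_secret(path: str, uid: int = CONTAINER_UID, gid: int = CONTAINER_GID) -> str:
    """Classify one compose secret file for a container running as uid/gid.

    "world-readable": readable by the container, but also by every host user
                      (the 0444 workaround the question rejects).
    "ok":             readable by the container uid/gid without 'other' bits,
                      i.e. the host owner/group matches the container user.
    "denied":         the container user cannot read it (the question's setup).
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        return "world-readable"
    if can_read(path, uid, gid):
        return "ok"
    return "denied"


def demo():
    """Constructed scenario: a secret file owned by whoever runs this script.
    Returns the status for three settings so the behaviour is visible without
    Docker or root privileges."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("secret")  # constructed secret value, as in the question
        path = f.name
    try:
        me, my_gid = os.getuid(), os.getgid()
        stranger = me + 1  # a uid that is not the file owner: stands in for the container user
        os.chmod(path, 0o400)
        denied = check_secret(path, stranger, stranger)   # owner != container uid, mode 0400
        ok = check_secret(path, me, my_gid)               # owner == container uid, mode 0400
        os.chmod(path, 0o444)
        exposed = check_secret(path, stranger, stranger)  # the 0444 workaround
        return denied, ok, exposed
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Usage: python preflight.py .secret_password_root .secret_password_user
    paths = sys.argv[1:]
    if not paths:
        print("demo:", demo())
    for p in paths:
        st = os.stat(p)
        print(f"{p}: mode {stat.S_IMODE(st.st_mode):04o} owner {st.st_uid}:{st.st_gid} -> "
              f"{check_secret(p)} for container uid {CONTAINER_UID}:{CONTAINER_GID}")
```

The only setting that reports `ok` is the one the answer above describes: keep the file at 0400 and make its host owner (or group, with 0440) the container's uid/gid, so the secret stays unreadable to other host users while the bind mount still works.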

Since docker-compose v2.5.0 this is now possible.

Dockerfile:

# syntax=docker/dockerfile:1.2
# A FROM line is required; the base image here is an assumption, the original snippet omitted it.
FROM alpine

# The secret is mounted only for this RUN step and never stored in an image layer.
RUN --mount=type=secret,id=mysecret,target=/root/mysecret cat /root/mysecret

docker-compose.yml

services:
  my-app:
    build:
      context: .
      secrets:
        - mysecret

secrets:
  mysecret:
    file: ~/.npmrc

Shell:

$ docker-compose build

The tip point is here:

chown root:root .secret_password* # set root as owner
chown 400 .secret_password*       # set `400` as owner

Replace `chown` with `chmod`:

chown root:root .secret_password*
chmod 400 .secret_password*
