New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect mode for docker-compose secret file #40046
Comments
Docker Compose doesn't support real (swarmkit) secrets, and imitates them by bind-mounting the file directly into the container (which means that permissions on the host are the same as in the container). You can change the ownership of the file on the host to match the uid/gid of the user in the container, but otherwise I don't think there's much that can be done unfortunately I'll close this issue because of the above, but feel free to continue the conversation |
Thank you for clarifying. The problem is the "docker compose" and "docker swarm" products use the same file - |
@thaJeztah Follow-up question if I may. I read it's easy to upgrade from "docker compose" to "docker swarm", so I thought I'd try it as a single-server stack. I added So the only change is But it complains about the secret file on the host:
The secrets file (on the host) is owned by |
Yes, that's likely expected; what happens is that the docker CLI attempts to open the file to read its content (which fails if the current user / user that runs the The cli (if succeeded to read) will then send the content of the secret file to the daemon, and store it as a secret. As an alternative, you can create the secret up-front ( |
@thaJeztah I assumed I could use I came up with a workaround. The secrets file on the host is:
This is a compromise - the secrets file is not locked-down as before, however it is accessible only to root and sudo-less Do you believe this is a reasonable approach / is this how it's typically done? |
I think ideally the file would not be stored at all (as plain text), and used in a configuration management system or a password manager, then the secret created in advance. Docker doesn't need access to the file once it's been stored as a secret ( If you do need the file locally, you can store it with |
Thanks for your advice! |
Bumping this thread. What if an attacker gain access to reading "/run/secrets/my_secret" in anyway in the container ? Even if I run the microservice under a non-root user, the 444 permissions on the secret enables anyone who gained access to the directory to reading the secret. |
@niloct if a container is compromised, that's not any different than a non-containerised situation (e.g. a VM or host compromised); take similar actions in that case (rotate secrets, consider data that was accessible with the secret to be compromised). |
Hi, thanks for replying :) Considering that in this scenario the container doesn't run under root, and the user hasn't sudo privileges, even if he compromises the container he wouldn't be able to see the secret. Right ? |
This is exactly what I'm stuck in. |
This ticket was about If you're using swarm services, you can set the Looking at the elasticsearch Dockerfile (https://github.com/elastic/dockerfiles/blob/v7.10.1/elasticsearch/Dockerfile#L70-L73), the Create a secret echo "foobar" | docker secret create mysecret - Create a service using the secret, that mounts it at docker service create --name myservice \
--secret source=mysecret,target=foo,uid=0,gid=1000,mode=0440 \
nginx:alpine exec into a container of the service as user 1000:1000, verify ownership/permissions are correct, and that user docker exec -it --user 1000:1000 myservice.1.of0ct8765bouq1ystjd7ya0fi sh
$ ls -la /run/secrets/foo
-r--r----- 1 root 1000 7 Mar 4 12:10 /run/secrets/foo
$ cat /run/secrets/foo
foobar |
Thanks for the detailed answer. You're so kind.
Since you noticed, I'm stopping here. Thank you again! |
Hmm.. not sure what's causing that; looking at permissions, they look ok; I'm able to list the contents of the docker exec -it --user 1000:1000 myservice.1.zkgx21wteg05yxsd0zf4t4llz sh
/ $ ls -la /run/secrets
total 12
drwxr-xr-x 2 root root 4096 Mar 4 17:21 .
drwxr-xr-x 1 root root 4096 Mar 4 17:21 ..
-r--r----- 1 root 1000 7 Mar 4 17:21 foo Is it perhaps a configuration issue, and is it trying to use |
Looking at the service's log, I don't think so. I will attach it here the exception part: elasticsearch-docker.log
|
@thaJeztah, any chance for contribution in order to somehow fix this issue and make it also work in docker-compose? |
@raratiru @niloct @JustinGuese @wbadart @MohammedNoureldin @Soberia @michitaro I see you upvoted this issue. If this is still important to you, please upvote this new feature request, and/or add your opinions there. |
According to the docs, the permissions for secrets files:
And according to a previous issue, this was fixed.
But this is not the case for me.
400
. It is referenced indocker-compose.yml
for a mariadb service. But mariadb errors with "permission denied".444
, then it works, but of course that's a bad idea.I thought
444
(for the container secret file:/run/secrets/foo
) was supposed to be the default mode set by docker?ubuntu 19.04
docker --version
= Docker version 19.03.2, build 6a30dfcdocker-compose --version
= docker-compose version 1.24.1, build 4667896The text was updated successfully, but these errors were encountered: