Question
My environment is an ubuntu 18.04 VPS.
I can't get file-based secrets to work with mariadb in a docker container.
- create docker-compose.yml:

version: '3.7'
services:
  db:
    image: mariadb:10.4.8-bionic
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password_root
      - MYSQL_PASSWORD_FILE=/run/secrets/password_user
      - MYSQL_DATABASE=database
      - MYSQL_USER=admin
    secrets:
      - password_root
      - password_user
secrets:
  password_root:
    file: .secret_password_root
  password_user:
    file: .secret_password_user
- create secrets:
echo -n secret > .secret_password_root
echo -n secret > .secret_password_user
chown root:root .secret_password*
chmod 400 .secret_password*
(Note that I can set 444, but that would expose the secrets file on the host which is a very bad idea.)
- run:
docker-compose up
Error:
db_1 | /usr/local/bin/docker-entrypoint.sh: line 37: /run/secrets/password_root: Permission denied
According to the docs, the secrets file should be mounted as 0444, but that's obviously not happening.
Answer 1:
Apparently this is not supported for "docker compose", only for "docker swarm". The docs are misleading.
Docker Compose doesn't support real (swarmkit) secrets, and imitates them by bind-mounting the file directly into the container (which means that permissions on the host are the same as in the container).
You can change the ownership of the file on the host to match the uid/gid of the user in the container, but otherwise I don't think there's much that can be done, unfortunately.
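Added example, not code from the question or either answer: a host-side script that applies the fix described in the answer above (match the secret file's owner to the container's service user and keep the mode at 0400, since Compose bind-mounts the file and host permissions carry into the container unchanged) and then verifies the result from a throwaway container. It assumes the service user in the mariadb image is named mysql and that docker-entrypoint.sh reads the *_FILE secrets as that user after dropping root; fix_secret_owner must itself run as root on the host, because it chowns the file to a different uid. The image name and user name are parameters, not facts taken from the page.

```shell
#!/bin/sh
# Added example (not from the question or answers). Makes a Compose
# file-based secret readable by the container's service user while keeping
# it unreadable by other host users. Compose bind-mounts the secret file,
# so the host owner/mode are exactly what the container sees.
#
# Assumptions (not stated on the original page):
#   - the image has a user named $CONTAINER_USER and its entrypoint reads
#     the *_FILE secrets as that user, so the file is chowned to its uid/gid;
#   - fix_secret_owner runs as root on the host (chown to a foreign uid).

IMAGE="${IMAGE:-mariadb:10.4.8-bionic}"
CONTAINER_USER="${CONTAINER_USER:-mysql}"

# Write a secret with no trailing newline and mode 0400. The umask is set
# before the file is created, so it is never world-readable, even briefly.
write_secret() {
    file=$1; value=$2
    ( umask 077; printf '%s' "$value" > "$file" )
    chmod 400 "$file"
}

# Ask the image which uid/gid its service user has instead of hard-coding a
# number that may change between image versions. Prints "UID GID".
container_ids() {
    docker run --rm "$IMAGE" sh -c "id -u $CONTAINER_USER; id -g $CONTAINER_USER" | tr '\n' ' '
}

# Host-side fix from the answer above: match the owner to the container user.
fix_secret_owner() {
    file=$1
    set -- $(container_ids)        # $1 = uid, $2 = gid (function-local)
    chown "$1:$2" "$file"
    chmod 400 "$file"
}

# Verify from a throwaway container, as the service user, the same way the
# entrypoint would read /run/secrets/<name>. Exit status is the result.
verify_secret() {
    file=$1
    set -- $(container_ids)
    docker run --rm --user "$1:$2" \
        -v "$(pwd)/$file:/run/secrets/check:ro" "$IMAGE" \
        cat /run/secrets/check >/dev/null
}

# Offline host-side check: owner read bit only, nothing for group/other.
# ls -ld is used rather than stat because its first field is the same on
# GNU and BSD userlands (a trailing "." or "+" for SELinux/ACLs is tolerated).
mode_is_owner_read_only() {
    case "$(ls -ld "$1")" in
        -r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the host, as root:  sh secret_perms.sh run
if [ "${1:-}" = "run" ]; then
    write_secret .secret_password_root "$(head -c 32 /dev/urandom | base64)"
    fix_secret_owner .secret_password_root
    verify_secret .secret_password_root \
        && echo "secret readable by $CONTAINER_USER inside $IMAGE"
fi
```

The same three calls (write_secret, fix_secret_owner, verify_secret) apply to .secret_password_user. Keeping the file at 0400 with the container's uid as owner is the least-privilege option; widening to 0444, as the question notes, lets every local user read the password.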
Answer 2:
The key point is here:
chown root:root .secret_password* # set root as owner
chown 400 .secret_password* # set `400` as owner
Replace chown with chmod:
chown root:root .secret_password*
chmod 400 .secret_password*
Source: https://stackoverflow.com/questions/58257319/secrets-in-docker-compose