Compose secrets does not set the correct mode #49404

Open
Qwarctick opened this issue Feb 6, 2025 · 1 comment · May be fixed by compose-spec/compose-go#738
Labels
area/cli kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. version/27.5

Comments

@Qwarctick

Description

When using the long-format secret syntax in a docker-compose file with an environment-backed secret, the secret file has the right ownership but not the right mode.

Reproduce

Create the following docker-compose.yml

services:
  frontend:
    image: alpine
    command: "ls -alh /run/secrets"
    secrets:
      - source: api_secret
        target: api_secret
        uid: "0"
        gid: "0"
        mode: "0444"
secrets:
  api_secret:
    environment: "API_SECRET"

Then run

export API_SECRET=foobar

docker compose run

[+] Running 2/2
 ✔ Network test-compose_default       Created    0.1s
 ✔ Container test-compose-frontend-1  Created    0.0s
Attaching to frontend-1
frontend-1  | total 12K
frontend-1  | drwxr-xr-x    2 root     root        4.0K Feb  6 16:02 .
frontend-1  | drwxr-xr-x    1 root     root        4.0K Feb  6 16:02 ..
frontend-1  | -rw-rwxr--    1 root     root           6 Feb  6 16:02 api_secret
frontend-1 exited with code 0

Expected behavior

The api_secret file should have permission 0440 instead of the actual 0674.

docker version

Client: Docker Engine - Community
 Version:           27.5.1
 API version:       1.47
 Go version:        go1.22.11
 Git commit:        9f9e405
 Built:             Wed Jan 22 13:41:48 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.5.1
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.11
  Git commit:       4c9b3b0
  Built:            Wed Jan 22 13:41:48 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.25
  GitCommit:        bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc:
  Version:          1.2.4
  GitCommit:        v1.2.4-0-g6c52b3f
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    27.5.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.20.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.32.4
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  pushrm: Push Readme to container registry (Christian Korneck)
    Version:  1.9.0
    Path:     /home/ubuntu/.docker/cli-plugins/docker-pushrm

Server:
 Containers: 15
  Running: 14
  Paused: 0
  Stopped: 1
 Images: 21
 Server Version: 27.5.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: wk01ththgqvq3okkr4ux71lkv
  Is Manager: true
  ClusterID: qjvxpnpihlm8tlz9dkzj0mzjf
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.10.16.92
  Manager Addresses:
   10.10.16.92:2377
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc version: v1.2.4-0-g6c52b3f
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-52-generic
 Operating System: Ubuntu 24.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.25GiB
 Name: PhilippeN
 ID: 8cfc9240-a0d2-4155-ab41-a98e48b1d479
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: _
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

@Qwarctick Qwarctick added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels Feb 6, 2025
@ndeloof
Contributor

ndeloof commented Feb 13, 2025

(should be reported on github.com/docker/compose)
The root cause is that mode is parsed as the integer 444, despite the octal notation, which is then applied as mode 0674.
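The decimal-versus-octal confusion described in the comment above, reproduced as an added Go example. This is not compose-go's code; parseModeDecimal is a constructed stand-in for the defective behaviour (the mode string read in base 10), parseModeOctal is one corrected form (read in base 8 and bounded to the 12 permission bits), and the sample mode strings are constructed. The decimal path turns "0444" into the bit pattern 0674, which os.FileMode renders exactly as the -rw-rwxr-- line in the issue's ls output, so the secret ends up group-writable and group-executable instead of read-only.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// parseModeDecimal mirrors the defect the comment describes: the compose
// "mode" string is parsed as a base-10 integer, so "0444" becomes 444, and
// 444 decimal is the bit pattern 0o674 (rw-rwxr--). Constructed stand-in,
// not compose-go's implementation.
func parseModeDecimal(s string) (os.FileMode, error) {
	n, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, err
	}
	return os.FileMode(n), nil
}

// parseModeOctal is the corrected form: Unix file modes are octal by
// convention, so parse in base 8 whether or not a leading zero is present,
// and reject values that do not fit in rwxrwxrwx plus setuid/setgid/sticky.
func parseModeOctal(s string) (os.FileMode, error) {
	n, err := strconv.ParseUint(s, 8, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid octal mode %q: %w", s, err)
	}
	if n > 0o7777 {
		return 0, fmt.Errorf("mode %q exceeds the 12 permission bits", s)
	}
	return os.FileMode(n), nil
}

func main() {
	// Constructed sample mode strings, including the one from the issue.
	for _, s := range []string{"0444", "444", "0440", "0600"} {
		bad, _ := parseModeDecimal(s)
		good, err := parseModeOctal(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		// For "0444": decimal parse -> 0674 (-rw-rwxr--), octal parse -> 0444 (-r--r--r--)
		fmt.Printf("mode %q: decimal parse -> %04o (%s), octal parse -> %04o (%s)\n",
			s, uint32(bad), bad, uint32(good), good)
	}
}
```

Run with go run to see each sample mode under both parsers; the base-8 version is the one to keep, and a range check like the one above is worth having so that a typo such as "77777" is rejected at config-load time rather than silently truncated into an unexpected permission set.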
