docker / compose

Define and run multi-container applications with Docker
https://docs.docker.com/compose/
Apache License 2.0

[BUG] Incorrect warning about secrets from environment variable being ignored #12010

Open qhaas opened 2 months ago

qhaas commented 2 months ago

Description

While it is known that file secrets cannot have their ownership / permissions set via service level secrets, it appears that environment secrets can, yet the warning about said ownership / permissions being ignored is displayed.

Steps To Reproduce

  1. Set a secret from an environment variable and attempt to modify its uid, gid, and mode via service-level secrets
    $ cat compose.yml
    services:
      my-service:
        image: busybox:stable
        command: ls -ln /run/secrets/my-secret
        secrets:
          - source: my-secret
            uid: "10"
            gid: "20"
            mode: 0754
    secrets:
      my-secret:
        environment: MY_SECRET
  2. Run docker compose and display the uid, gid, and mode of the secret, noting the incorrect warning about them not being set
    $ MY_SECRET=success docker compose run --rm my-service
    WARN[0000] secrets `uid`, `gid` and `mode` are not supported, they will be ignored 
    -rwxr-xr--    1 10       20               7 Jul 23 20:40 /run/secrets/my-secret

Compose Version

Docker Compose version v2.29.0

Docker Environment

Client: Docker Engine - Community
 Version:    27.1.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 42
 Server Version: 27.1.0
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.14.0-427.26.1.el9_4.x86_64
 Operating System: Red Hat Enterprise Linux 9.4 (Plow)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 30.83GiB
 Name: REDACTED
 ID: 0608251b-f670-49b2-8b9e-8e9327933d84
 Docker Root Dir: /home/docker
 Debug Mode: false
 Username: REDACTED
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Anything else?

No response

polarathene commented 2 months ago

This also applies to the configs top-level element with content and environment sources: https://github.com/docker/docs/issues/20514
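The point raised in the report and in the comment above is that the warning does not distinguish between secret sources: a secret defined with `file:` is bind-mounted from the host, so its owner and mode come from the host file, whereas one defined with `environment:` is written into the container by Compose and the service-level `uid`, `gid` and `mode` do take effect (the `ls -ln` output shows 10, 20 and `-rwxr-xr--` for `0754`). The following is an added example, not code from Compose or from either commenter: a small Python lint over a compose document that reports, per service-level secret or config reference, whether the requested owner/mode will be applied or silently ignored. It encodes the behaviour observed in the issue for `environment:`; treating the `content:` source the same way is an assumption taken from the linked docs issue, and `external:` definitions are reported as unknown rather than modelled. The compose document is a constructed mapping given already parsed (PyYAML reads `0754` as octal 492, so both int and string modes are accepted) to keep the script free of a YAML dependency.

```python
"""Lint a parsed compose document for service-level uid/gid/mode on secrets and configs.

Added example, not part of docker/compose. Behaviour encoded (from the issue):
  * `environment:` source -> Compose writes the value into the container, so the
    service-level uid/gid/mode are honoured.
  * `file:` source -> bind-mounted from the host; owner/mode come from the host file
    and the service-level settings are ignored.
  * `content:` source -> assumed to behave like `environment:` (see docs issue 20514).
"""

import stat
from typing import Any

# Sources whose data Compose writes into the container itself (`content` is an assumption).
INJECTED_SOURCES = {"environment", "content"}
# Source that is bind-mounted from the host; owner/mode come from the host file.
MOUNTED_SOURCES = {"file"}

# Constructed compose.yml, shown already parsed. Names, paths and values are made up.
EXAMPLE_COMPOSE: dict[str, Any] = {
    "services": {
        "my-service": {
            "image": "busybox:stable",
            "command": "ls -ln /run/secrets/my-secret",
            "secrets": [
                {"source": "my-secret", "uid": "10", "gid": "20", "mode": 0o754},
                {"source": "host-secret", "mode": 0o400},   # file-sourced: mode ignored
                "plain-secret",                              # short syntax, nothing requested
            ],
            "configs": [
                {"source": "app-config", "uid": "10", "mode": "0440"},
            ],
        }
    },
    "secrets": {
        "my-secret": {"environment": "MY_SECRET"},
        "host-secret": {"file": "./host-secret.txt"},
        "plain-secret": {"environment": "PLAIN"},
    },
    "configs": {
        "app-config": {"content": "listen = 8080\n"},
    },
}


def parse_mode(mode: Any) -> int:
    """Accept the mode as a YAML loader hands it over: an octal string ("0754") or an int."""
    if isinstance(mode, str):
        return int(mode, 8)
    return int(mode)


def ls_perm_string(mode: int) -> str:
    """Render a permission mode as `ls -l` prints it for a regular file: 0o754 -> -rwxr-xr--."""
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))


def _normalize_ref(ref: Any) -> dict[str, Any]:
    """Service-level entries are either a bare name or a mapping with `source` plus options."""
    return {"source": ref} if isinstance(ref, str) else dict(ref)


def lint_grants(compose: dict[str, Any], kind: str) -> list[dict[str, Any]]:
    """Return one finding per service-level reference (kind is "secrets" or "configs")
    that sets uid, gid or mode. `outcome` is "applied", "ignored" (bind-mounted host
    file) or "unknown" (a definition this linter does not model, e.g. `external:`)."""
    definitions = compose.get(kind) or {}
    findings: list[dict[str, Any]] = []
    for service_name, service in (compose.get("services") or {}).items():
        for raw in service.get(kind) or []:
            ref = _normalize_ref(raw)
            requested = {k: ref[k] for k in ("uid", "gid", "mode") if k in ref}
            if not requested:
                continue
            definition = definitions.get(ref["source"]) or {}
            source = next((k for k in ("file", "environment", "content") if k in definition), None)
            if source in INJECTED_SOURCES:
                outcome = "applied"
            elif source in MOUNTED_SOURCES:
                outcome = "ignored"
            else:
                outcome = "unknown"
            finding = {
                "service": service_name,
                "kind": kind,
                "name": ref["source"],
                "source": source,
                "requested": requested,
                "outcome": outcome,
                "expected_ls": None,
            }
            if outcome == "applied" and "mode" in requested:
                finding["expected_ls"] = ls_perm_string(parse_mode(requested["mode"]))
            findings.append(finding)
    return findings


def report(compose: dict[str, Any]) -> list[str]:
    """Human-readable lines for every finding across secrets and configs."""
    lines = []
    for kind in ("secrets", "configs"):
        for f in lint_grants(compose, kind):
            detail = f" (in-container mode {f['expected_ls']})" if f["expected_ls"] else ""
            lines.append(
                f"{f['service']}: {kind[:-1]} {f['name']} from {f['source']!r}: "
                f"{f['requested']} {f['outcome']}{detail}"
            )
    return lines


if __name__ == "__main__":
    for line in report(EXAMPLE_COMPOSE):
        print(line)
```

Run against the constructed document, the `my-secret` entry comes out as applied with `-rwxr-xr--`, matching the `ls -ln` line in the report, while the `host-secret` entry is flagged as ignored. On a real project, load the file with a YAML parser into the same shape; the check is useful because Compose's warning, as reported above, fires for both cases and so cannot be used to tell them apart.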