Tags: docker, docker-compose, podman, docker-secrets

Pass docker-compose secret to Dockerfile


I'm trying to pass docker-compose secrets to a Dockerfile, a feature that should be supported in docker-compose v2.5.0. For some odd reason, the secret I'm passing isn't recognized.

I loosely followed the example in How to use file from home directory in docker compose secret?

Here are the files in the directory I'm testing it out in:

.
├── docker-compose.working.yml
├── docker-compose.yml
├── Dockerfile
└── secret

Their contents:

secret

cool

docker-compose.yml

services:
   notworking:
     build: .
     secrets:
       - mysecret

secrets:
   mysecret:
     file: ./secret

Dockerfile

FROM busybox

RUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret

Running the command docker-compose up yields an error about not being able to find the mysecret secret I defined.

Sending build context to Docker daemon     369B
STEP 1/6: FROM busybox
Resolving %!q(<nil>) to docker.io (enforced by caller)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob sha256:f5b7ce95afea5d39690afc4c206ee1bf3e3e956dcc8d1ccd05c6613a39c4e4f8
Copying config sha256:ff4a8eb070e12018233797e865841d877a7835c4c6d5cfc52e5481995da6b2f7
Writing manifest to image destination
Storing signatures
STEP 2/6: RUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret
1 error occurred:
    * Status: building at STEP "RUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret": resolving mountpoints for container "b84f93ec384894b22ab1fba365f2d8a206e686882a19f6a3781a129a14fcb969": secret required but no secret with id mysecret found
, Code: 1

What's odd though is that my other contrived docker-compose.working.yml just works™, though it doesn't point to a local Dockerfile.

docker-compose.working.yml

services:
   working:
     image: busybox
     command: cat /run/secrets/mysecret
     secrets:
       - mysecret

secrets:
  mysecret:
     file: ./secret

When I run docker-compose -f docker-compose.working.yml up, I get what I expect:

[+] Running 1/0
 ⠿ Container webster-parser-working-1  Created                                                                                                                                         0.0s
Attaching to webster-parser-working-1
webster-parser-working-1  | cool
webster-parser-working-1 exited with code 0

Some extra info:

$ docker version
Docker version 20.10.19, build d85ef84533

$ docker-compose --version
Docker Compose version 2.12.0

FYI, I'm also using Podman under the hood, though I doubt it's the cause behind why it's not working.

Does anyone know why it ain't working?


Solution

  • I've gotten this working with slight changes to your docker compose:

    version: '3.8'
    
    services:
       worksnow:
         build:
           context: .
           secrets:
             - mysecret
    
         entrypoint: cat /run/secrets/mysecret
         secrets:
           - mysecret
    
    secrets:
       mysecret:
         file: ./secret
    
    $ docker compose up
    [+] Running 1/1
     ⠿ Container docker-compose-secrets-worksnow-1  Recreated                                                                     0.1s
    Attaching to docker-compose-secrets-worksnow-1
    docker-compose-secrets-worksnow-1  | cool
    docker-compose-secrets-worksnow-1 exited with code 0
    

    It seems like the trouble is that the secret is needed during the build in order for Docker to successfully interpret the RUN statement. Once you actually run the container, of course, it also needs the secret to be available then in order to access it.

    RUN is a container build step, so (confusingly) it's not going to be executed when the container is actually run. That's why I needed to add an entrypoint to get the output to show up.

    In case you're wondering if including the secrets in the build step is somehow storing the secret in the image, it's not. We can test this using Google's container-diff.

    $ container-diff diff --type=file daemon://busybox daemon://docker-compose-worksnow
    
    -----File-----
    
    These entries have been added to busybox:
    FILE                SIZE
    /proc               0
    /run                0
    /run/secrets        0
    /sys                0
    
    These entries have been deleted from busybox: None
    
    These entries have been changed between busybox and docker-compose-notworking: None
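The mismatch the answer fixes (the secret listed under the service's runtime `secrets:` but not under `build.secrets`) is easy to catch before running `docker compose build`. Below is an added example, not code from the question or the answer: it takes a compose file already loaded into a dict (e.g. with `yaml.safe_load`, assumed) plus each service's Dockerfile text, extracts the ids from `RUN --mount=type=secret,...` instructions, and reports any id that is missing from `build.secrets` or from the top-level `secrets` map.

```python
"""Check that every secret a Dockerfile mounts at build time is wired through
build.secrets and defined at the top level. Added example; the compose dict
and Dockerfile texts are supplied by the caller (assumption)."""
from __future__ import annotations
import re
from posixpath import basename

# Captures the option string of a RUN --mount=... whose options include type=secret.
_MOUNT_RE = re.compile(r"--mount=((?:[^,\s]+,)*type=secret(?:,[^,\s]+)*)")

def secret_ids_in_dockerfile(text: str) -> set[str]:
    """Secret ids mounted by the Dockerfile. BuildKit's defaults apply: a mount
    without id= takes the basename of its target, and the default target is
    /run/secrets/<id>, so an id-only mount needs no target."""
    ids: set[str] = set()
    for m in _MOUNT_RE.finditer(text):
        opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        sid = opts.get("id") or basename(opts.get("target", opts.get("dst", "")))
        if sid:
            ids.add(sid)
    return ids

def _names(entries) -> set[str]:
    """Normalise a compose secrets list: items are 'name' or {source: name}."""
    return {e if isinstance(e, str) else e.get("source", "") for e in entries or []}

def check_build_secrets(compose: dict, dockerfiles: dict[str, str]) -> list[str]:
    """One finding per build-time secret that is undefined or not in build.secrets."""
    findings: list[str] = []
    defined = set((compose.get("secrets") or {}).keys())
    for name, svc in (compose.get("services") or {}).items():
        if name not in dockerfiles:
            continue  # image-only service (like 'working' above): nothing is built
        build = svc.get("build")
        build_secrets = _names(build.get("secrets")) if isinstance(build, dict) else set()
        for sid in sorted(secret_ids_in_dockerfile(dockerfiles[name])):
            if sid not in defined:
                findings.append(f"{name}: secret '{sid}' is not defined under top-level secrets")
            elif sid not in build_secrets:
                findings.append(f"{name}: secret '{sid}' is mounted at build time but missing "
                                f"from build.secrets (a runtime 'secrets:' entry is not enough)")
    return findings

# Constructed inputs mirroring the question's failing setup and the answer's fix.
DOCKERFILE = "FROM busybox\nRUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret\n"
BROKEN = {"services": {"notworking": {"build": ".", "secrets": ["mysecret"]}},
          "secrets": {"mysecret": {"file": "./secret"}}}
FIXED = {"services": {"worksnow": {"build": {"context": ".", "secrets": ["mysecret"]},
                                   "secrets": ["mysecret"]}},
         "secrets": {"mysecret": {"file": "./secret"}}}

if __name__ == "__main__":
    print(check_build_secrets(BROKEN, {"notworking": DOCKERFILE}))  # one finding
    print(check_build_secrets(FIXED, {"worksnow": DOCKERFILE}))     # []
```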