I'm trying to pass docker-compose secrets to a Dockerfile, a feature that should be supported in docker-compose v2.5.0. For some odd reason, the secret I'm passing isn't recognized.
I loosely followed the example in How to use file from home directory in docker compose secret?
Here are the files in the directory I'm testing it out in:
.
├── docker-compose.working.yml
├── docker-compose.yml
├── Dockerfile
└── secret
Their contents:
secret
cool
docker-compose.yml
services:
  notworking:
    build: .
    secrets:
      - mysecret
secrets:
  mysecret:
    file: ./secret
Dockerfile
FROM busybox
RUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret
Running the command docker-compose up yields an error about not being able to find the mysecret secret I defined.
Sending build context to Docker daemon 369B
STEP 1/6: FROM busybox
Resolving %!q(<nil>) to docker.io (enforced by caller)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob sha256:f5b7ce95afea5d39690afc4c206ee1bf3e3e956dcc8d1ccd05c6613a39c4e4f8
Copying config sha256:ff4a8eb070e12018233797e865841d877a7835c4c6d5cfc52e5481995da6b2f7
Writing manifest to image destination
Storing signatures
STEP 2/6: RUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret
1 error occurred:
* Status: building at STEP "RUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret": resolving mountpoints for container "b84f93ec384894b22ab1fba365f2d8a206e686882a19f6a3781a129a14fcb969": secret required but no secret with id mysecret found
, Code: 1
What's odd though is that my other contrived docker-compose.working.yml just works (TM), though it doesn't point to a local Dockerfile.
docker-compose.working.yml
services:
  working:
    image: busybox
    command: cat /run/secrets/mysecret
    secrets:
      - mysecret
secrets:
  mysecret:
    file: ./secret
When I run docker-compose -f docker-compose.working.yml up, I get what I expect:
[+] Running 1/0
⠿ Container webster-parser-working-1 Created 0.0s
Attaching to webster-parser-working-1
webster-parser-working-1 | cool
webster-parser-working-1 exited with code 0
Some extra info:
$ docker version
Docker version 20.10.19, build d85ef84533
$ docker-compose --version
Docker Compose version 2.12.0
FYI, I'm also using Podman under the hood, though I doubt it's the cause behind why it's not working.
Does anyone know why it ain't working?
I've gotten this working with slight changes to your docker compose:
version: '3.8'
services:
  worksnow:
    build:
      context: .
      secrets:
        - mysecret
    entrypoint: cat /run/secrets/mysecret
    secrets:
      - mysecret
secrets:
  mysecret:
    file: ./secret
$ docker compose up
[+] Running 1/1
⠿ Container docker-compose-secrets-worksnow-1 Recreated 0.1s
Attaching to docker-compose-secrets-worksnow-1
docker-compose-secrets-worksnow-1 | cool
docker-compose-secrets-worksnow-1 exited with code 0
It seems like the trouble is that the secret is needed during the build in order for Docker to successfully interpret the RUN statement. Once you actually run the container, of course, it also needs the secret to be available then in order to access it.
RUN is a container build step, so (confusingly) it's not going to be executed when the container is actually run. That's why I needed to add an entrypoint to get the output to show up.
In case you're wondering if including the secrets in the build step is somehow storing the secret in the image, it's not. We can test this using Google's container-diff.
$ container-diff diff --type=file daemon://busybox daemon://docker-compose-worksnow
-----File-----
These entries have been added to busybox:
FILE SIZE
/proc 0
/run 0
/run/secrets 0
/sys 0
These entries have been deleted from busybox: None
These entries have been changed between busybox and docker-compose-notworking: None
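The distinction the answer draws (an id under the service's `secrets:` reaches the running container, while a `RUN --mount=type=secret` needs the same id under `build.secrets`) is easy to lose in a larger compose file, so here is an added checker that is not part of the original question or answer. It pulls the secret ids out of a Dockerfile's RUN mounts and reports, per service with a `build:` key, which ids are not wired through `build.secrets` or are listed there but never defined at top level. The Dockerfile and the two compose documents are constructed samples that mirror the thread; `load_compose` is a deliberately small stand-in for `yaml.safe_load` so the example runs without PyYAML, and the function names and message texts are this example's own, not Compose's or BuildKit's.

```python
"""Check that every secret a Dockerfile mounts at build time is wired through
Compose's build.secrets, the step missing from the thread's first attempt."""
import re

# Constructed sample inputs that mirror the thread (not files from the post).
DOCKERFILE = """\
FROM busybox
RUN --mount=type=secret,required=true,id=mysecret cat /run/secrets/mysecret
RUN --mount=type=secret,id=other,target=/tmp/other wc -c /tmp/other
"""

# Runtime-only wiring: the container gets the secret, the RUN step does not.
COMPOSE_BROKEN = """\
services:
  notworking:
    build: .
    secrets:
      - mysecret
secrets:
  mysecret:
    file: ./secret
"""

# Build-time and runtime wiring for the same ids.
COMPOSE_FIXED = """\
services:
  worksnow:
    build:
      context: .
      secrets:
        - mysecret
        - other
    entrypoint: cat /run/secrets/mysecret
    secrets:
      - mysecret
secrets:
  mysecret:
    file: ./secret
  other:
    environment: OTHER_SECRET
"""

MOUNT_RE = re.compile(r"--mount=(\S+)")


def dockerfile_secret_mounts(text):
    """Return [(id, required)] for each type=secret mount on a single-line RUN."""
    mounts = []
    for line in text.splitlines():
        if not line.lstrip().upper().startswith("RUN"):
            continue
        for spec in MOUNT_RE.findall(line):
            opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
            if opts.get("type") != "secret":
                continue
            # BuildKit documents the id as defaulting to the target's basename.
            sid = opts.get("id") or opts.get("target", "").rsplit("/", 1)[-1]
            mounts.append((sid, opts.get("required", "false").lower() == "true"))
    return mounts


def load_compose(text):
    """Parse the YAML subset used here: nested mappings, `key: scalar`, and
    `- scalar` block lists. Stand-in for yaml.safe_load, not a YAML parser."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent, node, parent, key_in_parent)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        while stack[-1][0] >= indent:
            stack.pop()
        top_indent, node, parent, key = stack[-1]
        if line.startswith("- "):
            if isinstance(node, dict):  # first item: this node is really a list
                node = []
                parent[key] = node
                stack[-1] = (top_indent, node, parent, key)
            node.append(line[2:].strip())
            continue
        k, _, v = line.partition(":")
        k, v = k.strip(), v.strip()
        if v:
            node[k] = v
        else:
            node[k] = {}
            stack.append((indent, node[k], node, k))
    return root


def check_build_secrets(dockerfile, compose_text):
    """Return {service: [problem, ...]} for every service that has a build: key."""
    needed = dockerfile_secret_mounts(dockerfile)
    compose = load_compose(compose_text)
    defined = set(compose.get("secrets", {}))
    report = {}
    for name, svc in compose.get("services", {}).items():
        build = svc.get("build")
        if build is None:
            continue  # image-only service, nothing is built
        build_ids = build.get("secrets", []) if isinstance(build, dict) else []
        problems = []
        for sid, required in needed:
            if sid not in build_ids and required:
                problems.append(f"{sid}: required by RUN --mount but not under build.secrets (build fails)")
            elif sid not in build_ids:
                problems.append(f"{sid}: not under build.secrets (mount is silently absent in RUN)")
            elif sid not in defined:
                problems.append(f"{sid}: under build.secrets but not defined in top-level secrets")
        report[name] = problems
    return report
```

Running `check_build_secrets(DOCKERFILE, COMPOSE_BROKEN)` flags both mounts for `notworking` (the `required=true` one as a hard build failure, the other as a mount that would simply be missing), while `COMPOSE_FIXED` comes back clean; the short `build: .` form is treated as having no build secrets, which is exactly the shape of the question's first file.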