docker-swarm

Is there a way to specify the UID of secrets when using Docker Swarm with the sysbox runtime


I am trying to use Docker Swarm with the sysbox runtime. For one of my services I want to set the UID for a secret mount:

services:
  service1:
    secrets:
      - source: secretname
        uid: "1234"

This used to work with the normal Docker runtime. It does, however, not have any effect when using the sysbox runtime. The secret is mounted as user 'nobody'. I assume this is because of sysbox using ID-mapped mounts.

Is there still a way to specify uid, gid and mode for secret mounts when using sysbox?


Solution

  • (answering my own question after getting help from Cesar Talledo via the Nestybox-Support Slack workspace)

    Secrets are mounted in a tmpfs filesystem. Running findmnt confirms this:

    ├─/run/secrets/secret_name     tmpfs[/te7tlwvwcrcyska47ga4vaj8i]             tmpfs    ro,relatime

    Sysbox tries to use idmapped-mounts on top of that tmpfs mount, but idmapped-mounts are not supported on tmpfs until kernel 6.3+. I am using WSL2 with a kernel version of 5.15.

    To get configurable UIDs to work you either need to:

    As I am using WSL, both options do not seem to be possible right now:
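As an added illustration (not part of the original question or answer, and not code from sysbox or Docker), here is a small POSIX shell check for the situation the answer describes: it compares the running kernel version against the 6.3 threshold that tmpfs idmapped mounts require and, when findmnt is available, shows the filesystem type of the secret mount. The function names are my own, and the version strings used in comments are constructed examples.

```shell
#!/bin/sh
# Added example: decide whether this kernel is new enough for idmapped mounts
# on tmpfs (6.3+), which is what sysbox needs to honour uid/gid/mode on a
# Docker Swarm secret mount. Not part of sysbox or Docker.

# Return 0 when version string $1 (e.g. the constructed
# "5.15.90.1-microsoft-standard-WSL2") is at least $2.$3 (major.minor).
kernel_at_least() {
    ver=$1; want_major=$2; want_minor=$3
    # Keep only the leading "digits and dots" part, dropping "-generic" etc.
    num=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    # A bare "6" has no minor component; treat it as 6.0
    if [ "$rest" = "$num" ]; then minor=0; fi
    major=${major:-0}; minor=${minor:-0}
    if [ "$major" -gt "$want_major" ]; then return 0; fi
    if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# Does the given (or running) kernel support idmapped mounts on tmpfs?
tmpfs_idmap_supported() {
    kernel_at_least "${1:-$(uname -r)}" 6 3
}

# Human-readable report for an operator debugging a 'nobody'-owned secret.
check_secret_mount() {
    k=$(uname -r)
    if tmpfs_idmap_supported "$k"; then
        echo "kernel $k: tmpfs idmapped mounts supported; secret uid/gid should be honoured"
    else
        echo "kernel $k: older than 6.3; sysbox cannot idmap the tmpfs secret mount, expect 'nobody'"
    fi
    # Confirm the secret really lives on tmpfs, as in the findmnt output above
    if command -v findmnt >/dev/null 2>&1; then
        findmnt -T /run/secrets -o TARGET,SOURCE,FSTYPE,OPTIONS 2>/dev/null
    fi
    return 0
}

# Usage inside a container: sh check.sh
[ "${0##*/}" = "check.sh" ] && check_secret_mount
```

Run it inside the service container; a WSL2 5.15 kernel reports the "expect 'nobody'" branch, which is exactly the symptom in the question.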