I am trying to use Docker Swarm with the sysbox runtime. For one of my services I want to set the UID for a secret mount:
```yaml
services:
  service1:
    secrets:
      - source: secretname
        uid: "1234"
```
This used to work with the normal Docker runtime. It does, however, not have any effect when using the sysbox runtime. The secret is mounted as user 'nobody'. I assume this is because of sysbox using ID-mapped mounts.
Is there still a way to specify uid, gid and mode for secret mounts when using sysbox?
(answering my own question after getting help from Cesar Talledo via the Nestybox-Support Slack workspace)
Secrets are mounted in a tmpfs filesystem. Running findmnt confirms this:
```
├─/run/secrets/secret_name tmpfs[/te7tlwvwcrcyska47ga4vaj8i] tmpfs ro,relatime
```
Sysbox tries to use idmapped-mounts on top of that tmpfs mount, but idmapped-mounts are not supported on tmpfs until kernel 6.3+. I am using WSL2 with a kernel version of 5.15.
To get configurable UIDs to work you either need to:
As I am using WSL, both options do not seem to be possible right now:
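A small diagnostic for the situation described in this answer, added here and not part of the original post: it classifies a findmnt line for the secret mount (tmpfs or not) and checks the kernel release against the 6.3 threshold the answer gives, so you can tell up front whether an ID-mapped mount over the secret can be expected to work. The sample findmnt line is constructed from the one quoted above; the 6.3 cut-off is taken from the answer, not verified independently here.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption, taken from the answer above: tmpfs gained idmapped-mount
# support in Linux 6.3, so anything older cannot honour uid/gid/mode on a
# Swarm secret mount under sysbox.

# Return 0 if kernel release "$1" (e.g. "5.15.90.1-microsoft-standard-WSL2",
# "6.10-rc1") is 6.3 or newer, 1 otherwise.
kernel_supports_tmpfs_idmap() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    # Strip any "-rc1" or similar suffix from the minor field.
    minor=$(printf '%s\n' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 3 ]; }
}

# $1 = one findmnt line (columns: TARGET SOURCE FSTYPE OPTIONS; the tree
#      prefix such as "├─" is part of TARGET), $2 = kernel release.
# Prints one of: not-tmpfs, idmap-ok, idmap-unsupported.
check_secret_mount() {
    line=$1
    kernel=$2
    fstype=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$fstype" != "tmpfs" ]; then
        echo "not-tmpfs"
    elif kernel_supports_tmpfs_idmap "$kernel"; then
        echo "idmap-ok"
    else
        echo "idmap-unsupported"
    fi
}

# Constructed sample, modelled on the findmnt output quoted in the answer.
SAMPLE_LINE='├─/run/secrets/secret_name tmpfs[/te7tlwvwcrcyska47ga4vaj8i] tmpfs ro,relatime'

# Classify the sample mount against the running kernel.
check_secret_mount "$SAMPLE_LINE" "$(uname -r)"
```

On a real host, feed the function the line from `findmnt -n -o TARGET,SOURCE,FSTYPE,OPTIONS /run/secrets/<name>` run inside the container instead of the constructed sample.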