[BUG] Setting secrets using "environment:" instead of "file:" works only using root in container/service #10595

Closed
jawys opened this issue May 22, 2023 · 1 comment · Fixed by #10598
jawys commented May 22, 2023

Description

Background

Hello there!
While developing using compose, my primary deploy target is swarm so I am using file secrets most of the time.

Finding

While trying to make the development process more convenient using compose, I also started overriding the file: directive in the root-level secrets with environment: using compose.override.yml.

Recently I noticed the following error when the USER running in the container is not root but, e.g., node (using the node:alpine image): Error response from daemon: getent unable to find entry "node" in passwd database

Question(s)

Is this the expected result I have to deal with because compose just mimics the features of swarm?

Does someone have a hint on how to make running as the desired non-root user with environment-fed secrets work, while dealing with the differences between "stack deploy" and "compose up"?

Steps To Reproduce

From: https://github.com/jawys/test-compose-secrets-environment

  1. Copy the following compose.yaml
    version: "3.8"
    
    secrets:
      api_pass:
        environment: SOME_API_PASS
    
    services:
      backend:
        image: node:alpine
        environment:
          - API_PASS_FILE=/run/secrets/api_pass
        secrets:
          - source: api_pass
        command:
          - sh
          - -c
          - set -x; ls -la /run/secrets; id
        user: node
    
    name: test-compose-secrets-environment
  2. Run docker compose up with SOME_API_PASS env set inline
    ❯ SOME_API_PASS=SOME_API_PASS docker compose -f compose.yaml up
    [+] Running 1/2
    ✔ Network test-compose-secrets-environment_default      Created              0.0s
    ⠋ Container test-compose-secrets-environment-backend-1  Creating             0.0s
    Error response from daemon: getent unable to find entry "node" in passwd database
  3. Seeing an error?! Try again...
    ❯ SOME_API_PASS=SOME_API_PASS docker compose -f compose.yaml up
    Attaching to test-compose-secrets-environment-backend-1
    test-compose-secrets-environment-backend-1  | + ls -la /run/secrets
    test-compose-secrets-environment-backend-1  | ls: /run/secrets: No such file or directory
    test-compose-secrets-environment-backend-1  | uid=1000(node) gid=1000(node) groups=1000(node)
    test-compose-secrets-environment-backend-1  | + id
    test-compose-secrets-environment-backend-1 exited with code 0
  4. Comment out user: node directive so that user is root
    --- a/compose.yaml
    +++ b/compose.yaml
    @@ -15,6 +15,6 @@ services:
          - sh
          - -c
          - set -x; ls -la /run/secrets; id
    -    user: node
    +    # user: node
    
    name: test-compose-secrets-environment
  5. Run compose up again running the container as root
    ❯ SOME_API_PASS=SOME_API_PASS docker compose -f compose.yaml up
    [+] Running 1/1
    ✔ Container test-compose-secrets-environment-backend-1  Recreated            0.1s
    Attaching to test-compose-secrets-environment-backend-1
    test-compose-secrets-environment-backend-1  | + ls -la /run/secrets
    test-compose-secrets-environment-backend-1  | /run/secrets:
    test-compose-secrets-environment-backend-1  | total 12
    test-compose-secrets-environment-backend-1  | drwxr-xr-x    2 root     root          4096 May 22 13:36 .
    test-compose-secrets-environment-backend-1  | drwxr-xr-x    1 root     root          4096 May 22 13:36 ..
    test-compose-secrets-environment-backend-1  | -r--------    1 root     root            13 May 22 13:36 api_pass
    test-compose-secrets-environment-backend-1  | + id
    test-compose-secrets-environment-backend-1  | uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
    test-compose-secrets-environment-backend-1 exited with code 0

Compose Version

❯ docker compose version ; docker-compose version
Docker Compose version v2.17.3
Docker Compose version v2.17.3

Docker Environment

❯ docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /Users/jan/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /Users/jan/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/jan/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.19
    Path:     /Users/jan/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.4
    Path:     /Users/jan/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/jan/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/jan/.docker/cli-plugins/docker-scan
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  v0.10.0
    Path:     /Users/jan/.docker/cli-plugins/docker-scout

Server:
 Containers: 62
  Running: 12
  Paused: 0
  Stopped: 50
 Images: 47
 Server Version: 23.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: 8oy48bax3dyaf4ynlyqxn57n1
  Is Manager: true
  ClusterID: yj2jkmvdi1wnp7lfng9f5zfpy
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.65.3
  Manager Addresses:
   192.168.65.3:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.49-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 15.61GiB
 Name: docker-desktop
 ID: 00936b35-ea60-4a06-85aa-b7bc97079fab
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

ndeloof (Contributor) commented May 23, 2023

The same issue applies to a plain docker cp command asking the engine to apply uid/gid:

$ docker cp ./foo test-backend-1:/tmp/test -a
Successfully copied 1.54kB to test-backend-1:/tmp/test
Error response from daemon: getent unable to find entry "node" in passwd database

Seems to be a known issue: moby/moby#34142

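A lint for the combination this thread is about, added here as an example and not code from docker/compose or from either commenter: it walks a parsed Compose model and reports every service whose `user:` is a name rather than a numeric uid[:gid] and which mounts a secret defined with `environment:`. That is the case that failed above with Compose v2.17.3 and Engine 23.0.5, where the engine copies the secret into the container with the service's uid/gid and has to resolve the name, the same path ndeloof shows with `docker cp -a`. The dict shape, the function names, and the rule that a purely numeric `user:` avoids the lookup are assumptions of this example, not statements made in the issue.

```python
"""Flag Compose services that combine an `environment:`-sourced secret with a
named (non-numeric) `user:`, the combination that failed in this issue.

Hypothetical helper written for this thread, not part of docker/compose.
Assumptions: only `environment:` secrets are copied into the container by the
engine (file: secrets are bind-mounted), and a purely numeric uid[:gid] needs
no passwd lookup, so it is treated as safe here. The image's own USER is not
inspected; only an explicit `user:` key on the service is checked.
"""
import re
from typing import Any

# "1000" or "1000:1000": numeric ids need no name resolution (assumption, see above).
NUMERIC_USER = re.compile(r"^\d+(:\d+)?$")

# Constructed input mirroring the compose.yaml posted in the issue; this is the
# shape yaml.safe_load() produces, embedded here so the example runs offline.
ISSUE_MODEL: dict[str, Any] = {
    "secrets": {"api_pass": {"environment": "SOME_API_PASS"}},
    "services": {
        "backend": {
            "image": "node:alpine",
            "environment": ["API_PASS_FILE=/run/secrets/api_pass"],
            "secrets": [{"source": "api_pass"}],
            "user": "node",
        }
    },
}


def environment_secrets(model: dict[str, Any]) -> set[str]:
    """Names of top-level secrets whose value comes from `environment:`."""
    secrets = model.get("secrets") or {}
    return {name for name, spec in secrets.items()
            if isinstance(spec, dict) and "environment" in spec}


def service_secret_names(service: dict[str, Any]) -> list[str]:
    """Secret names a service mounts; accepts the short (`- name`) and the
    long (`- source: name`) syntax."""
    names: list[str] = []
    for entry in service.get("secrets") or []:
        if isinstance(entry, str):
            names.append(entry)
        elif isinstance(entry, dict) and "source" in entry:
            names.append(str(entry["source"]))
    return names


def user_needs_name_lookup(user: Any) -> bool:
    """True when `user:` contains a name the engine would resolve via passwd/group."""
    if user is None or isinstance(user, int):
        return False
    return NUMERIC_USER.match(str(user)) is None


def find_unresolvable_secret_mounts(model: dict[str, Any]) -> list[dict[str, str]]:
    """One finding per (service, secret) pair that hits the reported failure."""
    env_secrets = environment_secrets(model)
    findings: list[dict[str, str]] = []
    for svc_name, svc in (model.get("services") or {}).items():
        user = svc.get("user")
        if not user_needs_name_lookup(user):
            continue
        for secret in service_secret_names(svc):
            if secret in env_secrets:
                findings.append({"service": svc_name, "secret": secret, "user": str(user)})
    return findings


def load_model(path: str) -> dict[str, Any]:
    """Parse a real compose file into the same dict shape (needs PyYAML)."""
    import yaml  # imported lazily so the offline demo above has no dependency

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    for f in find_unresolvable_secret_mounts(ISSUE_MODEL):
        print(f"service {f['service']!r}: secret {f['secret']!r} is environment-sourced "
              f"but user {f['user']!r} is a name the engine must resolve")
```

Run against the issue's own model it reports the backend/api_pass/node triple; with the secret switched to a `file:` source, or `user:` left unset (the reporter's root run), it reports nothing. Whether a numeric `user:` really sidesteps the lookup on a given engine version is part of the stated assumptions and is worth confirming with the `docker cp -a` check from the comment above before relying on it.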