cannot specify username/group name of docker config when creating docker service #36440

Open
Naitreey opened this issue Feb 28, 2018 · 3 comments
Labels
area/docs area/swarm kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.

Naitreey commented Feb 28, 2018

Description

I'm trying to specify the user and group ownership of a docker config when creating
a docker service in swarm mode. Per the docker config doc, I can use a uid/gid or a user/group name
as the value of the uid=/gid= option. But based on my test, it seems that only a uid/gid
is accepted; otherwise the service fails with the error starting container failed: strconv.Atoi: parsing "<user/group-name-here>": invalid syntax.

Steps to reproduce the issue:

  1. Take the nginx service as an example. Create an empty file foo.conf as the docker config.
  2. Create a service with the following command:
docker service create -d --config \
        source=foo.conf,target=/foo.conf,uid=nginx,gid=nginx \
        --replicas 1 --name nginx \
    nginx:alpine

Describe the results you received:
Service failed to start. docker service ps nginx shows the following:

$ docker service ps --no-trunc nginx
ID                          NAME                IMAGE                                                                                  NODE                     DESIRED STATE       CURRENT STATE                    ERROR                                                                        PORTS
wz83ikaaul0awr9d4nop44n24   nginx.1             nginx:alpine@sha256:48947591194ac5a9dce1e110f9198a547debb21630f121081640b87d99ca8b11                            Ready               Pending less than a second ago                                                                                
27wfuzre1iz3gwcw644h79k9h    \_ nginx.1         nginx:alpine@sha256:48947591194ac5a9dce1e110f9198a547debb21630f121081640b87d99ca8b11   <...>                    Shutdown            Failed less than a second ago    "starting container failed: strconv.Atoi: parsing "nginx": invalid syntax"   
f4zu8squgvk760pefn8ts62jb    \_ nginx.1         nginx:alpine@sha256:48947591194ac5a9dce1e110f9198a547debb21630f121081640b87d99ca8b11   <...>                    Shutdown            Failed 5 seconds ago             "starting container failed: strconv.Atoi: parsing "nginx": invalid syntax"   
j9yx5mtk7p0rs7ylnv9kekw6h    \_ nginx.1         nginx:alpine@sha256:48947591194ac5a9dce1e110f9198a547debb21630f121081640b87d99ca8b11   <...>                    Shutdown            Failed 10 seconds ago            "starting container failed: strconv.Atoi: parsing "nginx": invalid syntax"

Describe the results you expected:
Service starts successfully.

Additional information you deem important (e.g. issue happens only occasionally):
With uid/gid rather than name, service starts successfully.

Output of docker version:

Docker version 18.02.0-ce, build fc4de447b5

Output of docker info:

Containers: 19
 Running: 1
 Paused: 0
 Stopped: 18
Images: 24
Server Version: 18.02.0-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
 NodeID: 4m0cef9637sue7o62ujt2ghei
 Is Manager: true
 ClusterID: l2e2hwgoirkr6v85bxsax1cn8
 Managers: 1
 Nodes: 1
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0
 Autolock Managers: false
 Root Rotation In Progress: false
 Node Address: 192.168.99.1
 Manager Addresses:
  192.168.99.1:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9b55aab90508bd389d7654c4baf173a981477d55
runc version: 9f9c96235cc97674e935002fc3d78361b696a69e
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.15.5-1-ARCH
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.712GiB
Name: <...>
ID: 6L44:BPEL:FEEL:D57Z:UXC5:Z3J3:LGYQ:2E2I:NDRD:EQRE:EA75:ZYBL
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

  • OS: Arch Linux
@masseybradley

Old but still seems relevant using latest version:

Client: Docker Engine - Community
 Version:           19.03.4
 API version:       1.40
 Go version:        go1.12.10
 Git commit:        9013bf583a
 Built:             Fri Oct 18 15:54:09 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.4
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.10
  Git commit:       9013bf583a
  Built:            Fri Oct 18 15:52:40 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

... the doc states: "You can set the ownership (uid and gid) for the config, using either the numerical ID or the name of the user or group." however setting a numerical value for uid or gid in the docker-compose.yml bombs out with services.myservice.configs.0.uid must be a string / services.myservice.configs.0.gid must be a string. Setting a string and it bombs out with "starting container failed: strconv.Atoi: parsing "value": invalid syntax".

@thaJeztah
Member

Looks like the API accepts strings for these properties, but the daemon expects numeric values;

	uid, err := strconv.Atoi(configRef.File.UID)
	if err != nil {
		return err
	}
	gid, err := strconv.Atoi(configRef.File.GID)
	if err != nil {
		return err
	}
	if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
		return errors.Wrap(err, "error setting ownership for config")
	}
	if err := os.Chmod(fPath, configRef.File.Mode); err != nil {
		return errors.Wrap(err, "error setting file mode for config")
	}

(there's currently no translation from user/group names to uid/gid, based on users known to the container)

Not sure if that was originally designed to be included, but didn't get implemented, if this was for "future enhancement", or if it just slipped through when creating the documentation.

Perhaps @ehazlett recalls? (I didn't dig into history yet)

At least for now, the docs should be updated to reflect the current state

@thaJeztah thaJeztah added area/docs kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. labels Dec 12, 2019
@EligiusSantori

Getting a similar problem when trying to pass a secret via the API.

This does not work:
{"File": {"Name": "test"}, "SecretID": "...", "SecretName": "test"}
Nor does this:
{"File": {"Name": "test", "UID": "www-data", "GID": "www-data"}, "SecretID": "...", "SecretName": "test"}
But this seems to work:
{"File": {"Name": "test", "UID": "33", "GID": "33"}, "SecretID": "...", "SecretName": "test"}

Server Version: 20.10.14
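
Added example (not part of the thread and not Docker's code): the daemon snippet quoted above hands the UID/GID strings straight to strconv.Atoi, so a user or group name has to be translated to a numeric ID before it reaches `--config` or the API payload. `ResolveID` is a hypothetical client-side helper, and the passwd data is a constructed sample, not read from any real image.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of an image's /etc/passwd (IDs are illustrative only).
const samplePasswd = `root:x:0:0:root:/root:/bin/ash
nginx:x:101:101:nginx:/var/lib/nginx:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/sbin/nologin
`

// ResolveID (hypothetical helper) turns a uid=/gid= value into the decimal
// string that the daemon's strconv.Atoi call accepts. Numeric input passes
// through; a name is looked up in passwd- or group-format data (name:x:id:...).
// Unknown names are an error: falling back to 0 would make the file root-owned.
func ResolveID(value, db string) (string, error) {
	if n, err := strconv.Atoi(value); err == nil {
		if n < 0 {
			return "", fmt.Errorf("negative id %q", value)
		}
		return strconv.Itoa(n), nil
	}
	sc := bufio.NewScanner(strings.NewReader(db))
	for sc.Scan() {
		f := strings.Split(strings.TrimSpace(sc.Text()), ":")
		if len(f) < 3 || f[0] != value {
			continue // blank, malformed, or a different account
		}
		id, err := strconv.Atoi(f[2])
		if err != nil || id < 0 {
			return "", fmt.Errorf("malformed id field for %q", value)
		}
		return strconv.Itoa(id), nil
	}
	return "", fmt.Errorf("no entry for %q", value)
}

func main() {
	uid, err := ResolveID("nginx", samplePasswd)
	if err != nil {
		fmt.Println("refusing to create service:", err)
		return
	}
	fmt.Printf("source=foo.conf,target=/foo.conf,uid=%s\n", uid)
}
```

For the gid= value, feed the same helper the image's /etc/group content, where the third field is the group ID.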
