Description
Background
Hello there!
While developing using compose, my primary deploy target is swarm so I am using file secrets most of the time.
Finding
While trying to make the development process more convenient using compose, I also started overriding the file: directive in the root-level secrets with environment: using compose.override.yml.
Recently I noticed the following error when the USER running in the container is not root but, e.g., node (using the node:alpine image): Error response from daemon: getent unable to find entry "node" in passwd database
Question(s)
Is this the expected result I have to deal with because compose just mimics the features of swarm?
Does anyone have a hint on how to make running as the desired non-root user plus environment-fed secrets work, while dealing with the differences between "stack deploy" and "compose up"?
Steps To Reproduce
From: https://github.com/jawys/test-compose-secrets-environment
- Copy the following compose.yaml

```yaml
version: "3.8"
secrets:
  api_pass:
    environment: SOME_API_PASS
services:
  backend:
    image: node:alpine
    environment:
      - API_PASS_FILE=/run/secrets/api_pass
    secrets:
      - source: api_pass
    command:
      - sh
      - -c
      - set -x; ls -la /run/secrets; id
    user: node
name: test-compose-secrets-environment
```
- Run docker compose up with SOME_API_PASS env set inline

```
❯ SOME_API_PASS=SOME_API_PASS docker compose -f compose.yaml up
[+] Running 1/2
 ✔ Network test-compose-secrets-environment_default    Created    0.0s
 ⠋ Container test-compose-secrets-environment-backend-1  Creating   0.0s
Error response from daemon: getent unable to find entry "node" in passwd database
```

- Seeing an error?! Try again...

```
❯ SOME_API_PASS=SOME_API_PASS docker compose -f compose.yaml up
Attaching to test-compose-secrets-environment-backend-1
test-compose-secrets-environment-backend-1  | + ls -la /run/secrets
test-compose-secrets-environment-backend-1  | ls: /run/secrets: No such file or directory
test-compose-secrets-environment-backend-1  | uid=1000(node) gid=1000(node) groups=1000(node)
test-compose-secrets-environment-backend-1  | + id
test-compose-secrets-environment-backend-1 exited with code 0
```
- Comment out the user: node directive so that the user is root
--- a/compose.yaml
+++ b/compose.yaml
@@ -15,6 +15,6 @@ services:
- sh
- -c
- set -x; ls -la /run/secrets; id
- user: node
+ # user: node
name: test-compose-secrets-environment
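Review bot: commenting out `user: node` (the `- user: node` / `+ # user: node` pair) makes the reproduction pass by running the service as root, i.e. by discarding the least-privilege setting rather than by fixing secret delivery, so this hunk should stay a diagnostic step and not become the workaround. The root run below lists the mounted secret as `-r-------- 1 root root ... api_pass`, so even once the daemon error is gone a `node` user (uid 1000 in the `id` output) could not read it; the change worth trying instead is keeping `user: node` and setting `uid`, `gid` and `mode` on the service's long-syntax entry (`- source: api_pass`), then re-checking with the existing `ls -la /run/secrets; id` command.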
- Run compose up again, running the container as root

```
❯ SOME_API_PASS=SOME_API_PASS docker compose -f compose.yaml up
[+] Running 1/1
 ✔ Container test-compose-secrets-environment-backend-1  Recreated   0.1s
Attaching to test-compose-secrets-environment-backend-1
test-compose-secrets-environment-backend-1  | + ls -la /run/secrets
test-compose-secrets-environment-backend-1  | /run/secrets:
test-compose-secrets-environment-backend-1  | total 12
test-compose-secrets-environment-backend-1  | drwxr-xr-x    2 root     root          4096 May 22 13:36 .
test-compose-secrets-environment-backend-1  | drwxr-xr-x    1 root     root          4096 May 22 13:36 ..
test-compose-secrets-environment-backend-1  | -r--------    1 root     root            13 May 22 13:36 api_pass
test-compose-secrets-environment-backend-1  | + id
test-compose-secrets-environment-backend-1  | uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
test-compose-secrets-environment-backend-1 exited with code 0
```
Compose Version
```
❯ docker compose version ; docker-compose version
Docker Compose version v2.17.3
Docker Compose version v2.17.3
```
Docker Environment
```
❯ docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /Users/jan/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /Users/jan/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/jan/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.19
    Path:     /Users/jan/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.4
    Path:     /Users/jan/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/jan/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/jan/.docker/cli-plugins/docker-scan
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  v0.10.0
    Path:     /Users/jan/.docker/cli-plugins/docker-scout

Server:
 Containers: 62
  Running: 12
  Paused: 0
  Stopped: 50
 Images: 47
 Server Version: 23.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: 8oy48bax3dyaf4ynlyqxn57n1
  Is Manager: true
  ClusterID: yj2jkmvdi1wnp7lfng9f5zfpy
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.65.3
  Manager Addresses:
   192.168.65.3:2377
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.49-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 15.61GiB
 Name: docker-desktop
 ID: 00936b35-ea60-4a06-85aa-b7bc97079fab
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false
```
Anything else?
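The layering the report describes (a swarm-facing base file with a file: secret, and a compose.override.yml that swaps in an environment: source for local development) written out as an added example; this is not the reporter's repository, and it keeps user: node in place instead of dropping to root. Assumptions: the host path ./secrets/api_pass for the swarm target, uid/gid 1000 taken from the id output in the reproduction, the service script name being whatever the real image runs (the diagnostic command from the report is kept here), and that the uid/gid/mode fields of the long secret syntax are honoured for environment-sourced secrets by the compose version in use, which this report does not establish and which the in-container ls -la / id check is there to confirm.

```yaml
# --- compose.yaml (base, used by both `docker stack deploy` and `docker compose up`) ---
# Constructed example, not code from the reporter's repository.
version: "3.8"

secrets:
  api_pass:
    file: ./secrets/api_pass        # assumed host path; only present on the deploying machine

services:
  backend:
    image: node:alpine
    user: node                      # keep least privilege in both deploy targets
    environment:
      - API_PASS_FILE=/run/secrets/api_pass
    secrets:
      - source: api_pass
        target: api_pass
        uid: "1000"                 # node's uid/gid in node:alpine, per the `id` output above
        gid: "1000"
        mode: 0400                  # readable by the service user only, not world-readable
    command:
      - sh
      - -c
      - |
        set -x
        ls -la /run/secrets
        id
        # Fail closed: refuse to start if the secret is missing or unreadable
        # by the current user, instead of starting without credentials.
        test -r "$API_PASS_FILE" || { echo "secret $API_PASS_FILE not readable as $(id -un)" >&2; exit 1; }

---
# --- compose.override.yml (development only; picked up automatically by `docker compose up`) ---
# Replaces the file source with an environment variable so no secret file
# has to exist in the working tree. `name:` lives here because it is a
# compose-only top-level key (assumed not needed for the stack target).
name: test-compose-secrets-environment

secrets:
  api_pass:
    environment: SOME_API_PASS
```

With both files in place, `SOME_API_PASS=... docker compose up` uses the environment source and `docker stack deploy -c compose.yaml` uses the file source without either side editing the service definition. The uid/gid/mode entries are what lets a non-root user read a mounted secret at all: the root-run listing in the reproduction shows the default mount is 0400 and owned by root, which a node process could never read. This layout does not change the getent error itself; the readability check only makes a missing or unreadable secret an immediate, visible failure rather than a container that silently runs without it.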