Secrets in docker compose

Question
My environment is an Ubuntu 18.04 VPS.

I can't get file-based secrets to work with mariadb in a docker container.

- Create `docker-compose.yml`:

```yaml
version: '3.7'
services:
  db:
    image: mariadb:10.4.8-bionic
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password_root
      - MYSQL_PASSWORD_FILE=/run/secrets/password_user
      - MYSQL_DATABASE=database
      - MYSQL_USER=admin
    secrets:
      - password_root
      - password_user
secrets:
  password_root:
    file: .secret_password_root
  password_user:
    file: .secret_password_user
```

- Create the secrets:

```sh
echo -n secret > .secret_password_root
echo -n secret > .secret_password_user
chown root:root .secret_password*
chmod 400 .secret_password*
```

(Note that I can set 444, but that would expose the secrets file on the host, which is a very bad idea.)

- Run:

```sh
docker-compose up
```

Error:

```
db_1 | /usr/local/bin/docker-entrypoint.sh: line 37: /run/secrets/password_root: Permission denied
```

According to the docs, the secrets file should be mounted as 0444, but that's obviously not happening.
Recommended answer

Apparently this is not supported for "docker compose", only for "docker swarm". The docs are misleading.

Docker Compose doesn't support real (swarmkit) secrets, and imitates them by bind-mounting the file directly into the container (which means that permissions on the host are the same as in the container).

You can change the ownership of the file on the host to match the uid/gid of the user in the container, but otherwise I don't think there's much that can be done, unfortunately.