Secrets in docker compose


Problem description

My environment is an Ubuntu 18.04 VPS.

I can't get file-based secrets to work with mariadb in a docker container.

  1. Create docker-compose.yml:

version: '3.7'
services:
  db:
    image: mariadb:10.4.8-bionic
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/password_root
      - MYSQL_PASSWORD_FILE=/run/secrets/password_user
      - MYSQL_DATABASE=database
      - MYSQL_USER=admin
    secrets:
      - password_root
      - password_user
secrets:
  password_root:
    file: .secret_password_root
  password_user:
    file: .secret_password_user

  2. Create the secrets:

echo -n secret > .secret_password_root
echo -n secret > .secret_password_user
chown root:root .secret_password*
chmod 400 .secret_password*

(Note that I can set 444, but that would expose the secrets file on the host which is a very bad idea.)

  3. Run:

docker-compose up

Error:

db_1 | /usr/local/bin/docker-entrypoint.sh: line 37: /run/secrets/password_root: Permission denied

According to the docs, the secrets file should be mounted as 0444, but that's obviously not happening.

Recommended answer

Apparently this is not supported for "docker compose", only for "docker swarm". The docs are misleading.

Docker Compose doesn't support real (swarmkit) secrets, and imitates them by bind-mounting the file directly into the container (which means that permissions on the host are the same as in the container).

You can change the ownership of the file on the host to match the uid/gid of the user in the container, but otherwise I don't think there's much that can be done, unfortunately.
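Added example (not code from the question or the answer above): a shell check that models the permission test the kernel applies when Compose bind-mounts a secret file with its host ownership and mode intact, and prints the least-privilege fix the answer describes instead of falling back to 0444. It assumes Linux with GNU coreutils (`stat -c`) and, for the demo only, that the database process in the container runs as uid/gid 999 (an assumption, not stated on the page).

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer.
# docker-compose bind-mounts the secret file, so the host file's owner, group
# and mode bits decide whether the container's DB process can open it. This
# models that check (owner/group/other read bit, root bypass; supplementary
# groups are left out for brevity) so the "Permission denied" seen in the
# entrypoint can be predicted before running "docker-compose up".
# Assumes Linux with GNU coreutils (stat -c '%u %g %a').

# secret_readable_by FILE UID GID -> 0 if a process with that uid/gid can
# read FILE, 1 otherwise (also 1 if FILE does not exist).
secret_readable_by() {
  local file=$1 uid=$2 gid=$3 out owner group mode perm bits
  out=$(stat -c '%u %g %a' "$file" 2>/dev/null) || return 1
  set -- $out
  owner=$1 group=$2 mode=$3
  [ "$uid" -eq 0 ] && return 0          # root is not subject to mode bits
  perm=$((0$mode))                      # stat prints octal, e.g. 400 -> 0400
  if   [ "$uid" -eq "$owner" ]; then bits=$(( (perm >> 6) & 7 ))
  elif [ "$gid" -eq "$group" ]; then bits=$(( (perm >> 3) & 7 ))
  else                                bits=$((  perm       & 7 ))
  fi
  [ $((bits & 4)) -ne 0 ]               # read bit of the selected triad
}

# check_compose_secret FILE UID GID: report whether the container process can
# read FILE and, if not, print the fix from the answer: match the file's
# ownership to the container uid/gid while keeping the mode at 0400.
check_compose_secret() {
  local file=$1 uid=$2 gid=$3
  if secret_readable_by "$file" "$uid" "$gid"; then
    echo "OK      $file is readable by uid=$uid gid=$gid"
    return 0
  fi
  echo "DENIED  $file would fail in the entrypoint for uid=$uid gid=$gid"
  echo "        fix: chown $uid:$gid '$file' && chmod 400 '$file'"
  return 1
}

# Demo reproducing the question's setup in a scratch directory. uid/gid 999
# is an assumed value for the mysql user inside the mariadb image.
demo_dir=$(mktemp -d)
printf '%s' secret > "$demo_dir/.secret_password_root"   # constructed sample
chmod 400 "$demo_dir/.secret_password_root"
check_compose_secret "$demo_dir/.secret_password_root" 999 999 || true
rm -rf "$demo_dir"
```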

