Secret permission doesn't seem to respect the documentation
Description
I'm trying to mount my SSH key into my container and decided to use the secret in my docker compose file, but when I try to use my SSH key inside my devcontainer I get a message:
It is recommended that your private key files are NOT accessible by others. This private key will be ignored.
Reproduce
Create a docker compose file:

```yaml
services:
  app:
    build:
      context: ../v4
      dockerfile: ../.devcontainer/Dockerfile
    secrets:
      - private_ssh_key
    links:
      - db
    depends_on:
      - db
    volumes:
      - ../v4/:/var/www/html/v4/
      - ./scripts:/var/run/scripts/
    ports:
      - "8001:80"

secrets:
  private_ssh_key:
    file: ~/.ssh/bitbucket_rsa
```
According to the documentation, the file should be mounted under /run/secrets/private_key_ssh WITH a permission of 0440: https://docs.docker.com/compose/compose-file/05-services/#long-syntax-4
But when I `ls -l` the folder, I get this:
I even tried using the long syntax, but still got the same result.
Expected behavior
I would expect to have a file with permission 0440.
docker version
```
Client:
 Version:           27.0.3
 API version:       1.46
 Go version:        go1.21.11
 Git commit:        7d4bcd8
 Built:             Sat Jun 29 00:03:32 2024
 OS/Arch:           windows/amd64
 Context:           desktop-linux

Server: Docker Desktop 4.32.0 (157355)
 Engine:
  Version:          27.0.3
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.11
  Git commit:       662f78c
  Built:            Sat Jun 29 00:02:50 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.18
  GitCommit:        ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc:
  Version:          1.7.18
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
docker info
```
PS C:\Users\DavidPelletier> docker info
Client:
 Version:    27.0.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.15.1-desktop.1
    Path:     C:\Program Files\Docker\cli-plugins\docker-buildx.exe
  compose: Docker Compose (Docker Inc.)
    Version:  v2.28.1-desktop.1
    Path:     C:\Program Files\Docker\cli-plugins\docker-compose.exe
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.32
    Path:     C:\Program Files\Docker\cli-plugins\docker-debug.exe
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.14
    Path:     C:\Program Files\Docker\cli-plugins\docker-desktop.exe
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     C:\Program Files\Docker\cli-plugins\docker-dev.exe
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     C:\Program Files\Docker\cli-plugins\docker-extension.exe
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     C:\Program Files\Docker\cli-plugins\docker-feedback.exe
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-init.exe
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-sbom.exe
  scout: Docker Scout (Docker Inc.)
    Version:  v1.10.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-scout.exe

Server:
 Containers: 18
  Running: 3
  Paused: 0
  Stopped: 15
 Images: 16
 Server Version: 27.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 5.15.146.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 5.789GiB
 Name: docker-desktop
 ID: 93837cf5-3fa5-4ef6-b524-ffe0f864d998
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=npipe://\\.\pipe\docker_cli
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile
```
Diagnostics ID
209F3B5D-7998-4AF9-89BD-2F6C742F405B/20240705160933
Additional Info
No response
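An added check (my example, not code from the issue or from Docker Compose): the script below applies the same permission test OpenSSH runs on a private key (it refuses the file if any group or other bit is set, so the 0440 the Compose documentation promises also fails it, just like the wider mode reported here) to whatever the container actually received under /run/secrets, and stages a 0600 copy that the key loader accepts. It assumes a Linux container with GNU or BusyBox `stat`; file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the issue or from Docker Compose.
# Assumes GNU or BusyBox stat(1) (the -c '%a' form), as found in Linux images.

# Replicate OpenSSH's private-key permission test: the key is refused when
# any group/other bit is set (mode & 0077 != 0). That is the check behind the
# "NOT accessible by others ... will be ignored" message, and it rejects the
# 0440 that the Compose documentation describes just as it rejects 0644.
# Returns 0 when ssh would accept the file, 1 when it would refuse it,
# 2 when the file cannot be inspected.
ssh_key_perm_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # %a prints the octal mode without a leading 0; prepend one so the
    # shell parses it as octal before masking off the owner bits.
    [ $(( 0$mode & 0077 )) -eq 0 ]
}

# Work around a read-only secret mount with too-wide permissions: copy the key
# to a path the container user owns with mode 0600 in one step, so the copy
# never exists with wider permissions. Contents are unchanged.
stage_ssh_key() {
    src=$1; dst=$2
    install -m 0600 "$src" "$dst"
}

# Demonstration on constructed files (the "key" is placeholder text, not a
# real private key): the secret at the documented 0440, then the staged copy.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed placeholder, not a real key\n' > "$tmp/private_ssh_key"
    chmod 0440 "$tmp/private_ssh_key"
    if ssh_key_perm_ok "$tmp/private_ssh_key"; then
        echo "secret at 0440: accepted"
    else
        echo "secret at 0440: refused by the ssh permission check"
    fi
    stage_ssh_key "$tmp/private_ssh_key" "$tmp/id_rsa"
    if ssh_key_perm_ok "$tmp/id_rsa"; then
        echo "staged copy at $(stat -c '%a' "$tmp/id_rsa"): accepted"
    fi
    rm -rf "$tmp"
}

demo
```

Inside a devcontainer the same two functions can be pointed at the real mount, e.g. `ssh_key_perm_ok /run/secrets/private_ssh_key`, to confirm which mode the secret actually got before blaming the key itself.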
cc @dvdksn
PTAL @aevesdocker
I see that the tag kind/docs has been added, but I wonder whether that is the correct tag. IMHO it sounds like a bug in Docker Desktop on Windows that doesn't mount the secret with the correct permission.
To add some context, I'm trying to use the container as a "devcontainer", and my stack uses Laravel with Composer (dependency manager); one of our packages requires cloning a repo from Bitbucket using our SSH key, which is what prompted me to try the secrets mechanism of Docker.
I guess in the meantime I will fall back to using environment variables....