Container in Ubuntu aarch64 machine cannot use Docker Secrets feature
I once built a postgres container on an Ubuntu x86_64 machine, and everything was fine. Yet when I tried to build the container with the same commands on an Ubuntu aarch64 machine, it failed.
The commands are:
docker volume create pgdata
docker create --name=mydb -e POSTGRES_DB=wiki -e POSTGRES_USER=wiki -e POSTGRES_PASSWORD_FILE=/etc/wiki/.db-secret -v /etc/wiki/.db-secret:/etc/wiki/.db-secret:ro -v pgdata:/var/lib/postgresql/data --restart=unless-stopped -h db --network=wikinet postgres:17
docker start mydb
Using the docker ps command to check the container status shows the following:
CONTAINER ID   IMAGE         COMMAND                  CREATED          STATUS                                  PORTS     NAMES
bad868f86f56   postgres:17   "docker-entrypoint.s…"   30 seconds ago   Restarting (1) Less than a second ago             mydb
Then, debugging with the docker logs mydb command shows:
Error: Database is uninitialized and superuser password is not specified. You must specify POSTGRES_PASSWORD to a non-empty value for the superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
connections without a password. This is *not* recommended.
See PostgreSQL documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
Then I modified the commands, using POSTGRES_PASSWORD instead of POSTGRES_PASSWORD_FILE, and it worked. I checked postgres:17, postgres:16, postgres:15, and they had the same error.
Are you certain that /etc/wiki/.db-secret exists on the new host? If it doesn't, then with -v Docker will auto-create it as a directory, which will then have surprising behavior inside the container (that's expecting it to be a file). You can double check this with ls -ld /etc/wiki/.db-secret as your container command and on the host. I'd also suggest switching from -v to the more verbose --mount flag, which avoids this behavior (although if your -v already created the directory, it obviously won't fix that for you).
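The host-side check and the --mount form suggested in the reply above, as an added example that is not part of the thread. The function names and return codes are assumptions made for illustration, and the check on the "other" permission bits is an extra added here.

```shell
#!/bin/sh
# Added example: host-side preflight for a bind-mounted secret file.

# check_secret_file PATH
# 0 usable | 1 missing | 2 directory (what -v creates for a missing source)
# 3 not a regular file | 4 empty | 5 readable/writable by "other" on the host
check_secret_file() {
    f=$1
    if [ ! -e "$f" ]; then return 1; fi
    if [ -d "$f" ]; then return 2; fi
    if [ ! -f "$f" ]; then return 3; fi
    if [ ! -s "$f" ]; then return 4; fi
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld -- "$f" | cut -c8-10)
    if [ "$other" != "---" ]; then return 5; fi
    return 0
}

# mount_arg PATH
# Prints the --mount equivalent of "-v PATH:PATH:ro". With --mount, docker
# reports an error for a missing source instead of creating a directory.
mount_arg() {
    printf 'type=bind,source=%s,target=%s,readonly' "$1" "$1"
}

# Demo on constructed paths in a temporary directory (not the real secret).
d=$(mktemp -d)
printf 'constructed-password\n' > "$d/secret"; chmod 600 "$d/secret"
mkdir "$d/autocreated"        # stands in for a directory that -v created
for p in "$d/secret" "$d/autocreated" "$d/missing"; do
    rc=0; check_secret_file "$p" || rc=$?
    echo "$p -> $rc"
done
rm -rf "$d"

# The page's create command with the bind mount expressed through --mount.
echo "docker create --name=mydb -e POSTGRES_DB=wiki -e POSTGRES_USER=wiki" \
     "-e POSTGRES_PASSWORD_FILE=/etc/wiki/.db-secret" \
     "--mount $(mount_arg /etc/wiki/.db-secret)" \
     "-v pgdata:/var/lib/postgresql/data --restart=unless-stopped" \
     "-h db --network=wikinet postgres:17"
```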
Yes. I created this file with this command
openssl rand -base64 32 > /etc/wiki/.db-secret
And I checked to confirm that it contained the correct characters. I even tried to hand-write a password in this file, and it behaved the same.
The response of ls -ld /etc/wiki/.db-secret is:
-rw-rw-r-- 1 root root 16 May 7 23:45 /etc/wiki/.db-secret