
The docker stack deploy command does not mount secrets correctly when a service spec is overridden

Open qoobic opened this issue 4 years ago • 2 comments

Description

When using docker stack deploy with multiple compose files overriding the same service spec, the secrets defined in the base spec are munged, at least in the case where the same secret (e.g. foobar) is mounted to multiple target locations (i.e. foobar --> /run/secrets/foobar1 and foobar --> /run/secrets/foobar2).

For information, I encountered this issue when creating a base configuration for a server and providing an override file with extra environment variables set depending on use-case, even without the override file modifying the secrets.

File: foobar.yml

version: '3.7'

services:
  foobar:
    image: nginx
    secrets:
      - source: foobar
        target: foobar1
      - source: foobar
        target: foobar2

secrets:
  foobar:
    file: foobar.secret

File: foobar-extend.yml

version: '3.7'

services:
  foobar:
    environment:
      HELLO: WORLD

File: foobar.secret

foobar

Steps to reproduce the issue:

  1. Create files as specified above.
  2. Run docker stack deploy -c foobar.yml -c foobar-extend.yml foobar.
  3. Run docker service inspect foobar_foobar | jq -r ".[0].Spec.TaskTemplate.ContainerSpec.Secrets" to evaluate the secrets mounted onto the service.

Describe the results you received:

The secret foobar is only mounted into one of the two locations.

[
  {
    "File": {
      "Name": "foobar2",
      "UID": "0",
      "GID": "0",
      "Mode": 292
    },
    "SecretID": "7szqcfqgk62xwy4j4r7ldi92k",
    "SecretName": "foobar_foobar"
  }
]

Describe the results you expected:

The secret foobar should be mounted into both /run/secrets/foobar1 and /run/secrets/foobar2.

Additional information you deem important (e.g. issue happens only occasionally):

I have Swarm mode active, I have not tried the same test with Swarm mode inactive.

Output of docker version:

Client:
 Version:           19.03.6-ce
 API version:       1.40
 Go version:        go1.13.4
 Git commit:        369ce74
 Built:             Fri May 29 04:01:26 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.6-ce
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.4
  Git commit:       369ce74
  Built:            Fri May 29 04:01:57 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.2
  GitCommit:        ff48f57fc83a8c44cf4ad5d672424a98ba37ded6
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Additional environment details (AWS, VirtualBox, physical, etc.):

AWS Workspace

qoobic, Nov 18 '20 17:11
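The report gives the two files, the deploy command and the inspect output but no explanation of where the second mount goes. The following is an added example, not code from the issue or from docker/cli: a small Python model of the override merge that reproduces the observed result, beside a merge that keeps both mounts, plus the check a practitioner would script around `docker service inspect`. It assumes (an assumption, not confirmed by the report) that the loader de-duplicates a service's secrets list by `source` when merging files, so the second entry overwrites the first; the compose data and the inspect JSON below are constructed in-memory copies of what the report shows.

```python
"""Model of a compose override merge that drops a duplicate secret source,
the fix of keying on (source, target), and a check against inspect output.
Added example; the merge functions are a model, not docker/cli's code."""
import json

# Constructed in-memory equivalents of foobar.yml and foobar-extend.yml.
BASE = {
    "services": {
        "foobar": {
            "image": "nginx",
            "secrets": [
                {"source": "foobar", "target": "foobar1"},
                {"source": "foobar", "target": "foobar2"},
            ],
        }
    },
    "secrets": {"foobar": {"file": "foobar.secret"}},
}
OVERRIDE = {"services": {"foobar": {"environment": {"HELLO": "WORLD"}}}}


def _norm(entry):
    """Accept both the short form (`- foobar`) and the long form of a secret entry."""
    if isinstance(entry, str):
        return {"source": entry, "target": entry}
    return {"source": entry["source"], "target": entry.get("target", entry["source"])}


def merge_secrets_by_source(base, override):
    """ASSUMED buggy behaviour: entries keyed by source only, so a second mount
    of the same secret overwrites the first (last one wins)."""
    merged = {}
    for entry in map(_norm, base + override):
        merged[entry["source"]] = entry
    return list(merged.values())


def merge_secrets_by_source_and_target(base, override):
    """Key on (source, target): the same secret may be mounted at several paths,
    while an override with the same key still replaces the base entry."""
    merged = {}
    for entry in map(_norm, base + override):
        merged[(entry["source"], entry["target"])] = entry
    return list(merged.values())


def merge_service(base, override, secret_merger):
    """Merge one service spec: maps are merged key-wise, scalars from the
    override win, and the secrets list goes through secret_merger."""
    result = dict(base)
    for key, value in override.items():
        if key == "secrets":
            continue
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = {**result[key], **value}
        else:
            result[key] = value
    result["secrets"] = secret_merger(base.get("secrets", []), override.get("secrets", []))
    return result


def expected_targets(service):
    """Target file names the compose spec asks for under /run/secrets/."""
    return {_norm(e)["target"] for e in service.get("secrets", [])}


def mounted_targets(inspect_output):
    """Target file names actually present in `docker service inspect` output
    (the .[0].Spec.TaskTemplate.ContainerSpec.Secrets path used in the report)."""
    data = json.loads(inspect_output)
    secrets = data[0]["Spec"]["TaskTemplate"]["ContainerSpec"].get("Secrets") or []
    return {s["File"]["Name"] for s in secrets}


def missing_targets(service, inspect_output):
    """Targets the spec declares that the deployed service does not mount."""
    return expected_targets(service) - mounted_targets(inspect_output)


# Constructed copy of the inspect output shown in the report (one entry, not two).
INSPECT_OUTPUT = json.dumps([{"Spec": {"TaskTemplate": {"ContainerSpec": {"Secrets": [
    {"File": {"Name": "foobar2", "UID": "0", "GID": "0", "Mode": 292},
     "SecretID": "7szqcfqgk62xwy4j4r7ldi92k", "SecretName": "foobar_foobar"}]}}}}])

if __name__ == "__main__":
    base, over = BASE["services"]["foobar"], OVERRIDE["services"]["foobar"]
    for label, merger in (("keyed by source", merge_secrets_by_source),
                          ("keyed by (source, target)", merge_secrets_by_source_and_target)):
        print(label, "->", sorted(expected_targets(merge_service(base, over, merger))))
    print("not mounted after deploy:", sorted(missing_targets(base, INSPECT_OUTPUT)))
```

In practice the last function is the check worth keeping: feed it the real `docker service inspect <stack>_<service>` JSON and the base service spec, and a non-empty result means a declared secret target never reached the container, whether the cause is this merge behaviour or a stale service that was not updated on redeploy.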

@thaJeztah I would love to work on this. Please provide pointers and input on how to work on it. Thanks.

adeniyistephen, Nov 23 '20 10:11

+1, the bug exists. If you add/update/remove secrets (for example by using the secret name feature in the compose file), the service does not get the updated configuration from the compose file (when using docker stack deploy); I had to kill and recreate the service manually.

thefex, Jul 04 '22 15:07