docker
[BUG] regression in compose secrets handling for include files between versions Docker version 26.1.4, build 5650f9b and 27.1.1, build 6312585
Description
After upgrading docker desktop for mac from 4.31.0 (153195) to version 4.33.0 (160616) our compose based (development) setup stopped working with secrets.one-token Additional property content is not allowed and similar errors, when compose file using secret is included from another file. We are using ARM Mac on macOS Sonoma 14.5.
Steps To Reproduce
create two compose files in peer directories one and two:
one/compose.yml:
name: one
services:
one:
image: busybox:latest
command: ["sh", "-c", "cat /run/secrets/one-secret-token"]
platform: linux/amd64
secrets:
- one-secret-token
secrets:
one-secret-token:
environment: "access_token"
(this configuration is valid according to docker compose config --quiet (exit 0) and starts if provided environment value without a problem:
access_token='secret value 1' docker compose up --force-recreate
[+] Running 1/0
✔ Container one-one-1 Recreated 0.0s
Attaching to one-1
one-1 | secret value 1
one-1 exited with code 0
Follow by creating in peer folder (two/compose.yml):
name: two
include:
- ../one/compose.yml
services:
two:
depends_on:
one:
condition: service_completed_successfully
image: busybox:latest
command: ["sh", "-c", "ls -al /run/secrets"]
platform: linux/amd64
this will also pass validation docker compose config --quiet is still zero. but attempt to start it $ access_token=access_token='secret value 2' docker compose up --force-recreate will result in exit status code 15 with message:
validating /Users/ervin/sandbox/compose-env-secrets-repro/two/compose.yml: secrets.one-secret-token Additional property content is not allowed
We did validate that on older docker desktop (4.31.0 (153195), Docker version 26.1.4, build 5650f9b) this works as expected, but (Docker Desktop 4.33.0 (160616) is not working anymore.
Compose Version
$ docker compose version
Docker Compose version v2.29.1-desktop.1
$ docker-compose version
Docker Compose version v2.29.1-desktop.1
$ docker context show
default
Docker Environment
$ docker info
Client:
Version: 27.1.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.16.1-desktop.1
Path: /Users/ervin/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.29.1-desktop.1
Path: /Users/ervin/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.34
Path: /Users/ervin/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Alpha) (Docker Inc.)
Version: v0.0.14
Path: /Users/ervin/.docker/cli-plugins/docker-desktop
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: /Users/ervin/.docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.25
Path: /Users/ervin/.docker/cli-plugins/docker-extension
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.5
Path: /Users/ervin/.docker/cli-plugins/docker-feedback
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.3.0
Path: /Users/ervin/.docker/cli-plugins/docker-init
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/ervin/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.11.0
Path: /Users/ervin/.docker/cli-plugins/docker-scout
Server:
Containers: 7
Running: 3
Paused: 0
Stopped: 4
Images: 129
Server Version: 27.1.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
runc version: v1.1.13-0-g58aa920
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
cgroupns
Kernel Version: 6.10.0-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 10
Total Memory: 7.655GiB
Name: docker-desktop
ID: 5eeb43b1-0755-4379-88de-886726381b20
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/ervin/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
WARNING: daemon is not using the default seccomp profile
Anything else?
one click reproduction, execute following as bash script:
#!/usr/bin/env bash
set -euxo pipefail
docker --version
demo_dir="$(mktemp -d)"
pushd "${demo_dir}"
mkdir one
pushd one
cat - <<COMPOSE_ONE > compose.yml
name: one
services:
one:
image: busybox:latest
command: ["sh", "-c", "cat /run/secrets/one-secret-token"]
platform: linux/amd64
secrets:
- one-secret-token
secrets:
one-secret-token:
environment: "access_token"
COMPOSE_ONE
docker compose config
echo "one, passed config validation check"
access_token="secret_value" docker compose up --detach
docker compose logs --follow
popd
# Now add second compose file linking to first one:
mkdir two
pushd two
cat - <<COMPOSE_TWO > compose.yml
name: two
include:
- ../one/compose.yml
services:
two:
depends_on:
one:
condition: service_completed_successfully
image: busybox:latest
command: ["sh", "-c", "ls -al /run/secrets"]
platform: linux/amd64
COMPOSE_TWO
docker compose config
echo "two, passed config validation check"
access_token="secret_value2" docker compose up
echo "All done"
popd
@ervin-pactum thank you for the details! pushed fix https://github.com/compose-spec/compose-go/pull/669 , @ndeloof check please
Bump, is there any problem to reproduce, or any other reason why this is still https://github.com/docker/compose/labels/status%2F0-triage ?
Bump, I am running into the same problem. When moving the secret definition one to one into the main file, the file is valid, but in the included file it is not. My composefile also validates properly if the environment variable in the secret does not exist
Also the PR seems only mildly related.
Bump, It makes me downgrade Docker too often these days and creates a feeling that I am using a third party plugin of Docker not a Docker core product. Three minor versions with no fix nor addressing of problem 😞.
Open to provide more examples, but I feel that upper post is explaining extremely well.
The fix is here https://github.com/compose-spec/compose-go/pull/669 , waiting for review/approve from @ndeloof
The fix is here compose-spec/compose-go#669 , waiting for review/approve from @ndeloof
This is a regression, therefore to my knowledge a good fix would find the commit where the bug started occurring and revert that change.
@mTsBucy1 regression was introduced by a commit which is a fix for another issue. Considering a "revert on bug" strategy would prevent we move forward with Compose codebase, and is a pretty naive approach to software engineering imho
@ndeloof what do you think about this fix https://github.com/compose-spec/compose-go/pull/669 ? I can try to fix it using other ways if you don't like this one
@idsulik sounds good to me, I don't think we have a better option with current compose-go architecture.