Secrets not working on Windows (can't bind .netrc)
Description
I'm trying to bind my .netrc file in my user folder in windows as a secret for my images. But whatever I try I cannot get it to work.
docker-compose.yml
version: "3.9"
services:
  app:
    build:
      context: .
      dockerfile: ./Dockerfile
    restart: always
    depends_on:
      - app2
    secrets:
      - source: myfile
        target: /.netrc
  app2:
    image: hello-world:latest
    restart: always
secrets:
  myfile:
    file: c:/Users/AndreJohansson/.netrc
Dockerfile
# syntax = docker/dockerfile:1.0-experimental
FROM hello-world:latest
RUN -mount=type=secret,id=myfile cat /.netrc
CMD ["/hello"]
Steps to reproduce the issue:
Using powershell core
- Run cat to verify file path and contents:
  cat c:/Users/AndreJohansson/.netrc
- Set buildkit (seems necessary according to some comments):
  $env:DOCKER_BUILDKIT=1
- Using the files mentioned above, run:
  docker-compose -f docker-compose.yml up --build
Describe the results you received:
I get an error saying that the file does not exist:
#9 [2/2] RUN -mount=type=secret,id=myfile cat /.netrc
#9 sha256:4ac1a1e3724f30c7de36b11ee07f24a9dcc78548c3dbb748426a318a8105c1c3
#9 0.422 container_linux.go:380: starting container process caused: exec: "/bin/sh": stat /bin/sh: no such file or directory
#9 ERROR: executor failed running [/bin/sh -c -mount=type=secret,id=myfile cat /.netrc]: exit code: 1
------
> [2/2] RUN -mount=type=secret,id=myfile cat /.netrc:
------
failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c -mount=type=secret,id=myfile cat /.netrc]: exit code: 1
Describe the results you expected:
I expected /.netrc in the container to have the same contents as my host userprofile .netrc (c:/Users/AndreJohansson/.netrc).
Additional information you deem important:
- I have tried multiple paths (like /root/.netrc and others)
- I have tried both v1 (version 1.29.2, build 5becea4c) and v2 of docker compose
- I have tried both with and without the experimental line: # syntax = docker/dockerfile:1.0-experimental in the dockerfile
- I have tried different versions of the docker-compose file (from 3.3 and up)
- I have tried running as administrator
- I have tried running in cmd instead of powershell core
Docker desktop versions
Version 4.5.1 (74721)
Engine: 20.10.12
Compose: v2.2.3
Credential Helper: 0.6.4
Kubernetes: v1.22.5
Snyk: v1.827.0
Output of docker compose version:
❯ docker compose version
Docker Compose version v2.2.3
❯ docker-compose --version
Docker Compose version v2.2.3
Output of docker info:
❯ docker info
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.7.1)
compose: Docker Compose (Docker Inc., v2.2.3)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 36
Running: 33
Paused: 0
Stopped: 3
Images: 15
Server Version: 20.10.12
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc version: v1.0.2-0-g52b36a2
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 5.10.60.1-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 15.49GiB
Name: docker-desktop
ID: FV6V:VLCO:WKVR:IDKM:DPEJ:QYQB:PZZ4:7LEP:OTKT:V3EB:O3QX:BBUQ
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 157
Goroutines: 138
System Time: 2022-02-21T09:00:06.2850027Z
EventsListeners: 5
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5000
127.0.0.0/8
Live Restore Enabled: false
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
Additional environment details:
❯ systeminfo
OS Name: Microsoft Windows 11 Pro for Workstations
OS Version: 10.0.22000 N/A Build 22000
I'm having the same issue -- everything appears to run fine, but the file is not available for the build. I'm on MacOS 12.3. While the docs make this appear supported, these other issues make me think this isn't supported yet: #6358, #7046.
@bmorton if you are looking for the file after the build is completed then you won't find it. Secret is meant to be used only while building, and not in the final image.
To be precise, wherever docker sees a RUN --mount=type=secret,id=mysecret it mounts the file and unmounts it right before saving the layer. So it won't even be available in the layer after the layer is saved to disk.
@anujith-singh I think you're wrong. He does RUN -mount=type=secret,id=myfile cat /.netrc, and the mount should be available to the cat.
I can reproduce this issue on Ubuntu 22.04/WSL2.
Only modification file: ~/.netrc (which does exist).
$ DOCKER_BUILDKIT=1 docker-compose build
app2 uses an image, skipping
Building app
[+] Building 2.6s (9/9) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 38B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> resolve image config for docker.io/docker/dockerfile:1.0-experimental 0.5s
=> CACHED docker-image://docker.io/docker/dockerfile:1.0-experimental@sha256:cbd6491240cc8894d25e366ba83da19df1187f975dc3a5c2f88ce888ca696174 0.0s
=> [internal] load .dockerignore 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 38B 0.0s
=> [internal] load metadata for docker.io/library/hello-world:latest 1.5s
=> CACHED [1/2] FROM docker.io/library/hello-world:latest@sha256:7d246653d0511db2a6b2e0436cfd0e52ac8c066000264b3ce63331ac66dca625 0.0s
=> => resolve docker.io/library/hello-world:latest@sha256:7d246653d0511db2a6b2e0436cfd0e52ac8c066000264b3ce63331ac66dca625 0.0s
=> ERROR [2/2] RUN -mount=type=secret,id=myfile cat /.netrc 0.3s
------
> [2/2] RUN -mount=type=secret,id=myfile cat /.netrc:
#8 0.325 runc run failed: unable to start container process: exec: "/bin/sh": stat /bin/sh: no such file or directory
------
executor failed running [/bin/sh -c -mount=type=secret,id=myfile cat /.netrc]: exit code: 1
ERROR: Service 'app' failed to build : Build failed
At time of writing, https://github.com/docker/compose/issues/6358 and https://github.com/docker/compose/pull/7046, as mentioned by @bmorton, are closed.
❯ docker-compose --version Docker Compose version v2.2.3
@andrejohansson try to upgrade to docker compose v2.5.0
I'm on 1.29.2, hence also failing.
@andrejohansson try to place the secret definition under the build definition as explained in #9822. That will make it a build secret instead of a runtime secret.
build:
  ...
  secrets:
    - source: myfile
      target: /.netrc
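
A build-secret layout for the setup discussed in this thread, as an added example that is not code from the issue or from the Compose project. It assumes a Compose release that supports `dockerfile_inline` and uses `alpine` as a stand-in base image with a shell; the secret name and host path are the ones from the issue.

```yaml
# Added example (not from the thread): .netrc as a build-time secret.
services:
  app:
    build:
      context: .
      # Assumption: this Compose release supports dockerfile_inline;
      # otherwise put the same lines in ./Dockerfile.
      dockerfile_inline: |
        # syntax=docker/dockerfile:1
        # Assumption: alpine stands in for any base image that has /bin/sh.
        # hello-world has no shell, so no RUN step can execute in it.
        FROM alpine:3.19
        # --mount takes two dashes. With one dash the whole text is handed
        # to /bin/sh -c as the command, as the error log above shows.
        # test -s confirms the file is present and non-empty without
        # printing the credentials into the build log.
        RUN --mount=type=secret,id=myfile,target=/root/.netrc \
            test -s /root/.netrc
        CMD ["true"]
      secrets:
        - myfile   # build secret: exposed only to RUN --mount steps
    # A "secrets:" list at service level (outside build) is a runtime
    # secret instead, mounted at /run/secrets/myfile in the container.
secrets:
  myfile:
    file: c:/Users/AndreJohansson/.netrc
```

The mounted file exists only for the duration of that one RUN step and is not written into the image layer, so credentials used this way do not ship with the image.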