terraform-provider-docker
service secret/config file_mode interpreted as decimal instead of octal
This issue was originally opened by @tomalok as https://github.com/hashicorp/terraform-provider-docker/issues/247. It was migrated here as a result of the community provider takeover from @kreuzwerker. The original body of the issue is below.
Terraform Version
Terraform v0.12.23
provider.docker: version = "~> 2.7" (v2.7.0)
Affected Resource(s)
Please list the resources as a list, for example:
docker_service
Terraform Configuration Files
resource "docker_service" "foo" {
  ...
  task_spec {
    ...
    container_spec {
      secrets {
        secret_id = "..."
        secret_name = "foo_pw__1"
        file_name = "/run/secrets/foo_pw"
        file_uid = "100"
        file_gid = "101"
        file_mode = "0440"
      }
    }
  }
}
Plan Output
secrets {
file_gid = "101"
file_mode = 440
file_name = "/run/secrets/foo_pw"
file_uid = "100"
secret_id = "..."
secret_name = "foo_pw__1"
}
Expected Behavior
file_mode probably should have remained a string "0440" or have been converted from octal to decimal.
https://docs.docker.com/engine/reference/commandline/service_create/#create-a-service-with-secrets indicates that the secret's and config's mode= value should be a 4-number sequence, and explicitly shows a leading 0.
Actual Behavior
The integer 440 was used as the file_mode value, which corresponds to 0670 octal -- which is not correct.
It's also interesting to note that file_gid and file_uid get preserved as strings, but file_mode does not.
Temporary Workaround
Using a decimal value (i.e. 288 instead of 0440) does the trick -- but this is counter-intuitive with the firmly-entrenched decades-old tradition of specifying mode in octal.
This issue is stale because it has been open 60 days with no activity.
Remove stale label or comment or this will be closed in 7 days.
If you don't want this issue to be closed, please set the label pinned.
To my knowledge this hasn't yet been addressed.
I could reproduce the problem.
$ terraform version
Terraform v0.14.9
+ provider registry.terraform.io/kreuzwerker/docker v2.11.0
terraform {
  required_providers {
    docker = {
      source = "kreuzwerker/docker"
      version = "2.11.0"
    }
  }
}
provider "docker" {
}
resource "docker_service" "foo" {
  name = "foo-service"
  task_spec {
    container_spec {
      image = "nginx"
      configs {
        config_id = docker_config.service_config.id
        config_name = docker_config.service_config.name
        file_name = "/configs.json"
        file_mode = "0440"
      }
    }
  }
}
resource "docker_config" "service_config" {
  name = "tftest-full-myconfig"
  data = "ewogICJwcmVmaXgiOiAiMTIzIgp9"
}
$ terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# docker_config.service_config will be created
+ resource "docker_config" "service_config" {
+ data = (sensitive value)
+ id = (known after apply)
+ name = "tftest-full-myconfig"
}
# docker_service.foo will be created
+ resource "docker_service" "foo" {
+ id = (known after apply)
+ name = "foo-service"
+ endpoint_spec {
+ mode = (known after apply)
+ ports {
+ name = (known after apply)
+ protocol = (known after apply)
+ publish_mode = (known after apply)
+ published_port = (known after apply)
+ target_port = (known after apply)
}
}
+ labels {
+ label = (known after apply)
+ value = (known after apply)
}
+ mode {
+ global = (known after apply)
+ replicated {
+ replicas = (known after apply)
}
}
+ task_spec {
+ force_update = (known after apply)
+ restart_policy = (known after apply)
+ runtime = (known after apply)
+ container_spec {
+ image = "nginx"
+ isolation = "default"
+ stop_grace_period = (known after apply)
+ configs {
+ config_id = (known after apply)
+ config_name = "tftest-full-myconfig"
+ file_gid = "0"
+ file_mode = 440
+ file_name = "/configs.json"
+ file_uid = "0"
}
+ dns_config {
+ nameservers = (known after apply)
+ options = (known after apply)
+ search = (known after apply)
}
+ healthcheck {
+ interval = (known after apply)
+ retries = (known after apply)
+ start_period = (known after apply)
+ test = (known after apply)
+ timeout = (known after apply)
}
}
+ placement {
+ constraints = (known after apply)
+ max_replicas = (known after apply)
+ prefs = (known after apply)
+ platforms {
+ architecture = (known after apply)
+ os = (known after apply)
}
}
+ resources {
+ limits {
+ memory_bytes = (known after apply)
+ nano_cpus = (known after apply)
+ generic_resources {
+ discrete_resources_spec = (known after apply)
+ named_resources_spec = (known after apply)
}
}
+ reservation {
+ memory_bytes = (known after apply)
+ nano_cpus = (known after apply)
+ generic_resources {
+ discrete_resources_spec = (known after apply)
+ named_resources_spec = (known after apply)
}
}
}
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
docker_config.service_config: Creating...
docker_config.service_config: Creation complete after 0s [id=oty559fret6tso86voqzbvn9w]
docker_service.foo: Creating...
docker_service.foo: Creation complete after 9s [id=1gsgmzsl31kv4ti046nz6l7is]
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
+ configs {
+ config_id = (known after apply)
+ config_name = "tftest-full-myconfig"
+ file_gid = "0"
+ file_mode = 440
+ file_name = "/configs.json"
+ file_uid = "0"
}
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
47da7f8c35a8 nginx:latest "/docker-entrypoint.…" 30 seconds ago Up 29 seconds 80/tcp foo-service.1.bx3u1h8z0c96q3z33qw1sukgy
$ docker exec 47da7f8c35a8 ls -lh /configs.json
-rw-rwx--- 1 root root 21 Mar 30 00:06 /configs.json
The permission of /configs.json is not 0440 but -rw-rwx--- (0670).
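The arithmetic behind the report, as an added Go example that is not part of the issue thread or the provider's source: it models the symptom (the digits of file_mode read as base 10) and reports which permission bits end up granted beyond the intended octal mode, plus the decimal value the workaround needs. The function names and the sample mode list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// parsePerm reads the file_mode digits in the given base and keeps the nine
// permission bits (higher bits are dropped here for display).
func parsePerm(written string, base int) (os.FileMode, error) {
	n, err := strconv.ParseUint(written, base, 32)
	if err != nil {
		return 0, fmt.Errorf("file_mode %q: %v", written, err)
	}
	return os.FileMode(n) & os.ModePerm, nil
}

// effectiveMode models the reported symptom: digits read as base 10.
// Assumption: this mirrors the observed result, not the provider's source.
func effectiveMode(written string) (os.FileMode, error) { return parsePerm(written, 10) }

// intendedMode reads the same digits the way chmod does: base 8.
func intendedMode(written string) (os.FileMode, error) { return parsePerm(written, 8) }

// extraBits returns the permissions granted beyond the intended ones.
func extraBits(written string) (os.FileMode, error) {
	eff, err := effectiveMode(written)
	if err != nil {
		return 0, err
	}
	want, err := intendedMode(written)
	if err != nil {
		return 0, err
	}
	return eff &^ want, nil
}

// workaroundValue is the decimal number that produces the intended mode.
func workaroundValue(written string) (uint64, error) { return strconv.ParseUint(written, 8, 32) }

func main() {
	for _, m := range []string{"0400", "0440", "0600", "0644"} { // constructed samples
		eff, _ := effectiveMode(m)
		want, _ := intendedMode(m)
		extra, _ := extraBits(m)
		dec, _ := workaroundValue(m)
		fmt.Printf("%s intended=%v effective=%v extra=%v decimal=%d\n", m, want, eff, extra, dec)
	}
}
```

For "0440" the effective mode renders as -rw-rwx---, matching the ls output above, and the extra bits are owner write plus group write and execute on a file meant to be read-only.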
Confirmed that this is still broken with the latest terraform & latest docker provider...
jake@jimini mode % terraform version
Terraform v0.15.4
on darwin_amd64
+ provider registry.terraform.io/kreuzwerker/docker v2.12.2