Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update config/secret handling: Copy files into containers instead of bind mounting #11984

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update config/secret handling: Copy files into containers instead of bind mounting #11984

wants to merge 1 commit into from
+64 −86

Conversation

schaubl
Copy link

@schaubl schaubl commented Jul 16, 2024

Currently, Docker Compose copies a config or secret into the container if the source is an environment variable or inlined content. However, if the source is a file, the file is bind mounted into the container. This approach fails when Docker Compose is invoked on a different filesystem than the Docker daemon host filesystem (e.g., when called from within a container or remotely using the -H option).

This PR changes the behavior for file-based config/secret sources to match the handling of environment variables and inlined content. Specifically, it reads the file from the filesystem where Docker Compose is executed (like Docker Stack) and copies it into the container.

This update enhances the functionality of Docker Compose when run "remotely," providing the ability to push configuration files, a feature previously available only with Docker Stack/Swarm.

What I did:

  • Updated the behavior for handling configs and secrets sourced from files.
  • Ensured consistency with the documentation and the behavior of Docker Stack.
  • Enabled Docker Compose to push configuration files when run remotely, aligning with Docker Stack/Swarm capabilities.

@schaubl schaubl force-pushed the fix-configs-secrets branch 3 times, most recently from ba3915c to c08e5c8 Compare July 16, 2024 11:54
@schaubl schaubl mentioned this pull request Jul 17, 2024
Open
@schaubl
Copy link
Author

schaubl commented Jul 17, 2024

I realized that this PR is a duplicate of #11871.

I think the PR #11871 could benefit from the changes in the file pkg/compose/create.go made in this PR.
It basically keeps some checks and adds a preflight check to ensure the file used as the source for config/secret can be accessed so that if it's not the case it will fail before creating the container.

I will also add this suggestion in a comment on #11871.

@schaubl schaubl mentioned this pull request Jul 17, 2024
Closed
ndeloof
ndeloof reviewed Sep 17, 2024
View reviewed changes
Copy link
Contributor

@ndeloof ndeloof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One challenge we need to address here is that we have some users who rely on bind mounts being used. While a simple workaround is for them to declare an explicit bind mount, this would still be a breaking change.

pkg/compose/secrets.go
}
content = env
} else if file.File != "" {
data, err := os.ReadFile(file.File)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

file can actually be a folder. Need to change logic here to produce tar, not just extract content

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ndeloof ndeloof ndeloof left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@schaubl @ndeloof