
Secrets fail to set the `uid`, `gid` and `mode` specified in `docker-compose.yml`

Mar 14, 2026

Problem

Description

Docker secrets specified using the long syntax for the `docker-compose.yml` file fail to set the specified `uid`, `gid` and `mode`. Also, from the docs, the default value of the `uid` and `gid` fields should be the user that runs the container; however, the value remains whatever was set on the host machine.

Steps to reproduce the issue:

1. Create a `Dockerfile` [code block]
2. Create a `docker-compose.yml` [code block]
3. Create a text file for secrets (`somefile.txt`) [code block]
4. Run the service: `docker compose run secrets-tester`

Describe the results you received:

Received Output: [code block]

Describe the results you expected:

Expected Output: [code block]

Additional information you deem important (e.g. issue happens only occasionally):

Same behavior is observed in these cases:

1. Without creating the `tester` user
2. With same `source` and `target` names for the file in `docker-compose.yml`
3. Using the `uid` and `gid` for `root`
4. Using random values for `uid` and `gid`
5. Different values for `mode`

Output of `docker compose version`: [code block]

Output of `docker info`: [code block]

Additional environment details:


Fix

Fix Docker Secrets UID, GID, and Mode Configuration Issue

Medium Risk

The issue arises because Docker secrets do not respect the `uid`, `gid`, and `mode` specified in the `docker-compose.yml` file when using the long syntax. Instead, the mounted file keeps the ownership and permissions it has on the host machine, so when the container runs under a different user context the process may be unable to read the secret, or the file may be readable by users it was not intended for.


1. Update Dockerfile to Set User

    Ensure that the Dockerfile specifies the user to run the container. This helps in aligning the `uid` and `gid` with the expected values in the secrets configuration. Give the group and user fixed numeric ids; `addgroup -S`/`adduser -S` without `-g`/`-u` would otherwise pick system ids that do not match the values declared for the secret.

    ```dockerfile
    FROM alpine
    # Create the group and user with fixed numeric ids so they match the
    # uid/gid declared for the secret in docker-compose.yml (1000 here).
    RUN addgroup -S -g 1000 tester && adduser -S -u 1000 -G tester tester
    # Run the container process as that user.
    USER tester
    ```
2. Modify docker-compose.yml for Secrets

    Update the `docker-compose.yml` file to explicitly set the `uid`, `gid`, and `mode` for the secrets. Ensure that these values are correctly defined under the `secrets` section of the service, and that the service builds from the Dockerfile of step 1 so that the numeric ids line up.

    ```yaml
    version: '3.8'
    services:
      secrets-tester:
        # Build from the Dockerfile in this directory; the image name is a placeholder.
        build: .
        image: your-image
        secrets:
          - source: somefile
            target: somefile.txt
            # Numeric ids of the user created in the Dockerfile; given as strings.
            uid: '1000'
            gid: '1000'
            # Octal file mode as a string: owner read-only.
            mode: '0400'
    secrets:
      somefile:
        file: ./somefile.txt
    ```
3. Rebuild and Run the Docker Compose

    Rebuild the Docker images and run the Docker Compose to apply the changes made in the previous steps. This ensures that the updated configurations take effect.

    ```bash
    docker-compose up --build
    ```
4. Verify Permissions Inside the Container

    After running the service, enter the container and check the permissions of the secret file to confirm that the `uid`, `gid`, and `mode` are set as specified. `ls -ln` prints the numeric owner and group ids, which is what the compose file declares; plain `ls -l` prints names, which are not defined in the container if the user was not created there.

    ```bash
    # Requires the service from step 3 to be running; for a one-off container use
    # `docker-compose run --rm secrets-tester ls -ln /path/to/somefile.txt` instead.
    docker-compose exec secrets-tester ls -ln /path/to/somefile.txt
    ```
5. Test with Different Values

    To ensure that the fix is robust, test with various `uid`, `gid`, and `mode` values to confirm that the changes are respected consistently: modify `docker-compose.yml` with different `uid`, `gid`, and `mode` values and repeat steps 3 and 4.

Validation

Confirm that the permissions of the secret file inside the container match the specified `uid`, `gid`, and `mode` in the `docker-compose.yml`. The output of the `ls -l` command (or `ls -ln` for numeric ids) should reflect the correct values.
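As an added example (not part of this page or the fix submitter's steps), the following POSIX shell script performs the validation above inside the container in a form that can be scripted rather than read off `ls -l`: it reads the numeric uid, gid and octal mode of the mounted secret with `stat` and compares them with the values declared in `docker-compose.yml`, accepting `0400` and `400` as the same mode. The path `/run/secrets/somefile.txt` (where Compose places a relative `target`), the ids `1000`/`1000` and the mode `0400` are assumptions taken from the steps above; it assumes a Linux container with GNU or busybox (Alpine) `stat`.

```shell
#!/bin/sh
# Added example: verify that a secret file inside the container carries the
# uid, gid and mode requested in docker-compose.yml. Not code from the
# original page or the fix submitter. Assumes a Linux container with GNU or
# busybox (Alpine) stat; the path /run/secrets/somefile.txt and the values
# 1000/1000/0400 used in the usage line are assumptions taken from the fix.

# Strip leading zeros so "0400" and "400" compare equal; an empty result means 0.
norm_mode() {
    m=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${m:-0}"
}

# verify_secret_file PATH EXPECTED_UID EXPECTED_GID EXPECTED_MODE
# Prints one line per mismatch, or "OK ..." when all three match, and returns
# 0 on success and 1 on any mismatch or a missing file.
verify_secret_file() {
    path=$1; want_uid=$2; want_gid=$3; want_mode=$(norm_mode "$4")
    if [ ! -e "$path" ]; then
        echo "MISSING: $path"
        return 1
    fi
    # %u/%g are the numeric owner/group, %a is the octal mode without leading 0.
    set -- $(stat -c '%u %g %a' "$path")
    got_uid=$1; got_gid=$2; got_mode=$(norm_mode "$3")
    status=0
    if [ "$got_uid" != "$want_uid" ]; then
        echo "uid mismatch on $path: got $got_uid, want $want_uid"; status=1
    fi
    if [ "$got_gid" != "$want_gid" ]; then
        echo "gid mismatch on $path: got $got_gid, want $want_gid"; status=1
    fi
    if [ "$got_mode" != "$want_mode" ]; then
        echo "mode mismatch on $path: got $got_mode, want $want_mode"; status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $path uid=$got_uid gid=$got_gid mode=$got_mode"
    fi
    return "$status"
}

# Stand-alone use inside the service container, for example:
#   docker compose exec secrets-tester sh check_secret.sh /run/secrets/somefile.txt 1000 1000 0400
if [ "$#" -eq 4 ]; then
    verify_secret_file "$@"
fi
```

Copy the script into the image (or bind-mount it) and run it with `docker compose exec` or `docker compose run --rm`; a non-zero exit status makes the check usable from CI, so a Compose or Docker upgrade that silently stops honouring `uid`, `gid` or `mode` fails the pipeline instead of going unnoticed.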


Submitted by: Alex Chen

Tags: docker, docker-compose, containers