Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update config/secret handling: Copy files into containers instead of bind mounting #11984

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

schaubl
Copy link

@schaubl schaubl commented Jul 16, 2024

Currently, Docker Compose copies a config or secret into the container if the source is an environment variable or inlined content. However, if the source is a file, the file is bind mounted into the container. This approach fails when Docker Compose is invoked on a different filesystem than the Docker daemon host filesystem (e.g., when called from within a container or remotely using the -H option).

This PR changes the behavior for file-based config/secret sources to match the handling of environment variables and inlined content. Specifically, it reads the file from the filesystem where Docker Compose is executed (like Docker Stack) and copies it into the container.

This update enhances the functionality of Docker Compose when run "remotely," providing the ability to push configuration files, a feature previously available only with Docker Stack/Swarm.

What I did:

  • Updated the behavior for handling configs and secrets sourced from files.
  • Ensured consistency with the documentation and the behavior of Docker Stack.
  • Enabled Docker Compose to push configuration files when run remotely, aligning with Docker Stack/Swarm capabilities.

@schaubl
Copy link
Author

schaubl commented Jul 17, 2024

I realized that this PR is a duplicate of #11871.

I think the PR #11871 could benefit from the changes in the file pkg/compose/create.go made in this PR.
It basically keeps some checks and adds a preflight check to ensure the file used as the source for config/secret can be accessed so that if it's not the case it will fail before creating the container.

I will also add this suggestion in a comment on #11871.

Copy link
Contributor

@ndeloof ndeloof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One challenge we need to address here is that we have some users who rely on bind mounts being used. While a simple workaround is for them to declare an explicit bind mount, this would still be a breaking change.

}
content = env
} else if file.File != "" {
data, err := os.ReadFile(file.File)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

file can actually be a folder. Need to change logic here to produce tar, not just extract content

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants