Reputation: 817
I am trying to inject a secret file into a container by way of a compose file. After running podman-compose
the file exists within the container but the UID/GID settings are incorrect and I am unable to access the file.
Here is the testing snippet from my compose file for demonstration:
services:
  test-new_app:
    secrets:
      - source: id_rsa_pub
        target: /root/id_rsa.pub
...
secrets:
  id_rsa_pub:
    file: /home/refriedjello/.ssh/id_rsa.pub
Once inside the container these are the file stats:
app ~ # pwd
/root
app ~ # ls -altr | grep id_rsa.pub
ls: cannot access 'id_rsa.pub': Permission denied
-?????????? ? ? ? ? ? id_rsa.pub
If I try to set the mode/uid/gid values under the secrets definition for that service in my compose file, podman-compose returns this error:
WARNING: Service "test-new_app" uses secret "/root/id_rsa.pub" with uid, gid, or mode. These fields are not supported by this implementation of the Compose file
Here is the version of podman I am running:
$ podman -v
podman version 4.4.1
I don't understand the issue. In terms of supported fields for the compose file I am referencing this documentation:
https://github.com/compose-spec/compose-spec/blob/master/spec.md
Upvotes: 0
Views: 1468
Reputation: 2881
I am quite sure the issue is with SELinux labels. I did not find a way to add the z option like with volumes or get it working purely within the compose file.
I however found a way that is acceptable for me:
services:
  test-new_app:
    secrets:
      - source: id_rsa_pub
        target: /root/id_rsa.pub
...
secrets:
  id_rsa_pub:
    external: true
and created the secret by calling
podman secret create id_rsa_pub /home/refriedjello/.ssh/id_rsa.pub
Upvotes: 0
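With `external: true`, the secret has to be created separately from the compose file, as the answer above does by hand. The following pre-flight helper is an added example, not part of the original answer or of podman-compose; the function name `ensure_secret` is hypothetical, and it relies only on `podman secret inspect` and `podman secret create`.

```shell
#!/bin/sh
# Added example: create an external podman secret only if it is missing,
# so the step can be re-run safely ahead of `podman-compose up`.
#
# ensure_secret NAME FILE
#   returns 0 if the secret already exists or was created,
#           2 if FILE is missing or unreadable on the host,
#           1 if podman could not create the secret.
ensure_secret() {
    name=$1
    file=$2

    # Fail early with a clear message instead of a podman error later.
    if [ ! -r "$file" ]; then
        echo "ensure_secret: cannot read $file" >&2
        return 2
    fi

    # `podman secret inspect` exits non-zero when the secret does not exist.
    if podman secret inspect "$name" >/dev/null 2>&1; then
        echo "ensure_secret: secret $name already exists, leaving it as is" >&2
        return 0
    fi

    # The file content is copied into podman's secret store at this point;
    # later changes to FILE are not picked up automatically.
    if ! podman secret create "$name" "$file" >/dev/null; then
        echo "ensure_secret: podman failed to create $name" >&2
        return 1
    fi
    echo "ensure_secret: created secret $name from $file" >&2
    return 0
}

# Stand-alone use: ./ensure-secret.sh id_rsa_pub /home/refriedjello/.ssh/id_rsa.pub
if [ "$#" -ge 2 ]; then
    ensure_secret "$1" "$2"
fi
```

Because the secret holds a copy of the file taken at creation time, remove it with `podman secret rm` and run the helper again after the source file changes.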