I am puzzled about the odd behavior of docker + compose (in a swarm environment) when using config.
Basically, I have this setup:
version: '3.6'
configs:
  users777.xml:
    file: "./users.xml"
  users666.xml:
    file: "./users.xml"
  users644.xml:
    file: "./users.xml"
  users444.xml:
    file: "./users.xml"
  users400.xml:
    file: "./users.xml"
services:
  ubuntu:
    image: ubuntu:18.04
    configs:
      - source: users777.xml
        target: /app/geoserver/data/security/usergroup/default/users777.xml
        uid: '10000'
        gid: '10000'
        mode: 777
      - source: users666.xml
        target: /app/geoserver/data/security/usergroup/default/users666.xml
        uid: '10000'
        gid: '10000'
        mode: 666
      - source: users644.xml
        target: /app/geoserver/data/security/usergroup/default/users644.xml
        uid: '10000'
        gid: '10000'
        mode: 644
      - source: users444.xml
        target: /app/geoserver/data/security/usergroup/default/users444.xml
        uid: '10000'
        gid: '10000'
        mode: 444
      - source: users400.xml
        target: /app/geoserver/data/security/usergroup/default/users400.xml
        uid: '10000'
        gid: '10000'
        mode: 400
    command: tail -F anything
I expected the "mode" to be the exact result within the resulting container... I thus started the stack (docker stack deploy...)... and noticed it was not:
root@2af60b451971:/app/geoserver/data/security/usergroup/default# ll
total 28
-rw--w---- 1 10000 10000 285 Dec 18 15:26 users400.xml
-rw-rwxr-- 1 10000 10000 285 Dec 18 15:26 users444.xml*
--w----r-- 1 10000 10000 285 Dec 18 15:26 users644.xml
--w--wx-w- 1 10000 10000 285 Dec 18 15:26 users666.xml*
-r----x--x 1 10000 10000 285 Dec 18 15:26 users777.xml*
Some pieces of information that may help:
- The umask (provided it is part of the problem) inside the container is "0022".
- I have tried to change the source file (./users.xml) rights from 444 to 666, up to 777: no changes here
- the directory within the container does not exist, and is thus created by the config set up.
- Docker version 19.03.6, build 369ce74a3c
- docker-compose version 1.21.0, build unknown
- I have tried it on 2 different hosts, with the same result: Ubuntu 19.10 and RHEL 7.4
- the container runs as "root", but I also tried with a container running as user 10000 with same result
The doc does not seem to answer the "why" here (or not in a way I understand).
This may be obvious, but I may need some explanation here. Anyone?
Actually, it works correctly if you add a leading 0 to the mode values:
I corrected the modes of your compose.yml and deployed it as stack "config". The permission mask is as expected:
Though, bear in mind that configs and secrets are always mounted as read-only!
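
Why the listing in the question looks the way it does, as an added example that is not part of the original posts: a bare `777` in YAML is the decimal integer 777 (octal 1411), so the file gets `r----x--x` instead of `rwxrwxrwx`. The sketch below reproduces all five results from the question and flags mode lines written without a leading 0; the names `perms` and `lint_modes` are hypothetical, and it assumes unquoted integer modes only.

```python
import re
import stat

# Constructed sample: the five mode lines from the question's compose file.
SAMPLE = """\
        mode: 777
        mode: 666
        mode: 644
        mode: 444
        mode: 400
"""

# Assumption: only bare, unquoted integer modes are handled.
MODE_LINE = re.compile(r"^\s*mode:\s*(\d+)\s*$")


def perms(mode):
    """Render the low nine permission bits of a mode as an rwx string."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]


def lint_modes(compose_text):
    """Flag mode values written without a leading 0.

    Returns (line_no, token, effective, intended) tuples. 'effective' is what
    the file gets when the token is read as a decimal integer; 'intended' is
    the octal reading, or None when the token is not valid octal.
    """
    findings = []
    for line_no, line in enumerate(compose_text.splitlines(), 1):
        match = MODE_LINE.match(line)
        if not match or match.group(1).startswith("0"):
            continue
        token = match.group(1)
        effective = perms(int(token, 10))
        intended = perms(int(token, 8)) if re.fullmatch(r"[0-7]+", token) else None
        findings.append((line_no, token, effective, intended))
    return findings


if __name__ == "__main__":
    for line_no, token, effective, intended in lint_modes(SAMPLE):
        print(f"line {line_no}: mode {token} -> {effective} (wanted {intended}); write 0{token}")
```

Note that the intended read-only `444` and `400` come out owner-writable, and `666` ends up group-executable, which is why a check like this is worth running before deploying a stack.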