docker-compose config : "mode" does not match permission within the container

Question

I am puzzled about the odd behavior of docker + compose (in a swarm environnement) when using config.

Basically, I have this setup :

version: '3.6'

configs:
   users777.xml:
     file: "./users.xml"
   users666.xml:
     file: "./users.xml"
   users644.xml:
     file: "./users.xml"
   users444.xml:
     file: "./users.xml"
   users400.xml:
     file: "./users.xml"


services:
   ubuntu:
     image: ubuntu:18.04
     configs:
     - source: users777.xml
       target: /app/geoserver/data/security/usergroup/default/users777.xml
       uid: '10000'
       gid: '10000'
       mode: 777
     - source: users666.xml
       target: /app/geoserver/data/security/usergroup/default/users666.xml
       uid: '10000'
       gid: '10000'
       mode: 666
     - source: users644.xml
       target: /app/geoserver/data/security/usergroup/default/users644.xml
       uid: '10000'
       gid: '10000'
       mode: 644
     - source: users444.xml
       target: /app/geoserver/data/security/usergroup/default/users444.xml
       uid: '10000'
       gid: '10000'
       mode: 444
     - source: users400.xml
       target: /app/geoserver/data/security/usergroup/default/users400.xml
       uid: '10000'
       gid: '10000'
       mode: 400
     command: tail -F anything

I expected the "mode" to be the exact result within the resulting container... I thus started the stack (docker stack deploy...)... and noticed it was not :

root@2af60b451971:/app/geoserver/data/security/usergroup/default# ll
total 28
-rw--w---- 1 10000 10000  285 Dec 18 15:26 users400.xml
-rw-rwxr-- 1 10000 10000  285 Dec 18 15:26 users444.xml*
--w----r-- 1 10000 10000  285 Dec 18 15:26 users644.xml
--w--wx-w- 1 10000 10000  285 Dec 18 15:26 users666.xml*
-r----x--x 1 10000 10000  285 Dec 18 15:26 users777.xml*

Some pieces of information that my help :

• The umask (provided it is part of the problem) inside the container is "0022".
• I have tried to change the source file (./users.xml) rights from 444 to 666, up to 777 : no changes here
• the directory within the container does not exist, and is thus created by the config set up.
• Docker version 19.03.6, build 369ce74a3c
• docker-compose version 1.21.0, build unknown
• I have tried it on 2 different hosts, with same result : Ubuntu 19.10 and RHEL 7.4
• the container runs as "root", but I also tried with a container running as user 10000 with same result

The doc does not seem to answer the "why" here (or not in a way I understand).

This may be obvious, but that I may need some explanation here. Anyone?

Answer 1

Actualy it works correct, if you add a leading 0 to the mode values:

400 -> 0400
444 -> 0444
644 -> 0644
666 -> 0666
777 -> 0777

I corrected the modes of your compose.yml and deployed it as stack "config". The permission mask is as expected:

me:~$ docker exec -ti $(docker ps -q --filter name=config_ubuntu) ls -l /app/geoserver/data/security/usergroup/default
total 20
-r-------- 1 10000 10000 5 Dec 19 21:06 users400.xml
-r--r--r-- 1 10000 10000 5 Dec 19 21:06 users444.xml
-rw-r--r-- 1 10000 10000 5 Dec 19 21:06 users644.xml
-rw-rw-rw- 1 10000 10000 5 Dec 19 21:06 users666.xml
-rwxrwxrwx 1 10000 10000 5 Dec 19 21:06 users777.xml

Though, bare in mind that configs and secrets are always mounted as read-only!