I wasn't sure if this was the intended behaviour, but the mode option for configs and secrets may not actually result in what's specified, depending on the container's umask:
Steps to reproduce the issue:
Create a config and a secret;
echo "foo" | docker config create myconfig -
echo "foo" | docker secret create mysecret -
Create a service that uses those secrets, and sets mode to 0777;
docker service create \
--config source=myconfig,target=/hello/myconfig,mode=0777 \
--secret source=mysecret,target=/hello/mysecret,mode=0777 \
--name myservice \
nginx:alpine
Describe the results you received:
Observe that the permissions for both are 0755, not 0777:
docker exec myservice.1.1epd86ru6mgffjjy20i2ttesm ls -la /hello/
total 16
drwxr-xr-x 2 root root 4096 Jan 17 15:23 .
drwxr-xr-x 1 root root 4096 Jan 17 15:23 ..
-rwxr-xr-x 1 root root 4 Jan 17 15:23 myconfig
-rwxr-xr-x 1 root root 4 Jan 17 15:23 mysecret
The difference between the requested and actual permissions is explained by the umask inside the container;
docker exec myservice.1.1epd86ru6mgffjjy20i2ttesm sh -c 'umask'
0022
Also note that the writable bit is not very useful;
docker exec myservice.1.1epd86ru6mgffjjy20i2ttesm sh -c 'echo foo >> /hello/myconfig'
sh: can't create /hello/myconfig: Read-only file system
docker exec myservice.1.1epd86ru6mgffjjy20i2ttesm sh -c 'echo foo >> /hello/mysecret'
sh: can't create /hello/mysecret: Read-only file system
Describe the results you expected:
I expected the permissions to match the mode that was specified when creating the service, regardless of the umask inside the container.
Output of docker version:
Docker for Mac, but likely not relevant:
Client:
Version: 18.01.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: 03596f5
Built: Wed Jan 10 20:05:58 2018
OS/Arch: darwin/amd64
Experimental: true
Orchestrator: swarm
Server:
Engine:
Version: 18.01.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: 03596f5
Built: Wed Jan 10 20:13:12 2018
OS/Arch: linux/amd64
Experimental: true
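The general mechanism behind the 0777 versus 0755 result in this report, as an added example (not code from the issue or from Docker): the mode passed when a file is created is filtered by the process umask, while an explicit chmod afterwards sets the exact bits. The helper names and the scratch directory are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// writeWithMode (hypothetical helper) creates path with the requested mode.
// With enforce=false only open(2) sets the mode, so the umask clears bits.
func writeWithMode(path, data string, mode os.FileMode, enforce bool) (os.FileMode, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, mode)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	if _, err := f.WriteString(data); err != nil {
		return 0, err
	}
	if enforce {
		if err := f.Chmod(mode); err != nil { // fchmod(2) is not subject to the umask
			return 0, err
		}
	}
	fi, err := f.Stat()
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// demo requests 0777 under umask 0022, once without and once with the chmod.
func demo() (masked, exact os.FileMode, err error) {
	defer syscall.Umask(syscall.Umask(022)) // set 0022 now, restore on return
	dir, err := os.MkdirTemp("", "modedemo") // constructed scratch directory
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	if masked, err = writeWithMode(filepath.Join(dir, "masked"), "foo\n", 0777, false); err != nil {
		return 0, 0, err
	}
	exact, err = writeWithMode(filepath.Join(dir, "exact"), "foo\n", 0777, true)
	return masked, exact, err
}

func main() {
	fmt.Println(demo())
}
```

A umask can only clear permission bits, so a restrictive requested mode such as 0400 is unaffected by it; the mismatch shows up only when the requested mode includes bits that the umask masks out.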