
Is there a way to specify the UID of secrets when using Docker Swarm with the sysbox runtime


I am trying to use Docker Swarm with the sysbox runtime. For one of my services I want to set the UID for a secret mount:

services:
  service1:
    secrets:
      - source: secretname
        # Long-form secret reference: uid/gid/mode are honoured by the default runtime
        uid: "1234"

# Top-level secret definition (added for completeness; the original excerpt omitted it)
secrets:
  secretname:
    external: true

This used to work with the normal Docker runtime. It does, however, not have any effect when using the sysbox runtime. The secret is mounted as user 'nobody'. I assume this is because of sysbox using ID-mapped mounts.

Is there still a way to specify uid, gid and mode for secret mounts when using sysbox?


Solution

  • (answering my own question after getting help from Cesar Talledo via the Nestybox-Support Slack workspace)

    Secrets are mounted in a tmpfs filesystem. Running findmnt confirms this:

    ├─/run/secrets/secret_name     tmpfs[/te7tlwvwcrcyska47ga4vaj8i]             tmpfs    ro,relatime
    

    Sysbox tries to use id-mapped mounts on top of that tmpfs mount, but id-mapped mounts are not supported on tmpfs until kernel 6.3+. I am using WSL2 with a kernel version of 5.15.

    To get configurable UIDs to work you either need to:

    • Upgrade the kernel to 6.3+
    • Use the shiftfs kernel module (which provides an alternative form of idmapping that works on tmpfs)

    As I am using WSL, neither option seems to be possible right now:

    • Max kernel version of WSL2 at time of writing is 6.1
    • Installing out-of-tree kernel modules does not seem to be possible
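A small host check that follows the reasoning in the answer above, written as an added example for this page (it is not code from the original post, from Nestybox or from Docker). It parses the running kernel version and reports whether tmpfs id-mapped mounts can be expected (6.3 or newer, as the answer states), whether a shiftfs module is visible to the kernel, and what filesystem actually backs a secret mount. The secret path `/run/secrets/secretname` and the `6.3` threshold are taken from the answer; the function names are the example's own.

```shell
#!/bin/sh
# Added example: can this host honour uid/gid/mode on Swarm secret mounts under sysbox?
# Run it on the Docker host (or inside the sysbox container for the findmnt part).

# Return 0 when a kernel version string ("major.minor[.patch][-suffix]") is >= 6.3,
# the first mainline release with id-mapped mount support on tmpfs (per the answer).
tmpfs_idmap_supported() {
    ver="$1"
    # Strip anything after the first non-digit so "6.3-rc1" and
    # "5.15.90.1-microsoft-standard-WSL2" both parse cleanly.
    major=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$ver" | cut -d. -s -f2 | sed 's/[^0-9].*//')
    major=${major:-0}
    minor=${minor:-0}
    if [ "$major" -gt 6 ]; then
        return 0
    fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 3 ]; then
        return 0
    fi
    return 1
}

# Return 0 when the kernel already knows about shiftfs (built in or loaded)
# or a shiftfs module is installed and could be loaded.
shiftfs_available() {
    grep -qw shiftfs /proc/filesystems 2>/dev/null && return 0
    modinfo shiftfs >/dev/null 2>&1
}

# Print the filesystem type backing a secret mount (expected: tmpfs).
# Usage: secret_mount_fstype /run/secrets/secretname
secret_mount_fstype() {
    findmnt -n -o FSTYPE --target "$1" 2>/dev/null
}

# Human-readable summary for the running host.
# Prints one verdict line and returns 0 if configurable UIDs should work.
report_secret_uid_support() {
    kver=$(uname -r)
    if tmpfs_idmap_supported "$kver"; then
        echo "kernel $kver: tmpfs id-mapped mounts supported; secret uid/gid/mode should work"
        return 0
    fi
    if shiftfs_available; then
        echo "kernel $kver: no tmpfs id-mapping, but shiftfs is available; sysbox can use it"
        return 0
    fi
    echo "kernel $kver: no tmpfs id-mapping and no shiftfs; secrets will appear owned by nobody"
    return 1
}

# Only run the report when executed directly, not when sourced for its functions.
case "$0" in
    *sh) ;;
    *) report_secret_uid_support
       fstype=$(secret_mount_fstype /run/secrets/secretname)
       [ -n "$fstype" ] && echo "/run/secrets/secretname is backed by: $fstype" ;;
esac
```

On the WSL2 5.15 kernel from the question this prints the last verdict line and exits 1, which matches the behaviour observed there; on a 6.3+ kernel, or on a host where `modinfo shiftfs` succeeds, it exits 0. The check is a prerequisite test only: sysbox still has to be configured to use shiftfs, and an upgraded kernel must actually be the one the WSL distribution boots.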