getsops/sops

Can't use docker compose and sops together

AdoPi opened this issue · 3 comments

I can't use docker compose and sops together, I don't know why

sops exec-file file.env "docker compose --env-file {} up -d"

hangs forever, but this works:

sops exec-file file.env "cat {}"

I've tried to use Podman instead of Docker and it worked, but I need to use Docker, not Podman.

Does anyone know what is going on?

This is very strange indeed, it was baffling me as well (I even figured out which exact line of Docker Compose it's hanging in: https://github.com/docker/compose/blob/3371227794f5f3645f4f19829c60a741635ed329/cmd/compose/compose.go#L605), when I finally realized what's happening:

Instead of writing the secrets on disk, sops exec-file uses a FIFO (unless you specify --no-fifo), also known as a named pipe. The downside is that you can only read that file once. Apparently Compose tries to read it multiple times, which results in Compose hanging when trying to read it again.

If you simply add --no-fifo, it works fine: sops exec-file --no-fifo file.env "docker compose --env-file {} up -d"

I created a bug in the Compose repo: docker/compose#11656. It would be nice if a named pipe could be used instead of having to write the decrypted file on disk.
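The hang described above can be reproduced without sops or Compose at all. The following POSIX shell script is an added example (not code from the sops or Compose projects); it stands in for the two behaviours: a one-shot writer into a named pipe (what sops exec-file does by default) versus a regular file (what --no-fifo gives you), each read twice by a consumer, the way Compose reads its --env-file. The env line and the one-second deadline are constructed for the demo. A second open() on a FIFO that no longer has a writer blocks indefinitely, which is exactly the symptom in the issue; the script releases its stuck reader by briefly opening the pipe for writing, a trick Compose of course does not perform.

```shell
#!/bin/sh
# Demonstrates why a named pipe (sops exec-file default) hangs a consumer
# that opens its env file twice, while a regular file (--no-fifo) does not.
# Constructed example: the env line below is a made-up value, not a secret.

SAMPLE_ENV='DB_PASSWORD=constructed-example-value'

# read_with_deadline FILE MARKER
# Reads FILE to EOF in the background and waits about one second. Prints
# "read" if the reader finished, "blocked" if it was still stuck in open().
read_with_deadline() {
    target=$1
    marker=$2
    rm -f "$marker"
    ( cat "$target" >/dev/null 2>&1; : > "$marker" ) &
    pid=$!
    sleep 1
    if [ -e "$marker" ]; then
        result=read
    else
        result=blocked
        # Release the stuck reader: opening the FIFO for writing and closing
        # it immediately lets the pending open() return and cat see EOF.
        # Only ever reached for a FIFO, so no regular file gets truncated.
        : > "$target"
    fi
    wait "$pid" 2>/dev/null || true
    rm -f "$marker"
    echo "$result"
}

# Emulates 'sops exec-file --no-fifo': decrypted content sits in a regular
# temporary file, so every open() of it succeeds. Expected: "read,read".
read_twice_regular_file() {
    dir=$(mktemp -d)
    file="$dir/env"
    printf '%s\n' "$SAMPLE_ENV" > "$file"
    first=$(read_with_deadline "$file" "$dir/m1")
    second=$(read_with_deadline "$file" "$dir/m2")
    rm -rf "$dir"
    echo "$first,$second"
}

# Emulates the default: a single writer pushes the content through a named
# pipe exactly once. The first reader drains it; the second blocks forever
# in open() because no writer will ever come back. Expected: "read,blocked".
read_twice_fifo() {
    dir=$(mktemp -d)
    fifo="$dir/env.fifo"
    mkfifo "$fifo"
    # One-shot writer in the background, like the write sops performs.
    printf '%s\n' "$SAMPLE_ENV" > "$fifo" &
    first=$(read_with_deadline "$fifo" "$dir/m1")
    second=$(read_with_deadline "$fifo" "$dir/m2")
    rm -rf "$dir"
    echo "$first,$second"
}

printf 'regular file, read twice: %s\n' "$(read_twice_regular_file)"
printf 'FIFO, read twice:         %s\n' "$(read_twice_fifo)"
```

Run it with `sh fifo-demo.sh`. The second line shows the "blocked" result that, in the real setup, appears as Compose hanging; with --no-fifo the decrypted env file is an ordinary file, so remember to clean it up (sops does so when the child exits) and keep it on a filesystem with appropriate permissions, since the trade-off for the fix is that the plaintext briefly touches disk.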

Thanks a lot for your detailed answer!