
Feature request: ability to use docker compose secrets with read only rootfs #12303

Closed
rickknowles-hikari opened this issue Nov 17, 2024 · 1 comment

Comments

@rickknowles-hikari

Description

Hi,

cross posted from here as suggested by @meyay

Docker's read only rootfs option and the docker compose "mimic" of the swarm secrets feature are both excellent ways of securing containers, and I use them both wherever possible.

The trouble is they seem impossible to use together. I think the reason for this is that the set of secrets being exposed at the /run/secrets folder doesn't appear to be implemented as a faked volume; rather, they seem to be copied into the rootfs on creation when first launched. This results in the copy attempt being rejected like this:

```text
⠋ Container server-setup-redis-1 Creating
Error response from daemon: container rootfs is marked read-only
```

For reference, my compose looked like this:

```yaml
services:
  redis:
    image: redis:latest
    read_only: true
    volumes:
      - /efs/data:/data
    ports: ["6379"]
    command: /bin/sh -c "redis-server --requirepass `cat /run/secrets/redis-password`"
    secrets:
      - redis-password
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "redis-cli --pass `cat /run/secrets/redis-password` ping | grep PONG",
        ]
      interval: 1s
      timeout: 1s
      retries: 200

secrets:
  redis-password:
    environment: REDIS_PASSWORD
```

I've tried adding tmpfs volume mounts to the /run/secrets location and /run location, but these don't have any effect either.

Would it be possible to either
a) allow tmpfs mounting underneath these secrets in /run/secrets, or
b) switch the secrets-exposing implementation to a faked volume folder at /run/secrets,

so they can be used in combination with a read-only rootfs? Please?

Thank you

@ndeloof
Contributor

ndeloof commented Nov 18, 2024

Closing as a duplicate of #12031
