
`publish` reject compose file with bind mounts #12601

Merged
merged 1 commit into from
Mar 4, 2025

@ndeloof ndeloof commented Mar 4, 2025

What I did
publish reject compose file with bind mounts
Compose file authors should rely on volumes to prevent consumers from exposing personal data to a potentially untrusted compose stack

Related issue
https://docker.atlassian.net/browse/APCLI-878

(not mandatory) A picture of a cute animal, if possible in relation to what you did
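
As an added illustration (not code from this pull request or from Compose), the sketch below lists, per service, which short-syntax `volumes` entries are bind mounts and would therefore need to become named volumes before publishing. The host-path rule it uses is a simplification and an assumption, long-syntax entries are not covered, and `isHostPath`, `bindMounts` and the sample services are hypothetical names and data.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// isHostPath is a simplified form of the short-syntax rule: a source that
// starts with ".", "/" or "~" is a host path, anything else a volume name.
// Windows drive-letter paths are not handled in this sketch.
func isHostPath(source string) bool {
	return strings.HasPrefix(source, ".") ||
		strings.HasPrefix(source, "/") ||
		strings.HasPrefix(source, "~")
}

// bindMounts returns one "service: source" entry for every bind mount, so the
// author sees all offending declarations and not just the first one.
func bindMounts(services map[string][]string) []string {
	var found []string
	for name, volumes := range services {
		for _, spec := range volumes {
			parts := strings.SplitN(spec, ":", 2)
			// A single field is a container path backed by an anonymous
			// volume, even though it starts with "/".
			if len(parts) == 2 && isHostPath(parts[0]) {
				found = append(found, name+": "+parts[0])
			}
		}
	}
	sort.Strings(found) // map iteration order is random; keep output stable
	return found
}

// sampleServices is constructed sample data: service name -> volumes entries.
func sampleServices() map[string][]string {
	return map[string][]string{
		"web": {"./site:/usr/share/nginx/html:ro", "/var/cache/nginx"},
		"db":  {"dbdata:/var/lib/postgresql/data", "~/.pgpass:/root/.pgpass:ro"},
	}
}

func main() {
	for _, b := range bindMounts(sampleServices()) {
		fmt.Println("bind mount (publish would refuse):", b)
	}
}
```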

@ndeloof ndeloof requested a review from a team as a code owner March 4, 2025 14:54
@ndeloof ndeloof requested a review from glours March 4, 2025 14:54
for _, config := range project.Services {
for _, volume := range config.Volumes {
if volume.Type == types.VolumeTypeBind {
return false, errors.New("cannot publish a compose file relying on bind-mount. You should use volumes")
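Review bot: The error returned inside the `if volume.Type == types.VolumeTypeBind` branch is a fixed string, so the user cannot tell which service or which host path caused the refusal, and the loop stops at the first match. Keep the service name from the outer loop (it is currently discarded) and include it, together with the volume's source, in the message; collecting every offending declaration before returning would spare the user repeated publish attempts. The message is also written as two sentences ("... bind-mount. You should use volumes"), whereas Go error strings are conventionally a single lowercase phrase, so the advice to use volumes reads better folded into one clause.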
Maybe we could let the user know which service has a bind mount declared, no?

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
@ndeloof ndeloof force-pushed the publish_bind_mount branch from 7f499dc to 3d66451 March 4, 2025 15:01
@glours glours enabled auto-merge (rebase) March 4, 2025 15:05
@glours glours merged commit 4c2ecb5 into docker:main Mar 4, 2025
25 checks passed
@ndeloof ndeloof deleted the publish_bind_mount branch March 4, 2025 15:13
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Mar 26, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/compose](https://github.com/docker/compose) | minor | `v2.33.1` -> `v2.34.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>docker/compose (docker/compose)</summary>

### [`v2.34.0`](https://github.com/docker/compose/releases/tag/v2.34.0)

[Compare Source](docker/compose@v2.33.1...v2.34.0)

#### What's Changed

##### ✨ Improvements

-   Support refresh pull policy by [@ndeloof](https://github.com/ndeloof) in docker/compose#12568
-   Introduced `include` to filter files considered by `watch` by [@ndeloof](https://github.com/ndeloof) in docker/compose#12584
-   Introduced `--env-from-file` in `docker compose run` command by [@ndeloof](https://github.com/ndeloof) in docker/compose#12626
-   Make `publish` a regular command of Compose by [@glours](https://github.com/glours) in docker/compose#12629

##### 🐛 Fixes

-   Build: only print COMPOSE_BAKE recommendation when disabled by [@emersion](https://github.com/emersion) in docker/compose#12572
-   Improve message suggesting using bake by [@glours](https://github.com/glours) in docker/compose#12612
-   Fixed service: reference in additional_contexts for builds without bake by [@ndeloof](https://github.com/ndeloof) in docker/compose#12582
-   Block the publication of an OCI artifact if one or more services contain only a build section by [@glours](https://github.com/glours) in docker/compose#12597
-   Display the location of OCI or GIT Compose stack download by [@glours](https://github.com/glours) in docker/compose#12595
-   Refuse to publish compose file with local include by [@ndeloof](https://github.com/ndeloof) in docker/compose#12600
-   `publish` reject compose file with bind mounts by [@ndeloof](https://github.com/ndeloof) in docker/compose#12601
-   Display interpolation variables and their values when running a remote stack by [@glours](https://github.com/glours) in docker/compose#12604
-   Publish compose file with required siblings used by `extends` by [@ndeloof](https://github.com/ndeloof) in docker/compose#12606
-   Add warning message when a remote configuration include an another remote config by [@glours](https://github.com/glours) in docker/compose#12610
-   Only load env_file after services have been selected by [@ndeloof](https://github.com/ndeloof) in docker/compose#12611
-   Deprecate --y, prefer --yes by [@ndeloof](https://github.com/ndeloof) in docker/compose#12623
-   Use Defang secret-detector to identify potential secret leaks before publishing OCI artifacts by [@glours](https://github.com/glours) in docker/compose#12620

##### 🔧  Internal

-   Link to configuration file docs by [@andrew-kramer](https://github.com/andrew-kramer) in docker/compose#12559
-   Otel attribute to track builder implementation selected by [@ndeloof](https://github.com/ndeloof) in docker/compose#12586
-   Test version command by [@maxproske](https://github.com/maxproske) in docker/compose#12576
-   Implement extends.file replace without yqlib by [@ndeloof](https://github.com/ndeloof) in docker/compose#12615
-   Add `cli.isatty` attribute to spans generated by compose by [@landism](https://github.com/landism) in docker/compose#12630
-   Condense output of `compose top` by [@dmke](https://github.com/dmke) in docker/compose#12628

##### ⚙️ Dependencies

-   Require go `1.23`|`1.24` (stable) by [@ndeloof](https://github.com/ndeloof) in docker/compose#12571
-   Build(deps): bump tags.cncf.io/container-device-interface from 0.8.0 to 0.8.1 by [@dependabot](https://github.com/dependabot) in docker/compose#12583
-   Build(deps): bump github.com/google/go-cmp from `0.6.0` to `0.7.0` by [@dependabot](https://github.com/dependabot) in docker/compose#12578
-   Build(deps): bump github.com/docker/cli from `28.0.0+incompatible` to `28.0.1+incompatible` by [@dependabot](https://github.com/dependabot) in docker/compose#12590
-   Build(deps): bump github.com/docker/docker from `28.0.0+incompatible` to `28.0.1+incompatible` by [@dependabot](https://github.com/dependabot) in docker/compose#12591
-   Build(deps): bump github.com/docker/buildx from `0.21.1` to `0.21.2` by [@dependabot](https://github.com/dependabot) in docker/compose#12598
-   Build(deps): bump github.com/opencontainers/image-spec from `1.1.0` to `1.1.1` by [@dependabot](https://github.com/dependabot) in docker/compose#12599
-   Build(deps): bump golang.org/x/sync from `0.11.0` to `0.12.0` by [@dependabot](https://github.com/dependabot) in docker/compose#12607
-   Build(deps): bump google.golang.org/grpc from `1.70.0` to `1.71.0` by [@dependabot](https://github.com/dependabot) in docker/compose#12603
-   Build(deps): bump golang.org/x/sys from `0.30.0` to `0.31.0` by [@dependabot](https://github.com/dependabot) in docker/compose#12608
-   Build(deps): bump github.com/moby/buildkit from `0.20.0` to `0.20.1` by [@dependabot](https://github.com/dependabot) in docker/compose#12609
-   Build(deps): bump tags.cncf.io/container-device-interface from `0.8.1` to `1.0.0` by [@dependabot](https://github.com/dependabot) in docker/compose#12617
-   Bump compose-go to version `v2.4.9` by [@glours](https://github.com/glours) in docker/compose#12633

#### New Contributors

-   [@emersion](https://github.com/emersion) made their first contribution in docker/compose#12572
-   [@andrew-kramer](https://github.com/andrew-kramer) made their first contribution in docker/compose#12559
-   [@landism](https://github.com/landism) made their first contribution in docker/compose#12630
-   [@dmke](https://github.com/dmke) made their first contribution in docker/compose#12628

**Full Changelog**: docker/compose@v2.33.1...v2.34.0

</details>

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).