[BUG] regression in compose secrets handling for include files between versions Docker version 26.1.4, build 5650f9b and 27.1.1, build 6312585

[ervin-pactum]

Description

After upgrading docker desktop for mac from 4.31.0 (153195) to version 4.33.0 (160616) our compose based (development) setup stopped working with secrets.one-token Additional property content is not allowed and similar errors, when compose file using secret is included from another file. We are using ARM Mac on macOS Sonoma 14.5.

Steps To Reproduce

create two compose files in peer directories one and two:

one/compose.yml:

name: one

services:
  one:
    image: busybox:latest
    command: ["sh", "-c", "cat /run/secrets/one-secret-token"]
    platform: linux/amd64
    secrets:
      - one-secret-token

secrets:
  one-secret-token:
    environment: "access_token"

(this configuration is valid according to docker compose config --quiet (exit 0) and starts if provided environment value without a problem:

 access_token='secret value 1' docker compose up --force-recreate
[+] Running 1/0
 ✔ Container one-one-1  Recreated                                                                                      0.0s 
Attaching to one-1
one-1  | secret value 1
one-1 exited with code 0

Follow by creating in peer folder (two/compose.yml):

name: two

include:
  - ../one/compose.yml
services:
  two:
    depends_on:
      one:
        condition: service_completed_successfully
    image: busybox:latest
    command: ["sh", "-c", "ls -al /run/secrets"]
    platform: linux/amd64

this will also pass validation docker compose config --quiet is still zero. but attempt to start it $ access_token=access_token='secret value 2' docker compose up --force-recreate will result in exit status code 15 with message:
validating /Users/ervin/sandbox/compose-env-secrets-repro/two/compose.yml: secrets.one-secret-token Additional property content is not allowed

We did validate that on older docker desktop (4.31.0 (153195), Docker version 26.1.4, build 5650f9b) this works as expected, but (Docker Desktop 4.33.0 (160616) is not working anymore.

Compose Version

$ docker compose version
Docker Compose version v2.29.1-desktop.1
$ docker-compose version
Docker Compose version v2.29.1-desktop.1
$ docker context show
default

Docker Environment

$ docker info
Client:
 Version:    27.1.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.1-desktop.1
    Path:     /Users/ervin/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.1-desktop.1
    Path:     /Users/ervin/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.34
    Path:     /Users/ervin/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.14
    Path:     /Users/ervin/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/ervin/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/ervin/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/ervin/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/ervin/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/ervin/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.11.0
    Path:     /Users/ervin/.docker/cli-plugins/docker-scout

Server:
 Containers: 7
  Running: 3
  Paused: 0
  Stopped: 4
 Images: 129
 Server Version: 27.1.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.0-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 7.655GiB
 Name: docker-desktop
 ID: 5eeb43b1-0755-4379-88de-886726381b20
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/ervin/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Anything else?

one click reproduction, execute following as bash script:

#!/usr/bin/env bash
set -euxo pipefail

docker --version
demo_dir="$(mktemp -d)"
pushd "${demo_dir}"

mkdir one
pushd one
cat - <<COMPOSE_ONE > compose.yml
name: one

services:
  one:
    image: busybox:latest
    command: ["sh", "-c", "cat /run/secrets/one-secret-token"]
    platform: linux/amd64
    secrets:
      - one-secret-token

secrets:
  one-secret-token:
    environment: "access_token"
COMPOSE_ONE

docker compose config
echo "one, passed config validation check"
access_token="secret_value" docker compose up --detach
docker compose logs --follow
popd

# Now add second compose file linking to first one:
mkdir two
pushd two
cat - <<COMPOSE_TWO > compose.yml
name: two

include:
  - ../one/compose.yml
services:
  two:
    depends_on:
      one:
        condition: service_completed_successfully
    image: busybox:latest
    command: ["sh", "-c", "ls -al /run/secrets"]
    platform: linux/amd64
COMPOSE_TWO

docker compose config
echo "two, passed config validation check"
access_token="secret_value2" docker compose up
echo "All done"
popd

[idsulik]

@ervin-pactum thank you for the details! pushed fix compose-spec/compose-go#669 , @ndeloof check please

[ervin-pactum]

Bump, is there any problem to reproduce, or any other reason why this is still status/0-triage ?

[mTsBucy1]

Bump, I am running into the same problem. When moving the secret definition one to one into the main file, the file is valid, but in the included file it is not.
My composefile also validates properly if the environment variable in the secret does not exist

Also the PR seems only mildly related.

[aleksandertsg]

Bump, It makes me downgrade Docker too often these days and creates a feeling that I am using a third party plugin of Docker not a Docker core product. Three minor versions with no fix nor addressing of problem 😞.

Open to provide more examples, but I feel that upper post is explaining extremely well.

[idsulik]

The fix is here compose-spec/compose-go#669 , waiting for review/approve from @ndeloof

[mTsBucy1]

The fix is here compose-spec/compose-go#669 , waiting for review/approve from @ndeloof

This is a regression, therefore to my knowledge a good fix would find the commit where the bug started occurring and revert that change.

[ndeloof]

@mTsBucy1 regression was introduced by a commit which is a fix for another issue. Considering a "revert on bug" strategy would prevent we move forward with Compose codebase, and is a pretty naive approach to software engineering imho

[idsulik]

@ndeloof what do you think about this fix compose-spec/compose-go#669 ? I can try to fix it using other ways if you don't like this one

[ndeloof]

@idsulik sounds good to me, I don't think we have a better option with current compose-go architecture.