Use "local" secret paths based on the secretID

This prevents targets with the same basename from colliding.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>

container/container.go

@@ -954,8 +954,9 @@ func (container *Container) SecretMountPath() string {
 	return filepath.Join(container.Root, "secrets")
 }
 
-func (container *Container) getLocalSecretPath(r *swarmtypes.SecretReference) string {
-	return filepath.Join(container.SecretMountPath(), filepath.Base(r.File.Name))
+// SecretFilePath returns the path to the location of a secret on the host.
+func (container *Container) SecretFilePath(secretRef swarmtypes.SecretReference) string {
+	return filepath.Join(container.SecretMountPath(), secretRef.SecretID)
 }
 
 func getSecretTargetPath(r *swarmtypes.SecretReference) string {

container/container_unix.go

@@ -248,15 +248,15 @@ func (container *Container) IpcMounts() []Mount {
 	return mounts
 }
 
-// SecretMounts returns the mount for the secret path
+// SecretMounts returns the mounts for the secret path.
 func (container *Container) SecretMounts() []Mount {
 	var mounts []Mount
 	for _, r := range container.SecretReferences {
-		// secrets are created in the SecretMountPath at a single level
-		// i.e. /var/run/secrets/foo
-		srcPath := container.getLocalSecretPath(r)
+		if r.File == nil {
+			continue
+		}
 		mounts = append(mounts, Mount{
-			Source:      srcPath,
+			Source:      container.SecretFilePath(*r),
 			Destination: getSecretTargetPath(r),
 			Writable:    false,
 		})

container/container_windows.go

@@ -47,7 +47,7 @@ func (container *Container) IpcMounts() []Mount {
 	return nil
 }
 
-// SecretMounts returns the mount for the secret path
+// SecretMounts returns the mounts for the secret path
 func (container *Container) SecretMounts() []Mount {
 	return nil
 }

daemon/container_operations_unix.go

@@ -177,9 +177,9 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 			return fmt.Errorf("secret target type is not a file target")
 		}
 
-		// secrets are created in the SecretMountPath at a single level
-		// i.e. /var/run/secrets/foo
-		fPath := filepath.Join(localMountPath, filepath.Base(s.File.Name))
+		// secrets are created in the SecretMountPath on the host, at a
+		// single level
+		fPath := c.SecretFilePath(*s)
 		if err := idtools.MkdirAllAs(filepath.Dir(fPath), 0700, rootUID, rootGID); err != nil {
 			return errors.Wrap(err, "error creating secret mount path")
 		}