Secrets, .balena and balena engine

I am trying to migrate from docker ce to balena engine which seems non-trivial.

I have tried to replace docker binaries by used for balena engine binaries using symlinks. Seems non-trivial to perform drop-in replace of docker and non-trivial to update docker systemd files with the balena engine binaries. Unable to get a working balena daemon.

I am migrating in order to use the balena secrets feature.

Anyone managed to get secrets working and performing a valid drop-in replacement of docker ce?

Hi @aliasbits,

Would you mind providing a little more information on your platform & how you installed balenaEngine? Did you use the install script outlined here:, or do something else entirely?

Hi @xginn8

I have tried both the installation script and installation manual to ~/bin including PATH update to ensure balena-engine symbolic links are loaded before docker ce. From this point on I have tried updating docker.server, docker.sock and containerd.service in order to use the balena engine binaries. From this experiment I have seen EOF error and shim.lock error while building. I have also tried symbolic links matching docker ce without any luck.

I have not found any balena engine service files to replace or coexist with docker ce.

I am working on Ubuntu 16.04 and 18.04.

hey @aliasbits,

I am not sure what you are referring to with

From this experiment I have seen EOF error and shim.lock error while building

Did you report any issues elsewhere that you could link here?

We have systemd service files for balenaEngine here if you want to compare yours…

If you’re using the lastest release from github you might experience this issue which you can fix by adding GODEBUG=netdns=go to the environment in your unit file.

I have not filled anything yet, since my experiments does not seem to be valid errors. More like invalid setup for now.

I will try the service files you linked

Latest status. The following is needed to get the service files working:

  • copy balena-engine.[sock, service] to /etc/systemd/system
  • addgroup --system balena-engine
  • replace /usr/bin with /usr/local/bin in balena-engine.service, this is needed as the installation script installs to /usr/local/bin
  • systemctl daemon-reload
  • systemctl enable balena-engine, if needed after reboot
  • systemctl start balena-engine

Use root user to build images or add balena-engine group to non-root build user:

  • usermod -aG balena-engine [username]
  • log out and log in as [username]
  • type ‘id’ in console to see the balena-engine group in list

Hey @aliasbits thank you so much for reporting back and providing this for others :slight_smile:
The steps look spot-on, the only thing is that I think you can drop the last systemctl start balena-engine as the daemon as it is now configured as a socket activated service and using the cli to try and talk to /var/run/balena-engine.sock will automatically start it

I managed to use secrets inside the image as described in balena secrets

Note that if you use nested images, then changes may be needed in the Dockerfile using a previous build images as balena cli adds a postfix matching the service name in the docker-compose file.

Balena cli 11.9.3 --tag argument seems to be ignored, see