podman secrets --driver=pass hardware token #13539
Comments
@ashley-cui PTAL
A friendly reminder that this issue had no activity for 30 days.
Currently, our gpg function, which uses exec.Command to run `gpg --encrypt` and `gpg --decrypt`, does not allow stdin or stdout to be anything but a buffer stream used directly in the program. This causes `gpg` to error out since it cannot ask for validation on locked keys. Fix this by passing stdin to --decrypt as the "in" var and stdout as the "out" var to --encrypt. Resolves containers/podman#13539. Signed-off-by: cdoern <cdoern@redhat.com>
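As an added illustration (not code from c/common or podman), the pre-fix "buffer only" shape sits next to the in/out wiring the commit message describes. `newGPGCmd`, `decryptBuffered`, `runGPG`, `decryptFrom` and `encryptTo` are names chosen here; the `newGPGCmd` variable exists only so a stand-in binary can be substituted when testing without gpg.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"os/exec"
)

// newGPGCmd builds the gpg invocation. It is a variable (an addition for
// testability, not in c/common) so a stand-in binary can replace gpg.
var newGPGCmd = func(args ...string) *exec.Cmd { return exec.Command("gpg", args...) }

// decryptBuffered is the pre-fix shape: stdin and stdout are in-memory
// buffers, so gpg has no terminal through which gpg-agent/pinentry can
// ask to unlock a passphrase- or token-protected key; it errors instead.
func decryptBuffered(ciphertext []byte) ([]byte, error) {
	cmd := newGPGCmd("--decrypt")
	cmd.Stdin = bytes.NewReader(ciphertext)
	var out, errb bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, &errb
	if err := cmd.Run(); err != nil {
		return nil, fmt.Errorf("gpg --decrypt: %w: %s", err, errb.String())
	}
	return out.Bytes(), nil
}

// runGPG is the post-fix shape: the caller decides what "in" and "out" are.
// Handing it os.Stdin/os.Stdout (a terminal) lets pinentry prompt, and
// stderr is forwarded so the prompt or any error is visible to the user.
func runGPG(in io.Reader, out io.Writer, args ...string) error {
	cmd := newGPGCmd(args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = in, out, os.Stderr
	// Explicit for clarity: a nil Env would also inherit the caller's
	// environment, including GPG_TTY, which pinentry uses to find the tty.
	cmd.Env = os.Environ()
	return cmd.Run()
}

// The two call sites named in the commit: --decrypt reads from "in",
// --encrypt writes to "out".
func decryptFrom(in io.Reader, out io.Writer) error {
	return runGPG(in, out, "--decrypt")
}

func encryptTo(out io.Writer, plaintext io.Reader, recipient string) error {
	return runGPG(plaintext, out, "--encrypt", "--recipient", recipient)
}
```

In an interactive CLI the caller passes `os.Stdin` and `os.Stdout`; a library caller can still pass buffers, but then a locked key will fail exactly as the thread describes.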
A friendly reminder that this issue had no activity for 30 days.
@cdoern @ashley-cui Any movement on this?
@rhatdan I have a PR open in c/common but the tests are near impossible. The fix works, I know that, so I might look for a way to merge with minimal new tests b/c the more I try to make a test the more I break other things...
A friendly reminder that this issue had no activity for 30 days.
Coming back to this during this week
A friendly reminder that this issue had no activity for 30 days.
@cdoern any update?
Is there an update here? I unfortunately also have the problem.
@ashley-cui PTAL
I have a PR open for this but the issue is, it's not testable.
@k33pn3xtlvl Care to test @cdoern's PR? @cdoern what is the PR?
Has this issue gone stale?
This is the commit @rhatdan cdoern/common@98cfad7; the issue is lack of testability.
Did it get merged? Is there a PR? Just don't add a test and we can ask users like @lex-ibm to test it out.
Count me in
Underlying problem here is that when gpg is invoked by podman, it does not detect running gpg-agent (with socket in It is not clear to me why agent is not found - probably something to do with the context in which podman invokes gpg. A workaround is to put the following text in
After this gpg is able to find the existing agent, and decryption works as expected.
Is this an environment variable thing? Do we need to pass an environment variable from the podman environment through to GPG to allow it to find it? I believe by default we remove the environment when we exec GPG.
I don't think so - GPG uses hardcoded socket paths, and according to here https://github.com/containers/common/blob/main/pkg/secrets/passdriver/passdriver.go#L162, podman passes through environment variables anyway.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
secrets with --driver=pass uses new gpg-agent (systemd) causing hardware tokens like yubikey to not work (since they require user authentication)
Steps to reproduce the issue:
https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
Describe the results you received:
Error: a461f4dee15d5e915cc686ff2: no secret data with ID
Describe the results you expected:
test1
Additional information you deem important (e.g. issue happens only occasionally):
This fixes the issue:
Although I would not say this is a good solution.
strace shows podman trying to access `/run/user/0`, probably in order to read `/run/user/0/gnupg/S.gpg-agent` rather than `${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent` of user 1000, so I suspect that this is a user namespace problem, but have not verified.
Output of `podman version`:
Output of `podman info --debug`:
Package info (e.g. output of `rpm -q podman` or `apt list podman`):
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes/No
Latest on ubuntu jammy, have not compiled 4.0.x
Additional environment details (AWS, VirtualBox, physical, etc.):