rootless podman supports credHelper #4123

Open
QiWang19 opened this issue Sep 26, 2019 · 56 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-design-doc

Comments

@QiWang19
Contributor

c/image and podman already support "credHelpers", but it only works for the config in /run/user/0/auth.json and sudo podman login.

With the config in /run/user/1000/auth.json and podman login, I got an error:

{
        "credHelpers": {
                "docker.io": "secretservice"
        }
}

$ podman login docker.io
Error: error reading auth file: error getting credentials - err: exit status 1, out: `Exhausted all available authentication mechanisms (tried: EXTERNAL) (available: EXTERNAL)`
@sdouche

sdouche commented Oct 14, 2019

Hi,
The lack of non-root use is the blocking point to switch to Podman from Docker on some use-cases. Highly interested in this feature.
Do you know a workaround to bypass this restriction?

@mtrmac
Collaborator

mtrmac commented Oct 14, 2019

I can’t see why this should not work in principle, c/image does nothing interesting about privileges/credentials.

That bug is almost certainly reported by the secretservice helper itself, and needs to be diagnosed within it. (As a wild guess, it needs some local secrets that are available to root but not UID=1000?)

@github-actions

This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.

@TomSweeneyRedHat
Member

Going to keep this one alive.

@sdouche

sdouche commented Nov 18, 2019

Hi :). Do you think this issue will be included in the short-term roadmap? To know if I should switch back to Docker.

@vrothberg
Member

@QiWang19, do you have cycles to look into it?

@rhatdan
Member

rhatdan commented Nov 19, 2019

@sdouche do you have a specific credhelper you are looking for?

@QiWang19
Contributor Author

@QiWang19, do you have cycles to look into it?

yes, I want to look into this

@sdouche

sdouche commented Nov 20, 2019

@sdouche do you have a specific credhelper you are looking for?

Hi @rhatdan. For now, to retrieve containers from AWS ECR:

{
  "credHelpers": {
    "xxx.dkr.ecr.eu-west-1.amazonaws.com": "ecr-login"
  }
}

Does that answer your question?

@rhatdan
Member

rhatdan commented Nov 21, 2019

Yes, that is exactly what I was looking for.

@sdouche

sdouche commented Nov 21, 2019

I forgot, feel free to ping me for testing :). Thanks for your work.

@github-actions

github-actions bot commented Jan 8, 2020

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Jan 8, 2020

@QiWang19 Can you look into this?

@rhatdan
Member

rhatdan commented Feb 17, 2020

@QiWang19 Working on this one?

@rhatdan
Member

rhatdan commented Jun 9, 2020

@QiWang19 What is the status on this one?

@QiWang19
Contributor Author

QiWang19 commented Jun 9, 2020

@giuseppe verified this is an issue with secret-tools: its use of D-Bus hardcodes the euid() inside the EXTERNAL request itself. I think he has a patch for fixing this.

@giuseppe
Member

@QiWang19
Contributor Author

Thanks. Should this issue be closed now, or should we wait for the fix to be included in some release? For now, rootless podman with a credential helper configuration still doesn't work.

Merge Request here: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1403

@rhatdan
Member

rhatdan commented Jun 11, 2020

Keep it open. If this gets merged we are going to have to ask for a back port to RHEL8 as well.

@giuseppe
Member

I got some comments on the merge request but I am not able at the moment to take care of them.

@alexlarsson do you know who could help us to move the gnome MR forward?

@alexlarsson
Contributor

@giuseppe Seems like simon is looking at it? He is the upstream dbus maintainer, and also often involved in gnome stuff.

@rhatdan
Member

rhatdan commented Sep 10, 2020

@giuseppe @alexlarsson @QiWang19 Any update on this? Has dbus been fixed?

@alexlarsson
Contributor

I'll ping some people about it

@rhatdan
Member

rhatdan commented Mar 7, 2021

@QiWang19 What should happen with this one?

@MikeKroell

We also have an interest in this. We use ECR with HPC, and want to use rootless podman for security. Though this is a show-stopper for us.

@tjanez

tjanez commented Jul 28, 2021

I have it working on my system, but I guess there are no complete instructions for using docker-credential-pass with Podman (yet).

Let me write them here.

Guide on using docker-credential-pass with Podman

Install docker-credential-pass docker credential helper

Download the latest release from https://github.com/docker/docker-credential-helpers/releases.

Make sure the docker-credential-pass binary is in your PATH.

For example, symlink the binary to some directory in your path (e.g. ~/.local/bin):

ln -s <path-to-docker-credentials-helper-executable> ~/.local/bin/docker-credential-pass

Initialize docker-credential-pass

Run:

pass init -p docker-credential-helpers <GPG-key-id>

For example:

pass init -p docker-credential-helpers myname@mydomain.com

If everything was successful, you should see output similar to:

mkdir: created directory '/home/myname/.password-store/docker-credential-helpers'
Password store initialized for myname@mydomain.com (docker-credential-helpers)
[master 1faa999] Set GPG id to myname@mydomain.com (docker-credential-helpers).
 1 file changed, 1 insertion(+)
 create mode 100644 docker-credential-helpers/.gpg-id

Add credentials for a registry

Add the following to ~/.config/containers/auth.json (create the file if necessary) (e.g. for the docker.io registry):

{
    "credHelpers": {
        "docker.io": "pass"
    }
}

NOTE: Podman currently only implements support for the credHelpers config field. The global credsStore field is not yet supported. See #4123 (comment) for more details.

Add credentials for the registry (e.g. docker.io) to pass by running:

docker-credential-pass store

Enter your registry credentials in the following format:

{"ServerURL":"docker.io","Username":"myname","Secret":"<password>"}

And press Ctrl+D after you've finished.

NOTE: If your password contains a backslash (\) character, you need to escape it with another backslash, i.e. \\.

The docker-credential-pass helper will store your registry credentials as docker-credential-helpers/<encoded-registry-URL>/<registry-username>, e.g. docker-credential-helpers/ZG9ja2VyLmlv/myname.

SECURITY WARNING: Adding credentials via podman login doesn't work at the moment. It will store your registry credentials unencrypted in ~/$XDG_RUNTIME_DIR/containers/auth.json file!

List stored credentials (without passwords)

Run:

docker-credential-pass list

It should return:

{"docker.io":"myname"}

Configure GPG

To tell GPG to ask the user for his YubiKey's PIN to decrypt the credentials stored via pass, add the following to your ~/.bashrc:

export GPG_TTY=$(tty)

For more details, see: #4123 (comment).
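As an added example (not part of tjanez's post and not code from the docker-credential-helpers project), the following POSIX shell script exercises the parts of the procedure above that can be checked offline: how the pass entry path for a registry is derived (the <encoded-registry-URL> component is the base64 encoding of the registry name, which is why docker.io appears as ZG9ja2VyLmlv), how to build the JSON line that docker-credential-pass store reads with backslashes escaped as the note above requires, and a check that flags an auth.json still holding inline "auth" entries, which is what podman login writes when no helper handles the registry. The function names are my own, and the sample auth.json is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not from the issue thread or docker-credential-helpers.
# Function names are hypothetical. Illustrates the on-disk layout and
# stdin format used by docker-credential-pass as described in the guide.

# Derive the pass entry path for a registry/user pair.
# docker-credential-pass names the directory after the base64 of the
# ServerURL, so "docker.io" becomes "ZG9ja2VyLmlv".
pass_entry_path() {
    registry=$1
    user=$2
    encoded=$(printf '%s' "$registry" | base64 | tr -d '\n')
    printf 'docker-credential-helpers/%s/%s\n' "$encoded" "$user"
}

# Build the JSON line that `docker-credential-pass store` reads on stdin.
# Backslashes and double quotes in the secret are escaped so the payload
# stays valid JSON (the "\\" note in the guide).
store_payload() {
    registry=$1
    user=$2
    secret=$(printf '%s' "$3" | sed 's/[\\"]/\\&/g')
    printf '{"ServerURL":"%s","Username":"%s","Secret":"%s"}\n' \
        "$registry" "$user" "$secret"
}

# Count inline "auth" entries in an auth.json. A non-zero count means
# base64-only (effectively plaintext) credentials sit on disk instead of
# being delegated to a credential helper; the "auths" key itself does not
# match because the pattern requires the closing quote right after "auth".
inline_auth_count() {
    file=$1
    [ -r "$file" ] || { printf '0\n'; return; }
    grep -c '"auth"[[:space:]]*:' "$file" || true
}

# Constructed sample auth.json: one registry left behind by podman login
# next to a credHelpers entry. Prints the number of inline entries (1).
demo_inline_auth_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
{
    "auths": {
        "quay.io": {
            "auth": "bXluYW1lOmV4YW1wbGUtcGFzc3dvcmQ="
        }
    },
    "credHelpers": {
        "docker.io": "pass"
    }
}
EOF
    inline_auth_count "$tmp"
    rm -f "$tmp"
}

# Stand-alone demonstration.
pass_entry_path docker.io myname
store_payload docker.io myname 'p\ss"w'
demo_inline_auth_check
```

The inline_auth_count check is the one worth keeping around: run it against $XDG_RUNTIME_DIR/containers/auth.json after a podman login to confirm that the credentials went to the helper rather than into the file.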

@mtrmac
Collaborator

mtrmac commented Jul 28, 2021

SECURITY WARNING: Adding credentials via podman login doesn't work at the moment. It will store your registry credentials unencrypted in ~/$XDG_RUNTIME_DIR/containers/auth.json file!

Yeah, that’s one of the downsides of using an ephemeral (swap-only) credential file as the default: it can’t reasonably contain a credential helper configuration because it is erased on every reboot. (It shouldn’t be much of a risk, because it is supposed to be only stored in RAM and on the swap; assuming encrypted swap, both are protected using exactly the same kinds of credentials necessary to attack a credential helper process running under the same UID — but that depends on details of your threat model and mitigations, if any.)

An alternative to this is to configure the credential helper in registries.conf(.d)'s credential-helpers option; that allows changing the global default, or per-user default, to a helper instead of a config file, in a persistent way. (Full disclosure: I didn’t test this now to verify it works as expected, I’m only pointing out the existence of the option.)

@tjanez

tjanez commented Jul 29, 2021

SECURITY WARNING: Adding credentials via podman login doesn't work at the moment. It will store your registry credentials unencrypted in ~/$XDG_RUNTIME_DIR/containers/auth.json file!

(It shouldn’t be much of a risk, because it is supposed to be only stored in RAM and on the swap; assuming encrypted swap, both is protected using exactly the same kinds of credentials necessary to attack a credential helper process running under the same UID — but that depends on details of your threat model and mitigations, if any.)

Yeah, that is true.

Hopefully, using a credential helper like pass in combination with a smartcard-backed GPG key (e.g. YubiKey), one would need to physically connect the smartcard to the system and unlock it via a PIN and the credential helper would stop working after the smartcard is disconnected, so the secrets would be "exposed" to processes running under the same UID for less time.

An alternative to this is to configure the credential helper in registries.conf(.d)'s credential-helpers option; that allows changing the global default, or per-user default, to a helper instead of a config file, in a persistent way. (Full disclosure: I didn’t test this now to verify it works as expected, I’m only pointing out the existence of the option.)

Thanks for mentioning this, I see this is quite a new thing: containers/image#1193.

@rhatdan
Member

rhatdan commented Aug 1, 2021

This screams out for a Blog to be written. Podman and Credential helpers.

@github-actions

github-actions bot commented Sep 1, 2021

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Sep 1, 2021

@lsm5 @mtrmac @vrothberg PTAL

@github-actions

github-actions bot commented Oct 2, 2021

A friendly reminder that this issue had no activity for 30 days.

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Jan 11, 2022

@vrothberg @mtrmac where are we on this?

@vrothberg
Member

I've no idea, to be honest. We've been in bug-scrubbing mode for months.

@mtrmac
Collaborator

mtrmac commented Jan 11, 2022

No change for a long time: We have the feature in registries.conf credential-helpers, but we don’t have the compatibility with the Docker credsStore field.

The default of storing auth.json on /tmpfs , and only updating that file, interacts pretty badly with a global credsStore field in auth.json. It’s easy enough to write code that reads that field but the UX is somewhere between bad and dangerously insecure. (To be fair, that similarly applies to the credHelpers field.)

OTOH there are some reports that suggest that supporting the credsStore field is fairly important for interoperability, e.g. recent (but undiagnosed!) containers/skopeo#1534 .

It’s not immediately obvious to me what’s the best thing to do here, especially WRT the risk of the user configuring a “hardened” credential helper in docker/config.json and that being ignored when some command creates auth.json later. There might well be a nice clean solution — or it’s equally quite possible that pointing users at registries.conf is the best I can do. I have no idea.

@rhatdan
Member

rhatdan commented Jan 11, 2022

I think we should require registries.conf for this or registries.conf.d/file.

@alexisph

If anyone is looking to use docker-credential-pass with gopass and podman, please see my comment here

@github-actions

A friendly reminder that this issue had no activity for 30 days.
