Add keyring package #619
Add keyring package #619
Conversation
|
@QiWang19 Looks like you are missing some vendors. |
|
https://github.com/zalando/go-keyring requires dbus which does not seem very portable. Imagine this running in a container. |
@rhatdan WDYT about the dbus requirement? I think we can use the zalando lib for OS X and Windows, but for Linux I would prefer using the syscalls directly to avoid a dbus dependency. We need only a very limited set of the entire keyrings functionality, so I'd go for writing a package here in containers/image. Also adding @mtrmac to share thoughts. |
|
Yes I am not interested in the dbus bindings, I would rather to it directly. |
|
More importantly, containers/podman#2167 asks for support of the kernel keyring (keyctl(2) etc.), which is completely different from the per-user userspace keyring (FreeDesktop secrets) supported by https://github.com/zalando/go-keyring ; it’s not just a matter of using/not using D-Bus, it’s a completely different store. As far as the implementation goes, it’s not obvious to me that this should be a hard-coded silently-used default like this; using the And then we would talk about whether to implement the helpers out-of-process using that protocol, or in-process by specially recognizing some keywords; both is plausible. |
|
still need this PR using https://github.com/zalando/go-keyring to support OS X and Windows? |
|
OS X and Windows don’t have keyctl(2), so containers/podman#2167 is fundamentally impossible for them. (The kernel keyring is fundamentally ephemeral, a reboot, or probably a log out, clears it; the keyrings supported by go-keyring are persistent and intended for ~single-sign-on (logging into the computer makes the credentials available). Sure, we can also have a conversation about which one of these is more valuable (and I personally lean towards ephemeral login state being too much hassle for not that much security), but if this PR is supposed to support the kernel keyring or something equivalent, and it just doesn’t.) |
We can defer that to another PR and focus just on Linux here. I think it would nice to also support the OS X keyring (and whatever Windows does) but that might be out of scope. @QiWang19, I suggest to first add the code to support the kernel keyring. There are go libraries in the wild that offer bindings for keyctl but I would prefer to have a dedicated (and minimal) package somewhere here in containers/image. Once that's in place, we can check the details how we can integrate this into the stack (see @mtrmac's comment #619 (comment)). |
|
yes, I think I can add a package to use kernel keyring first and then decide how to apply it. |
|
Grab files from https://github.com/jsipprell/keyctl to add session keyring. Is this kind of keyring that we should use? |
|
Yes I believe so. |
QiWang19
force-pushed
the
key
branch
5 times, most recently
from
b1d92db to
a5a3a64
Compare
|
I saw containers/image already supported the credHelpers configuration using API from image/pkg/docker/config/config.go Lines 42 to 46 in 2c0349c I don't want kernel keyring to be configured under credHelpers. Can I use the kernel keyring as a default choice, if credHelpers is not configured, then add username &password to kernel keyring, if an error occurs they will be added to the authfile?
|
|
I would prefer this to be primary and not rely on external helpers. |
I am, hypothetically, a bit worried that this “if an error occurs” state could cause the user to end up with two credential locations at the same time, and unclear rules about when data is recorded in which one and how to manage it — but that is hypothetical and strongly depends on the actual implementation; arguably kernel facilities should very rarely fail, and if they do, they should fail with a clear reason. |
|
@mtrmac PTAL |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
Very minimal initial impressions:
- I’d really much prefer vendoring the original keyctl* wrappers to maintaining a separate fork in our repo.
- The key name (“description”) should include an unambiguous indication that these are container credentials, to prevent accidental clashes with other software that could use the hostname as a key name for some other purpose.
|
|
@mtrmac - @vrothberg Asked her to copy the limited functions into this Repo rather then vendoring in the entire repo. (I believe) |
Yes, I asked to have a minimal package here. The required code for our purpose is small in size and complexity. Having it here allows for changing it to our needs if needed and removes the burden of creating new source packages for downstream packaging (mostly Debian). |
QiWang19
force-pushed
the
key
branch
3 times, most recently
from
5c8434b to
a838f90
Compare
|
@vrothberg 🙂 thanks for reviewing. Fixed the comments above. PTAL |
|
Apologies, @QiWang19. This one slipped through my emails! I will have another look tomorrow. |
vrothberg
left a comment
vrothberg
left a comment
There was a problem hiding this comment.
Only minor nits, comments and clean-ups. The tests need more coverage. Other than that, LGTM. Great work, @QiWang19!
@rhatdan PTAL as well. It can easily be tested with Podman (go mod edit -replace github.com/containers/image=github.com/QiWang19/image@key, make vendor, ...).
|
@rhatdan, one thing that still worries me a bit is that the keyrings are not yet namespaced. So they can leak into and from a container. Just tried that with Podman. |
|
@vrothberg Were you able to see the keyring from inside of podman, or was it blocked by SELinux and other security mechanisms? |
It's blocked by SELinux and SECCOMP, which I consider to be "good enough" for a general use but I am no security expert and leave the decision up to you :^) |
|
Well we already have this issue, so this just adds a little to the problem. Hopefully the patches to the kernel will finally get merged which will at least allow us to isolate Keyring via User Namespace in the future. |
QiWang19
force-pushed
the
key
branch
2 times, most recently
from
437d4e3 to
f91da40
Compare
pkg/docker/config/config.go
Outdated
|
|
||
| err := setAuthToKernelKeyring(registry, username, password) | ||
| if err == nil { | ||
| logrus.Debugf("credentials for (%s, %s) was stored in the kernel keyring\n", registry, username) |
|
@vrothberg PTAL |
| // Use of this source code is governed by a BSD-style | ||
| // license that can be found in the LICENSE file. | ||
|
|
||
| // +build linux |
Add package from https://github.com/jsipprell/keyctl to store authentication for podman login to kernel user keyring. close containers#2167 Signed-off-by: Qi Wang <[email protected]>
|
@vrothberg PTAL 🙂 |
vrothberg
left a comment
vrothberg
left a comment
There was a problem hiding this comment.
LGTM, thanks @QiWang19 👍
@rhatdan @TomSweeneyRedHat @mtrmac PTAL, let's get this in.
|
LGTM |
4 participants
Add package from https://github.com/jsipprell/keyctl to store authentication for
podman loginto kernel user keyring.close #2167