Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using docker build with secrets backed by a Podman controlled docker.sock fails on macOS #14615

Closed
jimeh opened this issue Jun 16, 2022 · 6 comments
Closed

Using docker build with secrets backed by a Podman controlled docker.sock fails on macOS #14615

jimeh opened this issue Jun 16, 2022 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. macos MacOS (OSX) related remote Problem is in podman-remote stale-issue

Comments

@jimeh
Copy link

jimeh commented Jun 16, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

docker build commands which uses secrets fail, while the equivalent podman build command works just fine.

I'm on macOS and using the podman-mac-helper to have Podman take over the default Docker socket, allowing the normal docker CLI to be used with Podman.

Steps to reproduce the issue:

  1. Create a Podman machine:2. 
    podman machine init --rootful
  2. Activate mac helper to make docker CLI work with Podman: 
    sudo podman-mac-helper install
  3. Start Podman machine: 
    podman machine start
  4. Create these two files:
    • Dockerfile: 
      FROM alpine

RUN --mount=type=secret,id=my_secret \
    echo "/run/secrets/my_secret: $(cat /run/secrets/my_secret)"

RUN --mount=type=secret,id=my_secret,dst=/root/.my_secret \
    echo "/root/.my_secret: $(cat /root/.my_secret)"
    • my-secret.txt: 
      super-secret-thing-goes-here
  5. Run podman build --secret "id=my_secret,src=$(pwd)/my-secret.txt" . which yields a successful build: 
    STEP 1/3: FROM alpine
STEP 2/3: RUN --mount=type=secret,id=my_secret     echo "/run/secrets/my_secret: $(cat /run/secrets/my_secret)"
/run/secrets/my_secret: super-secret-thing-goes-here
--> 14020dbf20a
STEP 3/3: RUN --mount=type=secret,id=my_secret,dst=/root/.my_secret     echo "/root/.my_secret: $(cat /root/.my_secret)"
/root/.my_secret: super-secret-thing-goes-here
COMMIT
--> 13bd4c2aaaa
13bd4c2aaaa45c7d7938af3c55eb5f91df1728005f947fc6f2eed5f6a70d626d
  6. Run docker build --secret "id=my_secret,src=$(pwd)/my-secret.txt" . which yields failures to read the mounted secret files: 
    Sending build context to Docker daemon   7.68kB
STEP 1/3: FROM alpine
STEP 2/3: RUN --mount=type=secret,id=my_secret     echo "/run/secrets/my_secret: $(cat /run/secrets/my_secret)"
cat: can't open '/run/secrets/my_secret': No such file or directory
/run/secrets/my_secret:
--> 9b63f2490ec
STEP 3/3: RUN --mount=type=secret,id=my_secret,dst=/root/.my_secret     echo "/root/.my_secret: $(cat /root/.my_secret)"
cat: can't open '/root/.my_secret': No such file or directory
/root/.my_secret:
COMMIT
--> 69acc7aad8e
69acc7aad8e852362b1742d7cbd0b4daa5f0aa82ea47d66bbe4610d36657baa7
Successfully built 69acc7aad8e8

Describe the results you received:

Mounted build secrets do not exist within the build container when using docker build, while using podman build it works fine.

Describe the results you expected:

Using docker build backed by a docker.sock controlled by Podman, I expected mounting build secrets to work.

Additional information you deem important (e.g. issue happens only occasionally):

I'm running macOS 12.4 (21F79), on a 2020 Intel-based MacBook Pro.

Output of podman version:

(I did just create a new podman machine a few minutes ago, I assume 4.1.1 is not available yet)

Client:       Podman Engine
Version:      4.1.1
API Version:  4.1.1
Go Version:   go1.18.3
Built:        Tue Jun 14 21:12:46 2022
OS/Arch:      darwin/amd64

Server:       Podman Engine
Version:      4.1.0
API Version:  4.1.0
Go Version:   go1.18
Built:        Fri May  6 17:15:54 2022
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.26.1
  cgroupControllers:
  - cpuset
  - CPU
  - io
  - memory
  - hugetlb
  - pids
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpuUtilization:
    idlePercent: 86.02
    systemPercent: 7.24
    userPercent: 6.73
  cpus: 1
  distribution:
    distribution: fedora
    variant: coreos
    version: "36"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.17.12-300.fc36.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1309577216
  memTotal: 2066825216
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.5-1.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.5
      commit: c381048530aa750495cf502ddb7181f2ded5b400
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 2m 50.91s
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 106825756672
  graphRootUsed: 2302570496
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.1.0
  Built: 1651853754
  BuiltTime: Fri May  6 17:15:54 2022
  GitCommit: ""
  GoVersion: go1.18
  Os: linux
  OsArch: linux/amd64
  Version: 4.1.0

Package info (e.g. output of rpm -q podman or apt list podman):

Output from brew info podman:

podman: stable 4.1.1 (bottled), HEAD
Tool for managing OCI containers and pods
https://podman.io/
/usr/local/Cellar/podman/HEAD-0b29561 (170 files, 44.4MB)
  Built from source on 2022-02-10 at 14:18:05
/usr/local/Cellar/podman/4.1.1 (174 files, 47.7MB) *
  Poured from bottle on 2022-06-16 at 02:20:15
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/podman.rb
License: Apache-2.0
==> Dependencies
Build: go, go-md2man
Required: qemu
==> Options
--HEAD
	Install HEAD version
==> Caveats
zsh completions have been installed to:
  /usr/local/share/zsh/site-functions

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

For this issue, I created a new Podman machine called foo to check if I could get Podman 4.1.1 in the machine, but have the same issues with the default podman-machine-default machine too.

podman machine init --rootful foo
podman machine start foo

podman machine inspect yields:

[
     {
          "ConfigPath": {
               "Path": "/Users/jimeh/.config/containers/podman/machine/qemu/foo.json"
          },
          "Created": "2022-06-16T09:55:52.523262+01:00",
          "Image": {
               "IgnitionFilePath": {
                    "Path": "/Users/jimeh/.config/containers/podman/machine/qemu/foo.ign"
               },
               "ImageStream": "testing",
               "ImagePath": {
                    "Path": "/Users/jimeh/.local/share/containers/podman/machine/qemu/foo_fedora-coreos-36.20220605.2.0-qemu.x86_64.qcow2"
               }
          },
          "LastUp": "0001-01-01T00:00:00Z",
          "Name": "foo",
          "Resources": {
               "CPUs": 1,
               "DiskSize": 100,
               "Memory": 2048
          },
          "SSHConfig": {
               "IdentityPath": "/Users/jimeh/.ssh/foo",
               "Port": 50249,
               "RemoteUsername": "core"
          },
          "State": ""
     }
]
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 16, 2022
@github-actions github-actions bot added macos MacOS (OSX) related remote Problem is in podman-remote labels Jun 16, 2022
@flouthoc
Copy link
Collaborator

flouthoc commented Jun 16, 2022
edited
Loading

Hi @jimeh, Thanks for creating the issue. It works with podman and not with docker CLI cause secrets parameter added in API is only recognized by podman and not by docker API which was added here #12414

Unfortunately docker does not provides any public API for passing secrets to /build , existing API does not accepts secrets parameter https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild .

I am not sure if there is any right solution to this unless docker decides to create an API for this and docker-cli starts using it.

@jimeh
Copy link
Author

jimeh commented Jun 16, 2022

@flouthoc Ah, interesting. I assume then that attempting to implement full docker CLI compatibility in Podman is difficult if the official CLI tool doesn't use public APIs for build secrets.

@flouthoc
Copy link
Collaborator

official CLI tool doesn't use public APIs for build secrets.

@jimeh Yeah I am not sure what should be done here but looks like this will be on hold till then.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@flouthoc
Copy link
Collaborator

official CLI tool doesn't use public APIs for build secrets.

@jimeh Yeah I am not sure what should be done here but looks like this will be on hold till then.

This is something which cannot be implemented till docker releases public API, closing this as WONTFIX but please feel free to continue discussion below and we can reopen this if in case docker creates public API for this.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 18, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. macos MacOS (OSX) related remote Problem is in podman-remote stale-issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jimeh @rhatdan @flouthoc