podman: secret is not mounted during build (macos)

Description

A secret mounted during build is not available

Steps to reproduce the issue:

> podman machine init
Downloading VM image: fedora-coreos-35.20211029.2.0-qemu.x86_64.qcow2.xz: done  
Extracting compressed file
> podman machine start
INFO[0000] waiting for clients...                       
INFO[0000] listening tcp://0.0.0.0:7777                 
INFO[0000] new connection from  to /var/folders/yj/8b_76b75703dp2sz0rvc22qc0000gp/T/podman/qemu_podman-machine-default.sock 
Waiting for VM ...
Machine "podman-machine-default" started successfully
> ./test.sh
+ SECRET=a_secret.txt
+ echo 'Hallo Welt'
+ ls -l a_secret.txt
-rw-r--r--  1 js  staff  11 Nov 16 16:24 a_secret.txt
+ podman build --no-cache -t podmantest:dev --secret id=mysecret,src=a_secret.txt .
STEP 1/2: FROM alpine
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:97518928ae5f3d52d4164b314a7e73654eb686ecd8aafa0b79acd980773a740d
Copying blob sha256:97518928ae5f3d52d4164b314a7e73654eb686ecd8aafa0b79acd980773a740d
Copying config sha256:0a97eee8041e2b6c0e65abb2700b0705d0da5525ca69060b9e0bde8a3d17afdb
Writing manifest to image destination
Storing signatures
STEP 2/2: RUN --mount=type=secret,id=mysecret ls -la /run/secrets
total 0
drwxr-xr-x    2 root     root             6 Nov 16 15:24 .
drwxr-xr-x    1 root     root            42 Nov 16 15:24 ..
COMMIT podmantest:dev
--> 07ab1104336
Successfully tagged localhost/podmantest:dev
07ab11043366bf924b9ddb0c1817ac7a4900d0633eaa1f4754b0ac29211994dc
+ rm a_secret.txt
> cat Dockerfile
FROM alpine
RUN --mount=type=secret,id=mysecret ls -la /run/secrets
> cat test.sh
#!/bin/sh
set -x
SECRET="a_secret.txt"
# write a throwaway secret file, build with it mounted, then remove it again
echo "Hallo Welt" > "${SECRET}"
ls -l "${SECRET}"
podman build --no-cache -t podmantest:dev --secret "id=mysecret,src=${SECRET}" .
rm "${SECRET}"

Describe the results you received:

/run/secrets/ folder is empty

Describe the results you expected:

a /run/secrets/mysecret file.

Output of rpm -q buildah or apt list buildah:

n/a because of mac.

Output of buildah version:

n/a because of mac.

Output of podman version if reporting a podman build issue:

> podman version
Client:
Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.17.2
Built:        Fri Nov 12 17:08:25 2021
OS/Arch:      darwin/amd64

Server:
Version:      3.4.1
API Version:  3.4.1
Go Version:   go1.16.8
Built:        Wed Oct 20 16:31:56 2021
OS/Arch:      linux/amd64

Output of cat /etc/*release:

n/a, runs inside podman machine; see the log above for the image used.

Output of uname -a:

> uname -a
Darwin con-135.local 21.1.0 Darwin Kernel Version 21.1.0: Wed Oct 13 17:33:23 PDT 2021; root:xnu-8019.41.5~1/RELEASE_X86_64 x86_64

Output of cat /etc/containers/storage.conf:

n/a
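The script below is an added example, not part of this issue and not podman's own code. It turns the reproduction above into a repeatable check: it writes a Containerfile like the one above into a scratch context, builds it with `--secret`, parses the build log to confirm that the `RUN --mount=type=secret` step actually saw `/run/secrets/<id>`, and then verifies that the committed image does not carry the secret (a build-time secret that survives the commit would be the real security problem). The image tag `localhost/podmantest:secretcheck`, the `run` argument and the helper names `secret_listed`, `mount_step_present` and `run_check` are assumptions. The two log parsers also work offline against a saved build log, which is how the sample listings from this issue were checked.

```shell
#!/bin/sh
# Added example, not from the issue or from podman: build with --secret and
# check (1) the secret was visible in the RUN step and (2) it is not baked
# into the resulting image. Tag, secret id and helper names are assumptions.
set -eu

IMAGE="localhost/podmantest:secretcheck"   # assumed tag
SECRET_ID="mysecret"                        # same id as the issue's Containerfile
MARKER="Hallo Welt"                         # same content as the issue's test.sh

# secret_listed ID: succeeds if a build log or "ls -la /run/secrets" listing on
# stdin contains a regular-file entry named ID, e.g.
#   -r--r--r--. 1 root root 10 Nov 18 21:43 mysecret
# An empty /run/secrets, as reported in this issue, produces no such line.
secret_listed() {
    grep -Eq "^-[-r][-w][-x].*[[:space:]]$1\$"
}

# mount_step_present ID: succeeds if the build log on stdin contains the
# "STEP n/m: RUN --mount=type=secret,id=ID" line, i.e. the mount was requested.
mount_step_present() {
    grep -Eq "^STEP [0-9]+/[0-9]+: RUN --mount=type=secret,id=$1([ ,]|\$)"
}

# run_check: build in a scratch context and evaluate the log. Exit codes:
# 2 build failed, 3 secret not mounted (this issue), 4 secret persisted in image.
run_check() {
    ctx=$(mktemp -d)
    trap 'rm -rf "$ctx"' EXIT
    printf '%s\n' "$MARKER" > "$ctx/secret.txt"
    cat > "$ctx/Containerfile" <<EOF
FROM docker.io/library/alpine
RUN --mount=type=secret,id=$SECRET_ID ls -la /run/secrets
EOF

    if ! log=$(podman build --no-cache -t "$IMAGE" \
                --secret "id=$SECRET_ID,src=$ctx/secret.txt" "$ctx" 2>&1); then
        printf '%s\n' "$log"; echo "build failed"; exit 2
    fi
    printf '%s\n' "$log"

    printf '%s\n' "$log" | mount_step_present "$SECRET_ID" \
        || { echo "FAIL: no secret mount step in the log"; exit 2; }
    printf '%s\n' "$log" | secret_listed "$SECRET_ID" \
        || { echo "FAIL: /run/secrets/$SECRET_ID absent during RUN (this issue)"; exit 3; }
    echo "OK: /run/secrets/$SECRET_ID was visible to the RUN step"

    # The mount must not survive the commit: neither the file nor its contents
    # may be present in the image's root filesystem.
    if podman run --rm "$IMAGE" sh -c \
        "test -e /run/secrets/$SECRET_ID || grep -qs '$MARKER' /run/secrets/* 2>/dev/null"; then
        echo "FAIL: secret persisted in $IMAGE"; exit 4
    fi
    echo "OK: secret not present in $IMAGE"
}

# Usage: ./secretcheck.sh run
# The helpers can also be sourced and run against a saved log:
#   secret_listed mysecret < build.log
case "${1:-}" in
    run) run_check ;;
esac
```

On a macOS client the build runs inside the `podman machine` VM, so `src=` names a file on the host that the server-side build cannot see; the script reports that as exit code 3, which is exactly the empty `/run/secrets` listing in the log above. The `podman run` step afterwards is the check worth keeping even once the mount works, because a secret that is copied into the context and then lands in a layer is worse than one that is missing.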

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 16 (6 by maintainers)

Most upvoted comments

The above issue will be closed by the stated PR. We are going with copying secrets into the tar, as it will solve the use case for both the remote and mac setups.

I revisited this.

@StephenWithPH it should work for secret files on remote after this https://github.com/containers/podman/pull/12414

Yes, I think the secret file needs to be added to the context directory that gets copied to the remote end. The way podman --remote build works is that it tars up the contents of the context directory, along with any Containerfile or Dockerfile specified with the -f option. We need to handle the secrets file in the same way.

@rhatdan for the second one I am still a bit skeptical about copying the secret over to the contextdir, since the argument accepts an absolute path on the host, and since it is a secret file I think we are better off binding the file directly from host -> remote, as I am still unsure whether Docker is copying it instead of doing a bind mount to the VM.

I think copying the secret has a few cons. One of them, which I can think of now: even if the host wants to forcefully remove the secret from the host, a copy of the token would still persist in the VM, which sounds quite unsafe for a secret operation.

I’m experiencing the same behavior: podman build doesn’t appear to mount the secret as expected per the docs.

However, podman run does work as expected.

This gives me hope that this is a small problem rather than a grand one!

system info

$ podman version

Client:
Version:      3.4.0
API Version:  3.4.0
Go Version:   go1.16.8
Built:        Mon Dec 31 16:00:00 1979
OS/Arch:      darwin/amd64

Server:
Version:      3.4.1
API Version:  3.4.1
Go Version:   go1.16.8
Built:        Wed Oct 20 07:31:56 2021
OS/Arch:      linux/amd64

podman run

$ podman secret ls

ID                         NAME        DRIVER      CREATED      UPDATED
66207748524df0659abc9fa5f  mysecret    file        3 hours ago  3 hours ago
$ podman run --secret mysecret --rm -it docker.io/library/debian:bullseye-20211115 ls -l /run/secrets/ 

total 4
-r--r--r--. 1 root root 10 Nov 18 21:43 mysecret