Open csschwe opened 1 year ago
A friendly reminder that this issue had no activity for 30 days.
@flouthoc PTAL
A friendly reminder that this issue had no activity for 30 days.
This issue also happens on Windows.
Using the containerfile from the comment above
FROM alpine:3.17
RUN --mount=type=secret,id=my_secret ls -l /run/secrets/my_secret
C:\Users\pigeon\Desktop>set MY_SECRET="hello"
C:\Users\pigeon\Desktop>podman build --no-cache --secret id=my_secret,env=MY_SECRET .
STEP 1/2: FROM alpine:3.17
STEP 2/2: RUN --mount=type=secret,id=my_secret ls -l /run/secrets/my_secret
-r-------- 1 root root 0 Apr 12 07:18 /run/secrets/my_secret
COMMIT
--> Pushing cache []:f93e27daaf6f6ca142d2f2d32c9741a4f0839e802999ad2d446f9243f9b371f4
--> b0a20fd4166
b0a20fd416680777d16aa1ba3ff4b07bf04c4b7a40d6352e91f9b5690e94ad67
$ podman info
host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-1.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: '
  cpuUtilization:
    idlePercent: 99.55
    systemPercent: 0.3
    userPercent: 0.14
  cpus: 24
  distribution:
    distribution: fedora
    variant: container
    version: "36"
  eventLogger: journald
  hostname: DESKTOP-FSV9JEV
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.15.90.1-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: journald
  memFree: 15860727808
  memTotal: 16602615808
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.1-1.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 4294967296
  swapTotal: 4294967296
  uptime: 0h 1m 46.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 13
    paused: 0
    running: 0
    stopped: 13
  graphDriverName: overlay
  graphRootAllocated: 1081101176832
  graphRootUsed: 14969270272
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 70
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1676629882
  BuiltTime: Fri Feb 17 11:31:22 2023
  GitCommit: ""
  GoVersion: go1.18.10
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.1
@flouthoc Reminder?
This one is tricky, I think env variables are passed on to the machine only during init.
I am not sure if it's possible to pass ENV variables again to the machine once it has already started.
Should we process the value on the client side? Basically change
--secret id=my_secret,env=MY_SECRET to --secret id=my_secret,env=MY_SECRET=$MY_SECRET before sending it across?
@ashley-cui @flouthoc Thoughts?
We could send os.environ across to the build side to be used by the processor? Does this work with Docker?
@rhatdan I like this idea, this can work: we can create a new hidden field to transfer the current ENV from client to server, and build can use this field for getting the ENV details and use them while populating the secret.
Any recommendations for a workaround? I am hitting this issue as well.
@flouthoc is not an active maintainer of podman anymore, so we are a little short staffed right now. Interested in working on a PR?
We could send os.environ across to the build side to be used by the processor? Does this work with Docker?
@rhatdan I like this idea, this can work: we can create a new hidden field to transfer the current ENV from client to server, and build can use this field for getting the ENV details and use them while populating the secret.
I think this can still be done, is someone interested in taking this issue ? If not I'd like to take a stab at it in some time. Thanks.
@aaronmcohen I can implement this in a few weeks as per my availability, but if you want I can help you implement it as well.
Any updates on this issue, or pointers to where in the podman source code would be a good place to start looking to make changes to support this?
@nightlark interested in working on it?
Sure, if I can figure out where in podman (and buildah?) changes need to be made.
Any progress on the issue? I've tried exporting the variable both locally (on mac) and in the podman VM (in both .bashrc and .bash_profile files).
I am not sure if this is the same issue, but if someone wants workaround, you can check this: https://github.com/containers/podman/issues/23815#issuecomment-2343865319
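As an added example (not from this thread or the podman project): a POSIX sh wrapper that sidesteps the problem discussed above by staging the environment variable in a mode 0600 temporary file and passing it to podman build with `src=` instead of `env=`, since a podman machine build runs on the remote service side where the client's environment is not available. The function names and the `MY_SECRET` sample value are assumptions for the example.

```shell
#!/bin/sh
# Added example, not podman project code. Stage an env var as a file-backed
# build secret so it works when the build service is remote (podman machine).

stage_secret_file() {
    # $1 = name of the environment variable holding the secret value.
    var_name="$1"
    # Only accept a valid shell identifier before using eval on it.
    case "$var_name" in
        ""|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name: $var_name" >&2; return 1 ;;
    esac
    eval "value=\${$var_name}"
    if [ -z "$value" ]; then
        echo "environment variable $var_name is empty or unset" >&2
        return 1
    fi
    # Create the file with 0600 permissions before the secret is written to it.
    old_umask=$(umask)
    umask 077
    secret_file=$(mktemp "${TMPDIR:-/tmp}/secret.XXXXXX") || return 1
    umask "$old_umask"
    # printf '%s' avoids a trailing newline that would otherwise land in the secret.
    printf '%s' "$value" > "$secret_file"
    echo "$secret_file"
}

build_with_secret() {
    # $1 = secret id, $2 = env var name, remaining args go to podman build.
    secret_id="$1"; var_name="$2"; shift 2
    secret_file=$(stage_secret_file "$var_name") || return 1
    # src= is read by the client and shipped to the build, unlike env=.
    podman build --secret "id=$secret_id,src=$secret_file" "$@"
    rc=$?
    # Remove the staged secret whatever podman returned.
    rm -f "$secret_file"
    return $rc
}

# Example usage (MY_SECRET is a constructed sample value):
#   MY_SECRET=hello build_with_secret my_secret MY_SECRET --no-cache .
```

The Containerfile side stays as in the thread (`RUN --mount=type=secret,id=my_secret ...`); only the way the secret reaches podman changes.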
Issue Description
Trying to pass secrets into podman build on MacOS does not function as expected
Steps to reproduce the issue
Describe the results you received
The secret file during the podman build is empty
Describe the results you expected
The secret file should contain the word hello
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
MacOS
Additional information