containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Environment variables from secrets add an extra CR (\n) to the value #21257

Closed Danielside closed 10 months ago

Danielside commented 10 months ago

### Issue Description

My goal is to deploy a laravel application in a ubuntu 22.04 server using Quadlet and images from my own registry, so I'd need a way to pass sensitive information to the containers without storing it in the images. One would expect that podman secrets would be the sensible choice.

My problem is that, either with systemd/quadlet units or with a simple podman run, the environment variable within the container appears with an extra carriage return, rendering them unusable.

### Steps to reproduce the issue

  1. I have a redis image (built from debian 12) downloaded from my registry: git.cnmc.es:5050/liquid/liquid/nginx-liquid:20240109. I start a session with the user for the rootless containers using `machinectl shell liquid@`
  2. Let's create a unit file to run this container, stored in ~/.config/containers/systemd/test.container

     ```ini
     [Unit]
     Description=test container
     After=local-fs.target
     [Container]
     Image=git.cnmc.es:5050/liquid/liquid/redis-liquid:20240109
     ContainerName=test
     Secret=test-secret,type=env,target=TEST_SECRET
     [Install]
     WantedBy=multi-user.target default.target
     ```

  3. `echo "SECRET_VAL" | podman secret create test-secret -`
  4. `systemctl --user daemon-reload`
  5. `systemctl --user start test` (no errors, container running, redis logs are correct)
  6.
     ```
     liquid@madliquiddesapod:~$ systemctl --user start test
     liquid@madliquiddesapod:~$ podman ps
     CONTAINER ID  IMAGE                                                 COMMAND     CREATED        STATUS        PORTS       NAMES
     9d1ff861e198  git.cnmc.es:5050/liquid/liquid/redis-liquid:20240109  bash        2 seconds ago  Up 3 seconds              test
     liquid@madliquiddesapod:~$ podman exec test printenv
     container=podman
     DEBIAN_FRONTEND=noninteractive
     LC_ALL=es_ES.UTF-8
     PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     TEST_SECRET=SECRET_VAL

     HOME=/root
     ```

Here you can see the extra CR after the value SECRET_VAL

The result is exactly the same if I run a new container based off the same image but with podman run (without using systemd/Quadlet):

```
liquid@madliquiddesapod:~$ podman run -d --secret="test-secret,type=env,target=TEST_SECRET" git.cnmc.es:5050/liquid/liquid/redis-liquid:20240109
a6aa90b56587cb7884ee9963770ba794e23abb65cf2c25c6c5c5ed05bc80aed5
liquid@madliquiddesapod:~$ podman ps
CONTAINER ID  IMAGE                                                 COMMAND     CREATED        STATUS        PORTS       NAMES
9d1ff861e198  git.cnmc.es:5050/liquid/liquid/redis-liquid:20240109  bash        2 minutes ago  Up 2 minutes              test
a6aa90b56587  git.cnmc.es:5050/liquid/liquid/redis-liquid:20240109  bash        2 seconds ago  Up 2 seconds              funny_lichterman
liquid@madliquiddesapod:~$ podman exec funny_lichterman printenv
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
container=podman
DEBIAN_FRONTEND=noninteractive
LC_ALL=es_ES.UTF-8
TEST_SECRET=SECRET_VAL

HOME=/root
```


### Describe the results you received

Incorrect environment values in the container with an extra CR character

### Describe the results you expected

To obtain exactly the same value that I passed during secret creation, without trailing characters.

### podman info output

```yaml
host:
  arch: amd64
  buildahVersion: 1.33.2-dev
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/libexec/podman/conmon
    version: 'conmon version 2.1.10, commit: 2dcd736e46ded79a53339462bc251694b150f870'
  cpuUtilization:
    idlePercent: 99.95
    systemPercent: 0.02
    userPercent: 0.03
  cpus: 8
  databaseBackend: sqlite
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  freeLocks: 2045
  hostname: madliquiddesapod
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1004
      size: 1
    - container_id: 1
      host_id: 1345184
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1019
      size: 1
    - container_id: 1
      host_id: 1345184
      size: 65536
  kernel: 5.15.0-91-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 3017334784
  memTotal: 8286326784
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: Unknown
    path: /usr/local/lib/podman/netavark
    version: netavark 1.10.0-dev
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/local/bin/crun
    version: |-
      crun version 1.12.0.0.0.36-1ac6
      commit: 1ac62c7a97be42a7c6e2aff9ce0f5402af422cf2
      rundir: /run/user/1019/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: false
    path: /run/user/1019/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/local/lib/podman/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 4065325056
  swapTotal: 4065325056
  uptime: 97h 6m 30.00s (Approximately 4.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/liquid/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 2
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/liquid/.local/share/containers/storage
  graphRootAllocated: 61102800896
  graphRootUsed: 21284474880
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/user/1019/containers
  transientStore: false
  volumePath: /home/liquid/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.0-dev
  Built: 1703593999
  BuiltTime: Tue Dec 26 13:33:19 2023
  GitCommit: 7dc7cbfd9b0440ddc86e210a2272fdaccd6376bb
  GoVersion: go1.21.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.0-dev
```

### Podman in a container

No

### Privileged Or Rootless

Rootless

### Upstream Latest Release

Yes

### Additional environment details

This is a VMware virtual machine provided by my company. The base OS is Ubuntu 22.04, which has a very old version of podman, so this installation is entirely from source. Except for catatonit, no podman component comes from the repos; everything is built from source or installed: go, netavark, slirp4netns, conmon, crun.

### Additional information

This happens every time. And I can even reproduce it in Debian 12/VirtualBox, with podman installed from the repos, using the same redis image. Podman in Debian 12 is 4.3.1.

ygalblum commented 10 months ago

The issue is with the way you created the secret:

```shell
echo "SECRET_VAL" | podman secret create test-secret -
```

By default, echo adds a trailing newline. To avoid it you need to add -n:

```shell
echo -n "SECRET_VAL" | podman secret create test-secret -
```
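An added example, not from the issue or the podman project, of the pitfall ygalblum describes: `podman secret create` stores the bytes it is given verbatim, so the newline that `echo` appends becomes part of the environment variable. The helper names are assumptions; `safe_secret_create` assumes podman is on PATH, the rest runs without it and uses `printf '%s'`, which is portable where `echo -n` is not.

```shell
# Added example: inspect a secret file for a stray trailing newline before
# it reaches "podman secret create" (helper names are assumptions).

# Hex dump of the whole file so a trailing 0a (LF) or 0d (CR) is visible.
secret_hexdump() {
    od -An -tx1 -v "$1" | tr -d ' \n'
}

# Byte length of the file; "SECRET_VAL" should be 10 bytes, not 11.
byte_len() {
    wc -c < "$1" | tr -d ' '
}

# Succeed (0) when the last byte of the file is a newline, fail (1) otherwise.
ends_with_newline() {
    [ -s "$1" ] || return 1
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Refuse to create the secret if the file carries a trailing newline;
# otherwise hand the bytes to podman unchanged. Assumes podman is on PATH.
safe_secret_create() {
    name=$1; file=$2
    if ends_with_newline "$file"; then
        echo "refusing: $file ends with a newline ($(secret_hexdump "$file"))" >&2
        return 1
    fi
    podman secret create "$name" - < "$file"
}

# Constructed demo: the same value written with echo and with printf '%s'.
demo() {
    dir=$(mktemp -d)
    echo "SECRET_VAL" > "$dir/echo.txt"            # appends \n: 11 bytes
    printf '%s' "SECRET_VAL" > "$dir/printf.txt"   # exact bytes: 10 bytes
    for f in echo printf; do
        if ends_with_newline "$dir/$f.txt"; then
            echo "$f: $(byte_len "$dir/$f.txt") bytes, trailing newline"
        else
            echo "$f: $(byte_len "$dir/$f.txt") bytes, clean"
        fi
    done
    rm -rf "$dir"
}
```

Running `demo` reports 11 bytes with a trailing newline for the echo variant and 10 clean bytes for the printf variant; the same check applies to a secret loaded from a file that an editor saved with a final newline.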