Open thaJeztah opened 2 years ago
#37 57.52 vendor/github.com/jsipprell/keyctl/sys_linux.go:97:35: undefined: syscall_keyctl
Might need to install dev keyctl cross pkg with xx
Ah, yes; let me have a look later. Thought I'd give this one a quick go to see if it all worked, but definitely need to have a better look 😅
Patch coverage has no change and project coverage change: +3.89 :tada:
Comparison is base (9ff5b61) 55.55% compared to head (5071773) 59.45%.
Unrelated:
Some warnings we can probably fix:
#0 0.099 gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
#19 0.101 gpg-connect-agent: waiting for the agent to come up ... (5s)
#19 0.103 gpg-connect-agent: connection to agent established
#19 0.104 OK
#19 0.106 gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
#19 0.107 gpg: keybox '/root/.gnupg/pubring.kbx' created
#19 0.109 gpg: /root/.gnupg/trustdb.gpg: trustdb created
#19 0.110 gpg: key 0x7D851EB72D73BDA0: public key "Joe Tester <joe@foo.bar>" imported
#19 0.113 gpg: key 0x7D851EB72D73BDA0: secret key imported
#19 0.113 gpg: Total number processed: 1
#19 0.114 gpg: imported: 1
#19 0.114 gpg: secret keys read: 1
#19 0.114 gpg: secret keys imported: 1
#19 0.116 gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
#19 0.121 OK
#19 0.122 S KEYINFO 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627 D - - 1 P - - -
#19 0.122 OK
#19 0.124 OK
#19 0.125 S KEYINFO BA83FC8947213477F28ADC019F6564A956456163 D - - 1 P - - -
#19 0.125 OK
#19 0.135 created directory: '/root/.password-store/'
#19 0.136 Password store initialized for 7D851EB72D73BDA0
#19 0.139 gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
Some tests that are skipped that still mention travis CI (~not sure we'll be able to run those tests, as it requires a Gnome session IIRC~) edit: never mind; this is the sandboxed tests, so expected.
#19 6.949 === RUN TestSecretServiceHelper
#19 6.949 secretservice_linux_test.go:11: test requires gnome-keyring but travis CI doesn't have it
#19 6.949 --- SKIP: TestSecretServiceHelper (0.00s)
#19 6.949 === RUN TestMissingCredentials
#19 6.949 secretservice_linux_test.go:83: test requires gnome-keyring but travis CI doesn't have it
#19 6.949 --- SKIP: TestMissingCredentials (0.00s)
This one is failing both sandboxed, and non-sandboxed; slightly different error though;
Non-sandboxed (ubuntu 20.04);
=== RUN TestKeyctlHelper
keyctl_linux_test.go:17: failed to list credentials: cannot read default credStore: cannot run keyctl command to created credstore keyring (/usr/bin/keyctl newring keyctlCredsStore 963514388): add_key: Permission denied
: exit status 1
--- FAIL: TestKeyctlHelper (0.04s)
Sandboxed: perhaps capabilities or seccomp?
#19 2.088 === RUN TestKeyctlHelper
#19 2.088 keyctl_linux_test.go:17: failed to list credentials: cannot read default credStore: default persistent keyring cannot be created: cannot run keyctl command to create persistent keyring: keyctl_get_persistent: Operation not permitted
#19 2.088 : exit status 1
#19 2.088 --- FAIL: TestKeyctlHelper (0.00s)
https://man7.org/linux/man-pages/man3/keyctl_get_persistent.3.html
DESCRIPTION
keyctl_get_persistent() gets the persistent keyring for the
specified user ID. Unlike the session and user keyrings, this
keyring will persist once all login sessions have been deleted
and can thus be used to carry authentication tokens for processes
that run without user interaction, such as programs started by
cron.
The persistent keyring will be created by the kernel if it does
not yet exist. Each time this function is called, the persistent
keyring will have its expiration timeout reset to the value in:
/proc/sys/kernel/keys/persistent_keyring_expiry
(by default three days). Should the timeout be reached, the
persistent keyring will be removed and everything it pins can
then be garbage collected.
If uid is -1 then the calling process's real user ID will be
used. If uid is not -1 then error EPERM will be given if the
user ID requested does not match either the caller's real or
effective user IDs or if the calling process does not have SetUid
capability.
If successful, a link to the persistent keyring will be added
into keyring.
Slightly improved the errors to provide more details;
Non-sandboxed (ubuntu 20.04);
=== RUN TestKeyctlHelper
keyctl_linux_test.go:17: failed to list credentials: cannot read default credStore: cannot run keyctl command to create credstore keyring (/usr/bin/keyctl newring keyctlCredsStore 263788617): add_key: Permission denied
: exit status 1
--- FAIL: TestKeyctlHelper (0.03s)
Sandboxed:
#19 1.934 === RUN TestKeyctlHelper
#19 1.934 keyctl_linux_test.go:17: failed to list credentials: cannot read default credStore: default persistent keyring cannot be created: cannot run keyctl command (/bin/keyctl get_persistent @u 0) to create persistent keyring: keyctl_get_persistent: Operation not permitted
#19 1.934 : exit status 1
#19 1.934 --- FAIL: TestKeyctlHelper (0.00s)
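Added example, not part of the PR or of any comment in this thread: a small Go triage helper for the two `TestKeyctlHelper` failures quoted above. It names the failing call and its errno, and uses the `Seccomp:` field of `/proc/<pid>/status` to pick the next thing to check. `Diagnosis`, `Diagnose` and `SeccompMode` are hypothetical names, and the `/proc` status text is a constructed sample.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Diagnosis is a hypothetical type for this example, not part of the PR.
type Diagnosis struct{ Call, Errno, Hint string }

// The logs above show keyctl(1) failures as "<call>: <strerror text>".
var failRe = regexp.MustCompile(`(add_key|keyctl_\w+): (Permission denied|Operation not permitted)`)

// SeccompMode reads "Seccomp:" (0 off, 1 strict, 2 filter) from /proc/<pid>/status text; -1 if absent.
func SeccompMode(status string) int {
	for _, l := range strings.Split(status, "\n") {
		if strings.HasPrefix(l, "Seccomp:") {
			if n, err := strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(l, "Seccomp:"))); err == nil {
				return n
			}
		}
	}
	return -1
}

// Diagnose maps one test-log line to the failing call, its errno and a next check.
func Diagnose(line string, seccomp int) (Diagnosis, bool) {
	m := failRe.FindStringSubmatch(line)
	if m == nil {
		return Diagnosis{}, false
	}
	d := Diagnosis{Call: m[1], Errno: "EACCES",
		Hint: "caller lacks permission on the target keyring (for add_key: write access)"}
	if m[2] == "Operation not permitted" {
		d.Errno = "EPERM"
		d.Hint = "for keyctl_get_persistent: uid mismatch or missing CAP_SETUID"
		if seccomp == 2 { // a filter is installed, so rule it out first
			d.Hint = "seccomp filter active: check that the profile allows the keyctl syscall"
		}
	}
	return d, true
}

func main() {
	line := "cannot run keyctl command (/bin/keyctl get_persistent @u 0) to create persistent keyring: keyctl_get_persistent: Operation not permitted"
	// Constructed /proc/self/status sample with a seccomp filter installed.
	fmt.Println(Diagnose(line, SeccompMode("Name:\tgo\nSeccomp:\t2\n")))
}
```

In a real run, pass the contents of `/proc/self/status` read inside the same sandbox as the failing test, since the seccomp mode differs between the host and the build container.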
Hello, @thaJeztah. I am intrigued by this PR. But I have a question. Can we retrieve the credential if the machine reboots?
quick rebase of https://github.com/docker/docker-credential-helpers/pull/214, and initial work on addressing some issues