actions / runner-images

GitHub Actions runner images

Can't run gnome-keyring or setcap - no IPC_LOCK privilege?

elliot-nelson opened this issue · comments

Description

I'd like to run gnome-keyring in a CI workflow to unlock a keystore. In our past Azure DevOps and Jenkins workflows, we did this as follows:

sudo apt-get update
sudo apt-get install -y dbus dbus-x11 gnome-keyring
gnome-keyring-daemon --unlock
# => output: gnome-keyring-daemon: Operation not permitted

To fix this we tried running setcap:

setcap -r /usr/bin/gnome-keyring-daemon
# => unable to set CAP_SETFCAP effective capability: Operation not permitted

Doing some googling, it appears that the default runners may not have the IPC_LOCK permission -- I'm not sure if this is intentional or an oversight, but it seems to prevent using the keyring to interact with keystores and certificates.

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04
  • macOS 10.15
  • macOS 11
  • macOS 12
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

20221125.1

Is it regression?

not sure

Expected behavior

gnome-keyring-daemon works out of the box once installed -- or, barring that, setcap is permitted so that it can be made to run.

Actual behavior

Neither the keyring daemon nor setcap is permitted, effectively preventing the functionality.

Repro steps

Example job:

jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Prepare certificates
        run: |
          # Install dbus and gnome-keyring
          sudo apt-get update
          sudo apt-get install -y dbus dbus-x11 gnome-keyring

          # Allow keyring daemon to run in containers
          setcap -r /usr/bin/gnome-keyring-daemon

          # Start gnome keyring
          dbus-launch --sh-syntax >"$HOME/.dbus_settings"
          . "$HOME/.dbus_settings"
          echo CI_SESSION | gnome-keyring-daemon --unlock

          echo Success.
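The same procedure (install, deal with the file capability, start the daemon, unlock) as an added example that is not from the issue or from the runner-images project. Before touching anything it reads this shell's capability sets from /proc, so you can see whether CAP_IPC_LOCK is really absent from the bounding set, and it only removes the daemon's file capability in that case, under sudo, because setcap itself needs CAP_SETFCAP. The unlock password comes from an environment variable filled from a CI secret instead of a literal in the workflow, and the session bus is left alone. KEYRING_PASSWORD, the `start` argument and the function names are this example's own; it assumes a Linux runner with /proc mounted, libcap2-bin (getcap/setcap) installed and a user that can sudo without a password.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): prepare and unlock gnome-keyring in a
# Linux CI job, checking the capability situation before touching anything.
# Assumptions, none of which come from the original post: the unlock password
# is in KEYRING_PASSWORD (populated from a CI secret), the runner user has
# passwordless sudo, /proc is mounted, and getcap/setcap (libcap2-bin) exist.
set -u

CAP_IPC_LOCK=14   # bit numbers from capabilities(7)
CAP_SETFCAP=31

# cap_in_mask HEXMASK BIT: succeed if BIT is set in the 64-bit mask.
# HEXMASK is the raw CapEff:/CapBnd: value from /proc/<pid>/status (no 0x).
cap_in_mask() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# proc_cap_mask NAME: this shell's Cap<NAME> line (Eff, Prm, Inh, Bnd, Amb).
proc_cap_mask() {
  awk -v key="Cap$1:" '$1 == key { print $2 }' /proc/self/status
}

# missing_keyring_caps HEXMASK: list the two capabilities the issue hinges on
# that are absent from the mask. IPC_LOCK is what the daemon's file capability
# asks for; SETFCAP is what setcap itself needs.
missing_keyring_caps() {
  out=""
  cap_in_mask "$1" "$CAP_IPC_LOCK" || out="$out CAP_IPC_LOCK"
  cap_in_mask "$1" "$CAP_SETFCAP"  || out="$out CAP_SETFCAP"
  printf '%s\n' "${out# }"
}

# prepare_daemon [BIN]: on Debian/Ubuntu the daemon ships with cap_ipc_lock=ep
# as a file capability. execve() of a binary whose effective bit is set fails
# with EPERM when the kernel cannot grant all of its permitted capabilities,
# which is what a bounding set without CAP_IPC_LOCK produces. Dropping the file
# capability lets the daemon start (it then cannot mlock() its secret pages).
# setcap needs CAP_SETFCAP, so it runs under sudo rather than as the runner user.
prepare_daemon() {
  bin=${1:-/usr/bin/gnome-keyring-daemon}
  if getcap "$bin" 2>/dev/null | grep -q cap_ipc_lock &&
     ! cap_in_mask "$(proc_cap_mask Bnd)" "$CAP_IPC_LOCK"; then
    echo "CAP_IPC_LOCK not in bounding set; removing file capability from $bin"
    sudo setcap -r "$bin"
  fi
}

# start_keyring: unlock with a password taken from the environment, never a
# literal in the workflow file, import the variables the daemon prints, and
# confirm the control socket is there before anything relies on it. No
# dbus-launch: the runner already provides a session bus for the user.
start_keyring() {
  : "${KEYRING_PASSWORD:?populate from a CI secret}"
  eval "$(printf '%s\n' "$KEYRING_PASSWORD" |
          gnome-keyring-daemon --unlock --components=secrets)"
  export GNOME_KEYRING_CONTROL
  [ -S "${GNOME_KEYRING_CONTROL:-}/control" ]
}

main() {
  echo "Effective caps missing: $(missing_keyring_caps "$(proc_cap_mask Eff)")"
  echo "Bounding caps missing:  $(missing_keyring_caps "$(proc_cap_mask Bnd)")"
  prepare_daemon
  start_keyring && echo "keyring unlocked at $GNOME_KEYRING_CONTROL"
}

# Run the full procedure only when asked ("start"); the functions above can be
# sourced on their own for diagnosis.
if [ "${1:-}" = "start" ]; then
  main
fi
```

Run it as `bash ci-keyring.sh start` from a `run:` step after the apt-get lines, with `KEYRING_PASSWORD: ${{ secrets.KEYRING_PASSWORD }}` in the step's `env:`. The two diagnostic lines it prints first tell you whether the "Operation not permitted" really comes from a bounding set without IPC_LOCK, as the issue suspects, or from running setcap without the CAP_SETFCAP that sudo would supply.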

I am unable to reproduce the issue:

sudo apt-get install -y dbus dbus-x11 gnome-keyring
gnome-keyring-daemon --unlock

You probably should not modify dbus-launch or run it at all, as it is handled by the dbus user socket itself, which is run on the agent.

Feel free to reach us again if you have questions left!