Can't run gnome-keyring or setcap - no IPC_LOCK privilege?
elliot-nelson opened this issue
Description
I'd like to run gnome-keyring in a CI workflow to unlock a keystore. In our past Azure DevOps and Jenkins workflows, we did this as follows:
```shell
sudo apt-get update
sudo apt-get install -y dbus dbus-x11 gnome-keyring
gnome-keyring-daemon --unlock
# => output: gnome-keyring-daemon: Operation not permitted
```
To fix this we tried running setcap:
```shell
setcap -r /usr/bin/gnome-keyring-daemon
# => unable to set CAP_SETFCAP effective capability: Operation not permitted
```
Doing some googling, it appears that maybe the default runners don't have IPC_LOCK permission -- I'm not sure if this is intentional or an oversight, but it seems to prevent using keyring to interact with keystores and certificates.
Platforms affected
- Azure DevOps
- GitHub Actions - Standard Runners
- GitHub Actions - Larger Runners
Runner images affected
- Ubuntu 18.04
- Ubuntu 20.04
- Ubuntu 22.04
- macOS 10.15
- macOS 11
- macOS 12
- Windows Server 2019
- Windows Server 2022
Image version and build link
20221125.1
Is it regression?
not sure
Expected behavior
`gnome-keyring-daemon` works out of the box once installed -- or, barring that, `setcap` is allowed so that it can run.
Actual behavior
Neither the keyring daemon nor setcap is permitted, effectively preventing the functionality.
Repro steps
Example job:
```yaml
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Prepare certificates
        run: |
          # Install dbus and gnome-keyring
          sudo apt-get update
          sudo apt-get install -y dbus dbus-x11 gnome-keyring
          # Allow keyring daemon to run in containers
          setcap -r /usr/bin/gnome-keyring-daemon
          # Start gnome keyring
          dbus-launch --sh-syntax >"$HOME/.dbus_settings"
          . "$HOME/.dbus_settings"
          echo CI_SESSION | gnome-keyring-daemon --unlock
          echo Success.
```
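A diagnostic step that makes the capability problem visible before the job reaches `setcap` or `gnome-keyring-daemon`, added here as an example and not part of the original issue or of the runner images: it parses the `CapBnd` line of `/proc/self/status` for the two capabilities the workflow above depends on. The function names and the two sample status texts are constructed for this example.

```shell
#!/bin/sh
# Fail fast in a CI step when the capabilities that setcap(8) and
# gnome-keyring-daemon need are not even in the bounding set, so the job
# reports the real cause instead of a bare "Operation not permitted".
# Bit numbers follow linux/capability.h.
CAP_IPC_LOCK=14   # mlock(), used by gnome-keyring-daemon to pin secrets in RAM
CAP_SETFCAP=31    # needed by setcap(8) to write file capabilities

# Print the hex mask of one capability set (CapEff, CapBnd, ...) taken from
# /proc/<pid>/status-formatted text read on stdin.
cap_mask() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Return 0 if bit $2 is set in hex mask $1, 1 otherwise (or if the mask is empty).
mask_has_bit() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Read status text on stdin, print the missing capability names (space
# separated) and return 0 only when both are present. CapBnd is checked
# rather than CapEff: a non-root CI user has an empty effective set anyway,
# and sudo cannot hand back anything that was dropped from the bounding set.
missing_keyring_caps() {
    bnd=$(cap_mask CapBnd)
    missing=""
    mask_has_bit "$bnd" "$CAP_IPC_LOCK" || missing="$missing CAP_IPC_LOCK"
    mask_has_bit "$bnd" "$CAP_SETFCAP" || missing="$missing CAP_SETFCAP"
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample inputs (hypothetical, for the demo): an unrestricted root
# process, and a bounding set in which IPC_LOCK is absent but SETFCAP is present.
FULL_STATUS='CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'
RESTRICTED_STATUS='CapEff: 0000000000000000
CapBnd: 00000000a80425fb'

printf 'full set   -> missing: [%s]\n' "$(printf '%s\n' "$FULL_STATUS" | missing_keyring_caps)"
printf 'restricted -> missing: [%s]\n' "$(printf '%s\n' "$RESTRICTED_STATUS" | missing_keyring_caps)"

# On a real runner, inspect the current process tree before installing anything.
if [ -r /proc/self/status ]; then
    missing_keyring_caps < /proc/self/status || echo "setcap/gnome-keyring steps cannot get the caps listed above here"
fi
```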
Feel free to reach us again if you have questions left!