(I have this mostly working with one small problem)
I am using Docker to set up a work environment that still has access to some parts of my host system. I use `pass` (which uses GPG) to store various tokens, passwords, etc. I am trying to gain access to my host's password store inside the Docker container.
My `docker run` command looks like the following:

```sh
docker run -it --rm \
  -v "${HOME}/.gnupg/pubring.kbx:/home/me/.gnupg/pubring.kbx:ro" \
  -v "${HOME}/.gnupg/S.gpg-agent:/home/me/.gnupg/S.gpg-agent:ro" \
  -v "${HOME}/.password-store:/home/me/.password-store:ro" \
  -v "${HOME}/work:/home/me/work" \
  work_container:latest
# The gpg socket being read-only or not seems to not make a difference
# (a read-only bind mount only blocks writes to files and directories;
# connecting to a Unix socket is still allowed, so the agent stays reachable)
```
With this setup, I can use `pass` from inside the Docker container as if I were running `pass` on the host. Just one problem: my GPG private key has a password on it. For everything to work, I have to enter the password on my host (by running `pass show token`, for example) to put GPG on the passphrase timeout. Only then can I use `pass` within the container freely.
Ideally, I want GPG to prompt me for my private key's password from inside the container whenever it needs to, as it would normally. So,

from: run `pass` in container → fail → run `pass` on host to trigger prompt → password prompt → run `pass` in container → success

to: run `pass` in container → password prompt → success
If I haven't put GPG on passphrase timeout, it reports back the following error:

```text
$ pass show token # in container
gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: decryption failed: No secret key
```
For reference, the Dockerfile I'm building looks essentially like the following:

```dockerfile
FROM alpine:latest
ARG USERNAME=me
WORKDIR "/home/${USERNAME}"
COPY dotfiles "/home/${USERNAME}/dotfiles"
RUN apk update \
    && apk add git tmux bash fzf exa \
        openssh curl sudo pass \
        neovim go perl \
        terraform ansible \
    ;
# Add user with no password and sudo-no-password permissions on all commands
# `adduser -s /bin/bash` seems to do nothing
RUN adduser -D -s /bin/bash "${USERNAME}" \
    && addgroup "${USERNAME}" wheel \
    && printf %s\\n "%wheel ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers \
    && passwd -d "${USERNAME}"
# Not sure this line does anything meaningful
USER ${USERNAME}
# Set permissions so GPG doesn't complain
RUN mkdir -p .gnupg \
    && chown -R ${USERNAME} .gnupg \
    && chmod 700 .gnupg
# go version must >= 1.17, otherwise `lf` install is different
RUN . .profile; \
    env CGO_ENABLED=0 go install -ldflags="-s -w" github.com/gokcehan/lf@latest
CMD ["/bin/bash"]
```
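As an added example (not part of the original question), here is the same set of mounts assembled by a small POSIX shell script that asks `gpgconf` where the host agent socket actually is instead of hard-coding `~/.gnupg/S.gpg-agent`, prefers the agent's restricted "extra" socket (the one GnuPG intends for forwarding into less-trusted environments), and refuses to start the container when the path is not a live socket. The container user `me`, the host paths and the image name come from the question; `gpgconf --list-dirs agent-socket`, `gpgconf --list-dirs agent-extra-socket` and `gpgconf --launch gpg-agent` are standard GnuPG 2.1+ commands, and the `GPG_FORWARD_RUN` guard variable is an assumption of this script.

```sh
#!/bin/sh
# Added example (not from the original question): start the work container
# with the host's gpg-agent socket forwarded, resolving paths instead of
# hard-coding ~/.gnupg/S.gpg-agent. Assumed: container user "me", image
# "work_container:latest", GnuPG >= 2.1 with gpgconf on the host.
set -eu

# Path of the host socket to forward. The restricted "extra" socket is what
# GnuPG provides for forwarding to less-trusted environments (the agent
# refuses administrative commands on it); the main socket is the fallback.
# Both usually live under /run/user/<uid>/gnupg rather than ~/.gnupg, which
# is why the path is asked of gpgconf rather than assumed.
host_agent_socket() {
    sock=$(gpgconf --list-dirs agent-extra-socket 2>/dev/null || true)
    [ -n "$sock" ] || sock=$(gpgconf --list-dirs agent-socket)
    printf '%s\n' "$sock"
}

# Bind-mounting a path that is not a listening socket produces exactly the
# "can't connect to the agent" failure: either the agent is not running yet,
# or the path is GnuPG's plain-file redirect stub (first line "%Assuan%")
# that only points at the real socket elsewhere on the host.
check_agent_socket() {
    sock=$1
    if [ -S "$sock" ]; then
        return 0
    elif [ -f "$sock" ]; then
        echo "$sock is a regular file (redirect stub), not a live socket" >&2
    else
        echo "$sock does not exist; is gpg-agent running?" >&2
    fi
    return 1
}

# Mount arguments, one per line, so a caller can hand them to docker as-is.
# Inside the container there is no /run/user/<uid>/gnupg, so gpg looks for
# the agent at ~/.gnupg/S.gpg-agent; the host socket is mounted there
# regardless of where it lives on the host. No :ro on the socket mount:
# it would not block connect() on a socket anyway.
mount_args() {
    sock=$1 home=$2 user=$3
    printf '%s\n' \
        -v "$sock:/home/$user/.gnupg/S.gpg-agent" \
        -v "$home/.gnupg/pubring.kbx:/home/$user/.gnupg/pubring.kbx:ro" \
        -v "$home/.password-store:/home/$user/.password-store:ro" \
        -v "$home/work:/home/$user/work"
}

main() {
    gpgconf --launch gpg-agent          # make sure something is listening first
    sock=$(host_agent_socket)
    check_agent_socket "$sock"
    # shellcheck disable=SC2046 -- paths containing spaces are not handled here
    docker run -it --rm $(mount_args "$sock" "$HOME" me) work_container:latest
}

# Guarded so the functions can be sourced (or tested) without starting a container.
if [ "${GPG_FORWARD_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it with `GPG_FORWARD_RUN=1 sh forward-agent.sh`. The passphrase prompt is drawn by whichever pinentry the agent process spawns, and with this layout the agent is the host's, so the check above only guarantees that the container reaches a live agent; it does not move the prompt into the container's terminal.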