Secret src not working if env variable matches id

Open KenMacD opened this issue 1 year ago • 3 comments

Description

When building with a secret, that secret is empty if an environment variable exists with a name matching the id of the secret.

Steps to reproduce the issue:

  1. Create a simple Dockerfile using a secret
FROM busybox

RUN --mount=type=secret,id=FOO \
    echo $FOO && \
    ls -al /run/secrets && \
    echo -n "/run/secrets/FOO is: " && \
    cat /run/secrets/FOO && \
    echo ""
  2. Create a file to store the secret:
echo -n "SECRET" >bar
  3. Build works correctly without environment variable:
$ env -u FOO buildah build --secret "id=FOO,src=bar" .
STEP 1/2: FROM busybox
STEP 2/2: RUN --mount=type=secret,id=FOO     echo $FOO &&     ls -al /run/secrets &&     echo -n"/run/secrets/FOO is: " &&     cat /run/secrets/FOO &&     echo ""

total 4
drwxr-xr-x    1 root     root             6 Jan 18 20:11 .
drwxr-xr-x    1 root     root            40 Jan 18 20:11 ..
-r--------    1 root     root             7 Jan 18 20:11 FOO
/run/secrets/FOO is: SECRET
COMMIT
  4. Run with an environment variable set, and secret fails:
FOO=ABCD buildah build --secret "id=FOO,src=bar" .
STEP 1/2: FROM busybox
STEP 2/2: RUN --mount=type=secret,id=FOO     echo $FOO &&     ls -al /run/secrets &&     echo -n "/run/secrets/FOO is: " &&     cat /run/secrets/FOO &&     echo ""

total 0
drwxr-xr-x    1 root     root             6 Jan 18 20:13 .
drwxr-xr-x    1 root     root            40 Jan 18 20:13 ..
-r--------    1 root     root             0 Jan 18 20:13 FOO
/run/secrets/FOO is:
COMMIT

Output of rpm -q buildah or apt list buildah:

$ readlink (which buildah)
/nix/store/b9x0ibs6p4ylqkng007z0wv36b7vd24s-buildah-wrapper-1.33.2/bin/buildah

Output of buildah version:

buildah version
Version:         1.33.2
Go Version:      go1.21.5
Image Spec:      1.1.0-rc.5
Runtime Spec:    1.1.0
CNI Spec:        1.0.0
libcni Version:  v1.1.2
image Version:   5.29.0
Git Commit:
Built:           Mon Dec 31 20:00:00 1979
OS/Arch:         linux/amd64
BuildPlatform:   linux/amd64

Output of podman version if reporting a podman build issue:

Client:       Podman Engine
Version:      4.8.3
API Version:  4.8.3
Go Version:   go1.21.5
Built:        Mon Dec 31 20:00:00 1979
OS/Arch:      linux/amd64

Output of cat /etc/*release:

DISTRIB_CODENAME=uakari
DISTRIB_DESCRIPTION="NixOS 24.05 (Uakari)"
DISTRIB_ID=nixos
DISTRIB_RELEASE="24.05"
LSB_VERSION="24.05 (Uakari)"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
BUILD_ID="24.05.20240117.842d9d8"
DOCUMENTATION_URL="https://nixos.org/learn.html"
HOME_URL="https://nixos.org/"
ID=nixos
LOGO="nix-snowflake"
NAME=NixOS
PRETTY_NAME="NixOS 24.05 (Uakari)"
SUPPORT_URL="https://nixos.org/community.html"
VERSION="24.05 (Uakari)"
VERSION_CODENAME=uakari
VERSION_ID="24.05"

Output of uname -a:

Linux build 6.7.0 #1-NixOS SMP PREEMPT_DYNAMIC Sun Jan  7 20:18:38 UTC 2024 x86_64 GNU/Linux

Output of cat /etc/containers/storage.conf:

cat /etc/containers/storage.conf
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"
runroot = "/run/containers/storage"

KenMacD avatar Jan 18 '24 20:01 KenMacD
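
A pre-build guard for the collision reported above, as an added example that is not part of the original issue or of buildah's own code. The function name `colliding_secret_ids` and the sample values are assumptions; it only inspects the `id=...,src=...` form shown in the report.

```shell
#!/bin/sh
# Added example: flag --secret values whose id matches a set variable name,
# the condition under which the report above saw an empty /run/secrets file.
# Arguments: the values given to --secret, e.g. "id=FOO,src=bar".
# Output: one colliding id per line (empty output means no collision).
# Note: variables that are set but not exported are reported too, so the
# result is a superset of what the buildah process would actually see.
colliding_secret_ids() {
    # Prefixed names keep the function's own variables from shadowing an id.
    for _csi_spec in "$@"; do
        _csi_id="" _csi_src=0 _csi_rest=$_csi_spec
        # Walk the comma-separated key=value fields without touching IFS.
        while [ -n "$_csi_rest" ]; do
            _csi_field=${_csi_rest%%,*}
            case $_csi_rest in
                *,*) _csi_rest=${_csi_rest#*,} ;;
                *)   _csi_rest="" ;;
            esac
            case $_csi_field in
                id=*)  _csi_id=${_csi_field#id=} ;;
                src=*) _csi_src=1 ;;
            esac
        done
        [ -n "$_csi_id" ] && [ "$_csi_src" -eq 1 ] || continue
        # Ids that are not valid variable names cannot collide; this check
        # also makes the eval below safe.
        case $_csi_id in
            [0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        # ${VAR+x} expands to "x" when VAR is set, even to an empty string.
        if eval "[ -n \"\${$_csi_id+x}\" ]"; then
            printf '%s\n' "$_csi_id"
        fi
    done
    return 0
}

# Constructed usage: refuse to build when a collision is present.
# hits=$(colliding_secret_ids "id=FOO,src=bar")
# [ -z "$hits" ] || { echo "secret id matches env var: $hits" >&2; exit 1; }
```

In CI, the reported ids can be passed to `env -u`, as in step 3 of the report, instead of failing the build.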

@ashley-cui any thoughts?

TomSweeneyRedHat avatar Jan 19 '24 15:01 TomSweeneyRedHat

Might be a bug? I'll take a look

ashley-cui avatar Jan 19 '24 15:01 ashley-cui

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Feb 19 '24 00:02 github-actions[bot]