Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Podman secrets value of type env revealed in container inspection #23788

Closed
bmenant opened this issue Aug 28, 2024 · 1 comment · Fixed by #23959
Closed

Podman secrets value of type env revealed in container inspection #23788

bmenant opened this issue Aug 28, 2024 · 1 comment · Fixed by #23959
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@bmenant
Copy link

bmenant commented Aug 28, 2024

Issue Description

Values of secrets attached to containers with type=env option are available on container inspection (running or exited).
It is not the case with secrets attached with type=mount option.

I do not know if this is expected per specs?

Steps to reproduce the issue

Steps to reproduce the issue

  1. printf 'secret value' | podman secret create mysecret -
  2. podman container run --rm --secret mysecret,type=env -d alpine sleep 300
  3. podman container inspect -l --format '{{ .Config.Env }}'

Describe the results you received

The value of the secret is disclosed on container inspection in the Config.Env attribute: [... mysecret=secret value]
It is not listed in the Config.Secrets attribute.

Describe the results you expected

I’d expect it to not appear in the Config.Env attribute.
I’d expect to find it (undisclosed) in the Config.Secrets attribute, like mount type secrets are.

podman info output

host:
  arch: amd64
  buildahVersion: 1.37.1
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99
    systemPercent: 0.31
    userPercent: 0.69
  cpus: 16
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "40"
  eventLogger: journald
  freeLocks: 2015
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
  kernel: 6.10.6-200.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 372310016
  memTotal: 14339981312
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.1-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.1
    package: netavark-1.12.1-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.1
  ociRuntime:
    name: crun
    package: crun-1.15-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240821.g1d6142f-1.fc40.x86_64
    version: |
      pasta 0^20240821.g1d6142f-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1001/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 8586260480
  swapTotal: 8589930496
  uptime: 3h 28m 1.00s (Approximately 0.12 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/bmenant/.config/containers/storage.conf
  containerStore:
    number: 16
    paused: 0
    running: 0
    stopped: 16
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/bmenant/.local/share/containers/storage
  graphRootAllocated: 498387124224
  graphRootUsed: 115184447488
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 134
  runRoot: /run/user/1001/containers
  transientStore: false
  volumePath: /home/bmenant/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.1
  Built: 1723593600
  BuiltTime: Wed Aug 14 02:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

No response

Additional information

No response
@bmenant bmenant added the kind/bug Categorizes issue or PR as related to a bug. label Aug 28, 2024
@auyer
Copy link
Contributor

auyer commented Sep 4, 2024

Hi. I was able to reproduce this.
Can any maintainer confirm if this should be fixed or is working as intended?

If so, I have an implementation ready.
Should there be an option to allow showing/hiding these secrets ? Or always hide it by default?
image

Thanks.

@auyer auyer mentioned this issue Sep 15, 2024
Merged
auyer added a commit to auyer/podman that referenced this issue Sep 17, 2024
@auyer
libpod: hides env secrets from container inspect
a5e9b4d 
Replaces env values supplied from podman secrets,
returns ******* instead

Fixes: containers#23788

Signed-off-by: Rafael Passos <[email protected]>
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Dec 17, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Dec 17, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Hide secrets from container inspect command auyer/podman
3 participants
@bmenant @auyer and others