Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to use GnuPG inside Docker containers, as it is missing entropy?

Tags:

docker

gnupg

entropy

openpgp

I need to dockerize an apt repository. The packages in it need to be signed, which is currently done by aptly publish snapshot -distribution="stable" -gpg-key="<key id>" my-snapshot

Before that a key needs to be created using gpg --gen-key.

But this way the private key will be crated inside the docker image, which doesn't seem to be a good practice. Besides, id doesn't even work; running gpg --gen-key --batch <gpg.in gets stuck:

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)

I don't know if it's even possible to generate a gpg key inside a docker container, and even if it is, it may not be a good idea.

Is there a way to sign the contents of the repo by an external key?

like image 507
Michael Ivko Avatar asked Jun 01 '15 12:06

Michael Ivko

1 Answers

Missing Entropy

Docker does not provide a virtual /dev/[u]random devices. If you haven't got enough entropy in the container, you haven't got enough entropy on the host.

Check the contents of /proc/sys/kernel/random/entropy_avail, they should be pretty much the same on both the Docker host and container (if the number is slightly different, it just changes very frequently, otherwise recheck a few times).

Possible reasons:

  • Running the docker host in a virtual machine, for example because of boot2docker or a self-constructed virtual machine. Just make sure to get more entropy inside your virtual machine, havegd is a very easy solution for a developer machine, but might not be appropriate for production.
  • Another container/application is using up all entropy. Realize which one and interrupt/terminate it, or generate more entropy.
  • You're generally not having enough entropy. Do some work (mouse/keyboard movements, (hard) disk I/O).

Externally Generating a Key Pair

Anyway, it might be more reasonable to generate a key on a real machine, and only move a (private) subkey to the server. This way, you can exchange the subkey every now and then (and in case it was compromised). Read What is a good general purpose GnuPG key setup? for an introduction to different things to consider while setting up OpenPGP keys.

While building the Docker image, use COPY to get the file into the machine, and then gpg --import it in the Dockerfile. Afterwards, it is available exactly the same way it would've been if you generated it inside the container using gpg --gen-key.

like image 57
Jens Erat Avatar answered Oct 20 '22 13:10

Jens Erat
Sign in to Comment

Related questions

Enabling webpack hot-reload in a docker application
How to share localhost between two different Docker containers?
"Invalid configuration for registry" error when executing "eb local run"
Postgres with Docker: Postgres fails to load when persisting data
Getting forbidden error while using nginx inside docker
Docker not updating changes in directory
Docker Compose: Should I have multiple docker-compose files?
Can a docker image based on Ubuntu run in Redhat?
Printing from inside a docker container
Run SpringBoot-based docker image return error message:Invalid or corrupt jarfile /app.jar
Best way to install java 8 using docker?
Docker on Windows: how to connect to container from host using container IP?
failed: port is already allocated
How to dockerize an ASP.NET Core 2.0 application?
How to compile a c++ application using static opencv libraries within docker
Purpose of FROM command - Docker file
Missing log lines when writing to cloudwatch from ECS Docker containers
How to limit memory usage in docker-compose?
docker-compose to run django with mongodb
Jenkins in docker with access to host docker

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!