images: Create the directory for configuring PKCS#11 modules#1643
Merged: debarshiray merged 2 commits into containers:main (May 7, 2025)
Conversation
The /etc/pkcs11 directory and /etc/pkcs11/pkcs11.conf.example file are created by the p11-kit package in Arch Linux, and the lib11-kit package provides p11-kit-client.so. However, the /etc/pkcs11/modules directory that's necessary to configure p11-kit to use p11-kit-client.so is not created by any package. It's better to ensure that the /etc/pkcs11/modules directory exists in the image, instead of having the Toolbx container's entry point create it at runtime, because it can be a confirmation that p11-kit was built to read the module configuration from this location. This should have been part of commit 259de86. containers#626
debarshiray commented on May 7, 2025
The p11-kit-modules package in Ubuntu provides p11-kit-client.so, but the /etc/pkcs11/modules directory that's necessary to configure p11-kit to use p11-kit-client.so is not created by any package. It's better to ensure that the /etc/pkcs11/modules directory exists in the image, instead of having the Toolbx container's entry point create it at runtime, because it can be a confirmation that p11-kit was built to read the module configuration from this location. This should have been part of commit aa85077. containers#626
debarshiray commented on May 7, 2025
| RUN sed -i '/^auth.*pam_unix.so/s/nullok_secure/try_first_pass nullok/' /etc/pam.d/common-auth | ||
|
|
||
| # Enable the use of p11-kit-client.so to access CA certificates from the host | ||
| RUN mkdir --parents /etc/pkcs11/modules |
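Review bot: `RUN mkdir --parents /etc/pkcs11/modules` only creates the directory; nothing in this hunk places a module configuration file in it, so the comment above it ("Enable the use of p11-kit-client.so to access CA certificates from the host") promises more than the line delivers. Suggest rewording it to say the directory is created so that the container's entry point can write the p11-kit-client module configuration there at runtime, which is what the commit message describes. Since p11-kit loads whichever shared object a file in this directory names, it is also worth making sure the directory stays root-owned and not group- or world-writable (the default umask in a RUN step yields 0755, which is fine; a later chmod or a non-root USER stage would not be).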
Member
Author
@Jmennius I wonder if libp11-kit0 or p11-kit-modules should create the etc/pkcs11/modules directory?
This was referenced May 7, 2025

debarshiray added a commit to debarshiray/toolbox that referenced this pull request on May 10, 2025
This uses the same approach taken by Flatpak [1] to ensure that the certificates from certificate authorities (or CAs) that are available inside a Toolbx container are kept synchronized with the host operating system. Any program that uses PKCS#11 to access CA certificates should see the same ones both inside the container and on the host.

During every 'enter' and 'run' command, toolbox(1) ensures that an instance of 'p11-kit server' is running on the host listening on a local file system socket that's accessible to both the container and the host. If an instance is already running, then a second one is not created. The location of the socket is injected into the container through the P11_KIT_SERVER_ADDRESS environment variable.

The Toolbx container's entry point configures it to use the p11-kit-client.so PKCS#11 module instead of the usual p11-kit-trust.so module. This talks to the 'p11-kit server' instance running on the host over the socket instead of reading the CA certificates that are present inside the container.

However, unlike Flatpak, this doesn't use D-Bus to set up the communication between the container and the host, because when invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user.

This set-up is skipped if 'p11-kit server' can't be run on the host, or if the /etc/pkcs11/modules directory for configuring PKCS#11 modules or p11-kit-client.so are missing inside the container. None of these are considered hard dependencies to accommodate size-constrained OSes like Fedora CoreOS that might not have 'p11-kit server', and existing Toolbx containers and old images that might not have p11-kit-client.so.

Versions of lsof from 4.88 to older than 4.94.0 always select the file descriptor field [2], and these are present in versions of Ubuntu from 16.04 to 22.04. This needs to be factored in as long as a Ubuntu 22.04 host is used to run the CI. One option is to always select the file descriptor field even though it's not really needed for the tests.

The ubuntu-toolbox:22.04 has been failing to rebuild [3]:

  STEP 6/10: RUN sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/local/sbin/unminimize && apt-get update && yes | /usr/local/sbin/unminimize && DEBIAN_FRONTEND=noninteractive apt-get -y install ubuntu-minimal ubuntu-standard libnss-myhostname flatpak-xdg-utils $(cat extra-packages | xargs) && rm -rd /var/lib/apt/lists/*
  ...
  ...
  (Reading database ... 100%
  (Reading database ... 4387 files and directories currently installed.)
  Preparing to unpack .../libc-bin_2.35-0ubuntu3.9_arm64.deb ...
  Unpacking libc-bin (2.35-0ubuntu3.9) over (2.35-0ubuntu3.9) ...
  Setting up libc-bin (2.35-0ubuntu3.9) ...
  qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  Segmentation fault (core dumped)
  qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  Segmentation fault (core dumped)
  dpkg: error processing package libc-bin (--configure):
   installed libc-bin package post-installation script subprocess returned error exit status 139
  Errors were encountered while processing:
   libc-bin
  E: Sub-process /usr/bin/dpkg returned an error code (1)
  ...

It's probably some network problem because it doesn't reliably occur everywhere. Until this gets sorted out, Toolbx containers created from the ubuntu-toolbox:22.04 won't have access to the CA certificates from the host.

The fedora-toolbox and the UBI-based toolbox images haven't yet been updated to contain p11-kit-client.so. Until that happens, containers created from them won't have access to the CA certificates from the host.

[1] Flatpak commit 66b2ff40f7caf3a7
    flatpak/flatpak@66b2ff40f7caf3a7
    flatpak/flatpak#1757
    p11-glue/p11-kit#68

[2] lsof commit 811dc78cc6404cb3
    lsof-org/lsof@811dc78cc6404cb3
    lsof-org/lsof#125
    lsof-org/lsof#103

[3] containers#1634

containers#1643
containers#626
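The entry-point set-up that this commit message describes, as an added shell illustration that is not Toolbx's own code: it checks the three preconditions the message lists (a server address, the /etc/pkcs11/modules directory, and p11-kit-client.so), refuses a module directory that other users can write to, and writes a p11-kit module file pointing at p11-kit-client.so. The directory and library paths are parameters so it can be exercised against a scratch directory; reusing the p11-kit-trust.module file name so that it shadows the stock trust module, and the file's exact contents, are this example's assumptions (see pkcs11.conf(5)).

```shell
#!/bin/sh
# Added example, not Toolbx's own entry point: switch a container to read CA
# certificates through p11-kit-client.so, or skip when a prerequisite is absent.

# configure_p11_kit_client MODULES_DIR CLIENT_SO SERVER_ADDRESS
#   MODULES_DIR     p11-kit module config directory (/etc/pkcs11/modules)
#   CLIENT_SO       path to p11-kit-client.so inside the container
#   SERVER_ADDRESS  the P11_KIT_SERVER_ADDRESS value injected by toolbox(1)
# Returns 0 after writing MODULES_DIR/p11-kit-trust.module, 1 when the set-up
# must be skipped (none of the three are hard dependencies).
configure_p11_kit_client() {
    modules_dir=$1
    client_so=$2
    server_address=$3

    # No address means 'p11-kit server' could not be started on the host.
    [ -n "$server_address" ] || return 1
    # Old images may lack the directory this pull request adds.
    [ -d "$modules_dir" ] || return 1
    # Old images may lack the client module itself.
    [ -f "$client_so" ] || return 1
    # p11-kit dlopen()s whatever 'module:' names in files found here, so
    # refuse a directory that other users could write to.
    [ -z "$(find "$modules_dir" -prune -perm -0002)" ] || return 1

    # Assumption: a file named like the stock p11-kit-trust.module shadows
    # the packaged one, so trust lookups go to the host's 'p11-kit server'
    # instead of the CA bundle shipped inside the container.
    (umask 022 && cat > "$modules_dir/p11-kit-trust.module") <<EOF
# Written at container start: trust queries are answered by the host through
# P11_KIT_SERVER_ADDRESS=$server_address
module: $client_so
trust-policy: yes
priority: 10
EOF
}

# Stand-alone run against a scratch directory (constructed input).
demo() {
    tmp=$(mktemp -d)
    mkdir -m 0755 "$tmp/modules"
    : > "$tmp/p11-kit-client.so"   # stand-in for the real library
    if configure_p11_kit_client "$tmp/modules" "$tmp/p11-kit-client.so" \
            "unix:path=$tmp/p11-kit-server.sock"; then
        cat "$tmp/modules/p11-kit-trust.module"
    else
        echo "p11-kit client set-up skipped"
    fi
    rm -rf "$tmp"
}
demo
```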