
Cannot forward gpg-agent with devpod in a "docker-in-docker" container #1562

Open
RishikesavanRamesh opened this issue Jan 15, 2025 · 1 comment

Comments

@RishikesavanRamesh

What happened?
Cannot forward gpg-agent : gpg agent setup is failing

01:47:55 info Run 'ssh admin-devspace-planets-rosterra.devpod' to ssh into the devcontainer
01:47:55 info Starting vscode in browser mode at http://localhost:10800/?folder=/workspace
01:47:55 info Setting up backhaul SSH connection
01:48:00 info gpg: directory '/home/developer/.gnupg' created
01:48:00 info gpg: keybox '/home/developer/.gnupg/pubring.kbx' created
01:48:00 info gpg: /home/developer/.gnupg/trustdb.gpg: trustdb created
01:48:00 info Reverse forwarding local unix//root/.gnupg/S.gpg-agent.extra to remote unix//root/.gnupg/S.gpg-agent.extra
01:48:00 info Error calling gpg-public-keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:01 info Error calling gpg-public-keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:01 info Error calling gpg-public-keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:02 info Error calling gpg-public-keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:02 info Fetch public key: get public gpg keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:02 info get public gpg keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:02 info Error tunneling to container: wait: remote command exited without exit status or exit signal
01:48:02 info tunnel to container: run in container: run gpg agent setup command: Process exited with status 1
01:48:02 error Failed to setup backhaul SSH connection:  exit status 1
01:48:03 error Try using the --debug flag to see a more verbose output
01:48:03 fatal outer tunnel: exit status 1
/Projects/@admin/_devspace/_planets/_rosterra # gpg --list-keys
[keyboxd]
---------
pub   rsa4096 2025-01-15 [SC]
      4A86D720417928707DCA428CA4E2D4B0AE43916C
uid           [ultimate] Rishikesavan Ramesh (devspace-key) <[email protected]>
sub   rsa4096 2025-01-15 [E]

/Projects/@admin/_devspace/_planets/_rosterra # ps aux | grep gpg
 3775 root      0:00 grep gpg
17868 root      0:03 gpg-agent --verbose --daemon --log-file /tmp/gpg-agent.log --allow-preset-passphrase --default-cache-ttl=31536000
/Projects/@admin/_devspace/_planets/_rosterra # 

What did you expect to happen instead?
I expect the gpg forwarding to work correctly, so I can make signed commits within the devpods running in a dind container.

How can we reproduce the bug? (as minimally and precisely as possible)
My Dockerfile and startup script of the main dind container.

/Projects/@admin/_devspace # ls
Dockerfile         README.md          _planets           daemon.json        start_devspace.sh
/Projects/@admin/_devspace # cat Dockerfile 
FROM docker:dind

WORKDIR /Projects

RUN apk update; apk add curl npm tmux gpg gpg-agent nano bash 

RUN curl -L -o devpod "https://github.com/loft-sh/devpod/releases/latest/download/devpod-linux-amd64" && install -c -m 0755 devpod /usr/local/bin && rm -f devpod

RUN mkdir /etc/docker
COPY daemon.json /etc/docker/daemon.json

RUN devpod provider add docker

RUN devpod context set-options -o EXIT_AFTER_TIMEOUT=false
RUN devpod context set-options default -o SSH_INJECT_GIT_CREDENTIALS=true
RUN devpod context set-options default -o SSH_INJECT_DOCKER_CREDENTIALS=true
RUN devpod context set-options default -o GPG_AGENT_FORWARDING=true

RUN npm install -g @devcontainers/cli
/Projects/@admin/_devspace # cat start_devspace.sh 
#!/run/current-system/profile/bin/env bash

docker run -d --name=devspace \
              --privileged \
              --restart unless-stopped \
              --network=host --cap-add=ALL --security-opt seccomp=unconfined \
              --volume /home/rishikesavan/Projects:/Projects \
              --volume /dev:/dev \
              --volume dind-var-lib-docker:/var/lib/docker \
              devspace
/Projects/@admin/_devspace # docker -v
Docker version 27.4.1, build b9d17ea
/Projects/@admin/_devspace # 

My devcontainer.json:
With or without the dind feature in this devcontainer, I could not forward the gpg agent.

/Projects/@admin/_devspace # cat _planets/_rosterra/.devcontainer/ros2/devcontainer.json 
{
        "dockerComposeFile": ["compose.yml"],
        "service": "ros-dev",
        "runServices": ["ros-dev"],
        "shutdownAction": "stopCompose",
        "workspaceFolder": "/workspace",
        "features": {
//              "ghcr.io/devcontainers/features/docker-in-docker:2": {}
        },
        "customizations": {
                "vscode": {
                        "extensions": [
                                "ms-vscode.cpptools",
                                "ms-vscode.cpptools-themes",
                                "twxs.cmake",
                                "donjayamanne.python-extension-pack",
                                "eamodio.gitlens",
                                "ms-iot.vscode-ros",
                                "ms-azuretools.vscode-docker",
                                "ms-vscode.cmake-tools",
                                "eclipse-cdt.vscode-trace-extension",
                                "eclipse-cdt.vscode-trace-server",
                                "redhat.vscode-xml",
                                "ms-toolsai.jupyter"
                        ]
                }
        },
        "postCreateCommand": "bash /post-create-script.sh"
}

Local Environment:

  • DevPod Version: v0.6.8
  • Operating System: linux
  • ARCH of the OS: AMD64
  • Main linux host docker version : Docker version 27.4.1, build b9d17ea

Anything else we need to know?

@bkneis
Contributor

bkneis commented Jan 23, 2025

Hey @RishikesavanRamesh thanks for reporting your issue! Devpod uses a server under the hood running on port 12049 to forward the GPG keys from your local machine to the workspace.

It looks to me like your local machine has some firewall or network policy that is blocking port 12049. Can you see if this is the case and if you can remove this? Let me know if that helps!
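The two things the log above actually tells you are (1) every call to the helper server at localhost:12049 was refused, and (2) the agent socket was reverse-forwarded to /root/.gnupg/S.gpg-agent.extra while gpg inside the workspace created /home/developer/.gnupg. The script below is an added example, not DevPod's own code; it parses those log lines (a constructed sample copied from the issue), counts the refused endpoints, compares the forwarded remote socket path against where the workspace user's gpg will look, and optionally probes the port and the local socket live. It assumes only what the page shows: the helper is a plain TCP listener on localhost:12049 and the forwarded socket is gpg-agent's restricted "extra" socket, which is the right one to forward because it refuses key export and other administrative commands.

```python
"""Diagnose a failed DevPod gpg-agent forward from its log output.

Added example, not DevPod's own code. Assumptions: the log line formats
seen in the issue, a TCP helper on localhost:12049 (per the maintainer's
comment), and gpg-agent's restricted S.gpg-agent.extra socket as the
forwarded socket (per the "Reverse forwarding" log line).
"""
import re
import socket
from pathlib import Path

# Constructed sample: the relevant lines from the devpod log in the issue.
SAMPLE_LOG = """\
01:48:00 info gpg: directory '/home/developer/.gnupg' created
01:48:00 info Reverse forwarding local unix//root/.gnupg/S.gpg-agent.extra to remote unix//root/.gnupg/S.gpg-agent.extra
01:48:00 info Error calling gpg-public-keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:01 info Error calling gpg-public-keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
01:48:02 info Fetch public key: get public gpg keys: Post "http://localhost:12049/gpg-public-keys": dial tcp [::1]:12049: connect: connection refused
"""

FORWARD_RE = re.compile(
    r"Reverse forwarding local unix/(?P<local>\S+) to remote unix/(?P<remote>\S+)"
)
REFUSED_RE = re.compile(
    r"dial tcp (?P<addr>\[[^\]]+\]|[0-9.]+):(?P<port>\d+): connect: connection refused"
)
HOMEDIR_RE = re.compile(r"gpg: directory '(?P<home>[^']+)/\.gnupg' created")


def parse_devpod_log(text):
    """Return (forwards, refused, remote_home) pulled out of the log text.

    forwards: list of (local_socket, remote_socket) pairs
    refused:  {(addr, port): count} for 'connection refused' errors
    remote_home: home dir gpg created its keyring under, if logged
    """
    forwards, refused, remote_home = [], {}, None
    for line in text.splitlines():
        if m := FORWARD_RE.search(line):
            forwards.append((m["local"], m["remote"]))
        if m := REFUSED_RE.search(line):
            key = (m["addr"].strip("[]"), int(m["port"]))
            refused[key] = refused.get(key, 0) + 1
        if m := HOMEDIR_RE.search(line):
            remote_home = m["home"]
    return forwards, refused, remote_home


def expected_extra_socket(home):
    """Default location of gpg-agent's restricted socket under a home dir."""
    return str(Path(home) / ".gnupg" / "S.gpg-agent.extra")


def mismatched_forwards(forwards, remote_home):
    """Forwards whose remote socket path is not where the workspace gpg looks."""
    want = expected_extra_socket(remote_home)
    return [(loc, rem) for loc, rem in forwards if rem != want]


def local_socket_present(path):
    """True if the local agent socket exists (gpg-agent is up with an extra socket)."""
    return Path(path).is_socket()


def port_listening(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(text, check_live=False):
    """Turn a devpod log into a list of human-readable findings."""
    forwards, refused, remote_home = parse_devpod_log(text)
    findings = []
    for (addr, port), n in refused.items():
        findings.append(f"helper server {addr}:{port} refused {n} connection(s)")
        if check_live and not port_listening(addr, port):
            findings.append(f"nothing is listening on {addr}:{port} right now")
    if remote_home:
        for _, remote in mismatched_forwards(forwards, remote_home):
            findings.append(
                f"agent socket forwarded to {remote} but gpg in the workspace "
                f"will look for {expected_extra_socket(remote_home)}"
            )
    if check_live:
        for local, _ in forwards:
            if not local_socket_present(local):
                findings.append(f"local agent socket {local} does not exist")
    return findings


def loopback_probe_roundtrip():
    """Self-check for port_listening: (seen while bound, refused after close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    up = port_listening("127.0.0.1", port)
    srv.close()
    down = port_listening("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```

Run it with check_live=True from the same place devpod was launched. Because start_devspace.sh uses --network=host, "localhost" inside the dind container is the host's loopback, so the port probe answers the same question from either side; a refused connect with no firewall in play usually means the helper process itself is not listening, not that a policy is dropping it. The socket path gpg-agent really uses can differ from ~/.gnupg (on systems with /run/user it lives under /run/user/UID/gnupg), so compare against the output of gpgconf --list-dirs agent-extra-socket on both ends before trusting the path check.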
