I’m trying to use the secret-tool command to store a secret securely in a running headless CentOS 7.5.1804 Docker container, but can’t seem to find which packages and/or configuration are necessary to make this work successfully.
Specifically, I want to be able to run this command:
printf "aPassword" | secret-tool store --label="test" foo bar
And be able to see that password by running:
secret-tool lookup foo bar
When I run the secret-tool store command, I get this:
printf 'aPassword' | secret-tool store --label="test" foo bar
** Message: Remote error from secret service: org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Secret.Collection' on object at path /org/freedesktop/secrets/collection/login
secret-tool: No such interface 'org.freedesktop.Secret.Collection' on object at path /org/freedesktop/secrets/collection/login
I’ve followed the ArchLinux Gnome/Keyring wiki page and attempted to do the same on a CentOS Docker container via the following steps:
docker run --privileged -it centos:centos7.5.1804 /bin/bash
# remainder of commands are in the container bash shell:
printf 'search localhost.localdomain\nnameserver 8.8.8.8\nnameserver 8.8.4.4' > /etc/resolv.conf
yum -y update
yum -y install sudo gnome-keyring libsecret dbus-x11
yum clean all && rm -rf /var/cache/yum
export DISPLAY=":0.0"
eval "$(dbus-launch --sh-syntax)"
mkdir -p ~/.cache
mkdir -p ~/.local/share/keyrings
eval $(gnome-keyring-daemon --start)
export SSH_AUTH_SOCK
From what I can tell, this should provide everything needed (gnome-keyring daemon, dbus session and secret-tool + libsecret) to allow the secret-tool store command to succeed, but it fails.
What am I missing?
Answers:
Method 1
A year later, and I was able to revisit this. After a full day of researching and trying various things, I was finally able to figure this out. I hope this answer saves others the days of productivity I lost!
The missing link in the chain was that a keyring has to be created first before entries can be saved to it. In this docker context, there is no user account, no login, etc – so no keyring that would have automatically been created by a desktop manager like Gnome.
As a result, you have to:
- First create the keyring manually and then
- Start the keyring daemon manually
When creating, the command requires a password from stdin to initialize the keyring. In this docker example, because it’s just for testing and not actually used by a real user, I’m using a dummy password of a newline (\n) that is piped in to both the --unlock scenario (which creates a keyring the first time it’s called) and the --start scenario which actually starts the daemon.
Here’s the final working set of commands. Note that the official base centos docker image isn’t used – systemd services must be running for DBus, so we must use the official centos/systemd image instead:
docker run --privileged -d -v /sys/fs/cgroup:/sys/fs/cgroup:ro --name centos-systemd centos/systemd
docker exec -it centos-systemd /bin/bash
# remainder of commands are in the container bash shell:
yum -y install gnome-keyring libsecret dbus-x11
eval "$(dbus-launch --sh-syntax)"
mkdir -p ~/.cache
mkdir -p ~/.local/share/keyrings   # where the automatic keyring is created
# 1. Create the keyring manually with a dummy password in stdin
eval "$(printf '\n' | gnome-keyring-daemon --unlock)"
# 2. Start the daemon, using the password to unlock the just-created keyring:
eval "$(printf '\n' | /usr/bin/gnome-keyring-daemon --start)"
Once this has been done, we can now store and lookup passwords:
[root@603a122f7555 /]# secret-tool lookup foo bar
[root@603a122f7555 /]# printf "aPassword" | secret-tool store --label="test" foo bar
[root@603a122f7555 /]# secret-tool lookup foo bar
aPassword
[root@603a122f7555 /]#
Method 2
Here are my commands on a headless VM of Ubuntu:
apt install dbus-x11 gnome-keyring libsecret-tools   # ~79MB; libsecret-tools is the Debian/Ubuntu package that ships secret-tool
export $(dbus-launch)
eval "$(echo 'n' | gnome-keyring-daemon --unlock)"
echo xxx@gmail.com | secret-tool store --label="main" email address
echo $(secret-tool lookup email address)
kill -9 $(pgrep -f gnome-keyring-daemon)
# echo $(secret-tool lookup email address)   # no longer gives password
It looks like the keyring will need to be unlocked in any script to retrieve the secrets.
The trick was really using the eval command which I thought was just for Docker. This is the error without that, which has no solution on the net including a couple GitHub projects.
“secret-tool: Cannot create an item in a locked collection”
EDIT, this only worked once. Even after using -r to restart the daemon, killing the processes and rebooting, I can’t get any new secrets even with different names, nor retrieve the stored one.
Error “secret-tool: Cannot create an item in a locked collection”
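Both answers above reduce to one procedure: start a session bus, create or unlock the keyring with a password read from stdin, start the daemon in that same environment, then store and look up. The script below is that procedure as reusable functions with a round-trip check; it is an added example written for this page, not code from either answer. It assumes a root shell in a container where gnome-keyring, secret-tool and dbus-x11 are already installed (Method 1's yum line or Method 2's apt line); the function names, the password file, the label and the attributes foo=bar are my choices, as is the `--components=secrets` flag (gnome-keyring-daemon also accepts pkcs11 and ssh there). It also covers Method 2's "Cannot create an item in a locked collection": the first thing to check in that situation is that `init_keyring` has been re-run with the same password in the current shell, because the variables printed by dbus-launch and gnome-keyring-daemon exist only in the shell that evaluated them, and a killed daemon or a reboot leaves the collection locked again.

```shell
#!/usr/bin/env bash
# Added example for this page (not from the original answers).
# Assumes gnome-keyring, secret-tool and dbus-x11 are installed and we run as
# the user who owns ~/.local/share/keyrings.
set -u

# Return 0 if every named command is on PATH, 1 (and name the first missing one) otherwise.
require_cmds() {
    local c
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || { echo "missing command: $c" >&2; return 1; }
    done
    return 0
}

# Start a private session bus unless this shell already has one exported.
start_session_bus() {
    if [ -z "${DBUS_SESSION_BUS_ADDRESS:-}" ]; then
        eval "$(dbus-launch --sh-syntax)"
        export DBUS_SESSION_BUS_ADDRESS
    fi
}

# Create (first call) or unlock (every later session) the login keyring and start
# the secrets component in this shell's environment. The password is read from a
# mode-0600 file instead of being typed on the command line, so it does not show
# up in `ps` output or the shell history.
init_keyring() {
    local pwfile="$1"
    mkdir -p "$HOME/.cache" "$HOME/.local/share/keyrings"
    chmod 700 "$HOME/.local/share/keyrings"
    eval "$(gnome-keyring-daemon --unlock < "$pwfile")"
    eval "$(gnome-keyring-daemon --start --components=secrets < "$pwfile")"
    export GNOME_KEYRING_CONTROL
}

# Store the secret arriving on stdin under the attribute pair key=value.
store_secret() {
    local label="$1" key="$2" value="$3"
    secret-tool store --label="$label" "$key" "$value"
}

# Print the secret stored under key=value (exit status 1 if there is none).
lookup_secret() {
    secret-tool lookup "$1" "$2"
}

# Round trip: store a value, read it back, return 0 only if they match.
verify_roundtrip() {
    local expected="$1" got
    printf '%s' "$expected" | store_secret test foo bar || return 1
    got="$(lookup_secret foo bar)" || return 1
    [ "$got" = "$expected" ]
}

main() {
    require_cmds dbus-launch gnome-keyring-daemon secret-tool || return 1
    local pwfile
    pwfile="$(mktemp)" && chmod 600 "$pwfile"
    # Constructed throwaway password for a test container. In a real deployment
    # it would come from a mounted secret or tmpfs file, never a literal.
    printf 'test-keyring-password\n' > "$pwfile"
    start_session_bus
    init_keyring "$pwfile"
    rm -f "$pwfile"
    if verify_roundtrip aPassword; then
        echo "keyring OK: stored value read back from foo=bar"
    else
        echo "keyring FAILED: collection locked or daemon not reachable on this bus" >&2
        return 1
    fi
}

# Run the procedure only when invoked as `script.sh run`, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `bash keyring-demo.sh run` inside the container. Two caveats for anyone using this beyond a test container: the keyring file under ~/.local/share/keyrings is encrypted with the password you supplied, so the newline password used in both answers makes the "secure" store equivalent to plaintext on disk for anyone with the container filesystem, and any process that can reach the DBUS_SESSION_BUS_ADDRESS socket can read every item without a password once the collection is unlocked. Keep passing the secret itself on stdin, as the answers do, rather than as a command-line argument.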
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0