How to use GnuPG inside Docker containers since there is no entropy?

I need to pin an apt repository. Packages in it must be signed; currently this is done by running aptly publish snapshot -distribution="stable" -gpg-key="<key id>" my-snapshot

Before that, the key must be created using gpg --gen-key.

But this way, the private key will be baked into the docker image, which does not seem to be good practice. Besides, it does not even work; running gpg --gen-key --batch <gpg.in gets stuck:

Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 284 more bytes)

I don't know whether it is possible to create the gpg key inside the docker container, and even if it is, this might not be a good idea.

Is there a way to sign the contents of a repo with a foreign key?

+6
source share
4 answers

No entropy

Docker does not virtualize /dev/[u]random. If you don't have enough entropy in the container, you don't have enough entropy on the host either.

Check the contents of /proc/sys/kernel/random/entropy_avail; it should be about the same on the host and in the Docker container (if the number differs slightly, that is just because it changes very often; otherwise check again several times).

Possible reasons:

  • Running the docker host in a virtual machine, for example because of boot2docker or a self-built virtual machine. Just make sure you have more entropy inside your virtual machine; haveged is a very simple solution for a developer's machine, but may not be suitable for production.
  • Another container / application uses up all the entropy. Find out which one and stop it, or create more entropy.
  • You simply do not have enough entropy. Do some work (mouse / keyboard movement, (hard) disk I/O).

External key pair creation

In any case, it would be wiser to create the key on a real machine and only move the (private) subkey to the server. This way you can exchange the subkey from time to time (and if it gets compromised). Read What is a good general-purpose GnuPG key setup? to familiarize yourself with the various things to consider when setting up OpenPGP keys.

When building the Docker image, use COPY to get the file into the image, and then gpg --import it in the Dockerfile. Afterwards it is available exactly as if you had created it inside the container using gpg --gen-key.

+3
source

Create the key outside of docker build, inside the same directory tree as your Dockerfile. Then you can ADD the key to the image, and it will be available to aptly. Remember that this image now contains the GPG private key, so it must be kept as confidential as the key itself.

If you want to use the key inside the running container (and not when building the image), use the -v flag to mount the key file inside the image. (This allows you to publish the image without publishing the private key.)

+1
source
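As an added example (not code from the question or from either answer above), here is a POSIX shell script that implements the advice of the two preceding answers: create the key on a real machine and move only the secret subkey to the build. It assumes GnuPG 2.x on the workstation and Docker with BuildKit; the key owner name, file names, the aptly-signing-key secret id and the Debian base image are placeholders. It goes one step beyond the COPY/ADD approach in the answers: instead of putting the key file into an image layer, the Dockerfile it emits receives the subkey through a BuildKit secret mount, imports it into a throwaway GNUPGHOME for the single RUN step that runs aptly publish, and deletes that directory in the same layer, so the resulting image carries the signed repository but neither the key file nor an imported keyring.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Pattern: generate the OpenPGP key on the workstation, export only the secret
# subkey, and let the image build sign the repository without the key ever
# landing in an image layer.
# Assumptions (placeholders, not from the page): GnuPG 2.x on the workstation,
# Docker with BuildKit, and the names/ids used below.
set -eu

# Unattended key-generation parameters. The asker's gpg.in is not on the page;
# this is a constructed equivalent. %no-protection means no passphrase, the
# usual trade-off for a key that an unattended publish step has to use.
batch_params() {
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: 1y
%commit
EOF
}

# Generate the key pair in a throwaway GNUPGHOME on the workstation and export
# only the secret subkey plus the public key. Prints the primary fingerprint.
# $1 = output file for the secret subkey, $2 = owner name, $3 = e-mail
generate_and_export() {
    out=$1
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    batch_params "$2" "$3" | gpg --batch --quiet --gen-key
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
    # --export-secret-subkeys writes the primary key only as a stub: whoever
    # imports this file can sign, but cannot certify, revoke or add subkeys.
    gpg --batch --armor --export-secret-subkeys "$fpr" > "$out"
    gpg --batch --armor --export "$fpr" > "${out%.asc}.pub.asc"
    chmod 600 "$out"
    printf '%s\n' "$fpr"
}

# Dockerfile that signs the repository at build time. The secret is visible
# only during this RUN step; it is imported into a temporary GNUPGHOME that is
# removed in the same layer, so no layer contains the key.
dockerfile_snippet() {
    cat <<'EOF'
# syntax=docker/dockerfile:1
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends gnupg aptly \
    && rm -rf /var/lib/apt/lists/*
# ... add packages to the aptly repo and create the snapshot "my-snapshot" here ...
RUN --mount=type=secret,id=aptly-signing-key \
    export GNUPGHOME="$(mktemp -d)" \
    && gpg --batch --import /run/secrets/aptly-signing-key \
    && aptly publish snapshot -distribution="stable" -gpg-key="<key id>" my-snapshot \
    && rm -rf "$GNUPGHOME"
EOF
}

# Usage: ./prepare-signing-key.sh generate [out.asc] [name] [email]
#        ./prepare-signing-key.sh dockerfile > Dockerfile
case "${1:-}" in
    generate)   generate_and_export "${2:-signing-subkey.asc}" "${3:-Repo Signing}" "${4:-repo@example.invalid}" ;;
    dockerfile) dockerfile_snippet ;;
esac
```

Run the generate step on the workstation to produce signing-subkey.asc (secret subkey) and signing-subkey.pub.asc (the public key the apt clients need), write the Dockerfile with the dockerfile step, and build with docker build --secret id=aptly-signing-key,src=./signing-subkey.asc . The primary key stays on the workstation, so it can revoke or rotate the subkey as the first answer recommends. The secret mount only covers the build step; for a key that must be present in the running container, the -v mount from the second answer applies unchanged.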

I was able to significantly speed up entropy generation by pinging some websites while connected to the docker container in which the gpg key was being generated.

$ docker exec -it blimp_mailpilekermit_1 bash
mailpile@mailpile-kermit:~$ ping google.com &
mailpile@mailpile-kermit:~$ ping cloudfleet.io &
mailpile@mailpile-kermit:~$ cat /proc/sys/kernel/random/entropy_avail
757

This allowed the gpg process to finish generating a 2048-bit key relatively quickly.

+1
source

Flood pinging the front end (from another host) will also add entropy to the pool.

e.g. ping -f $EXTERNALIP

You need to be root, and it's better not to do this on a network you care about.

0
source

Source: https://habr.com/ru/post/988315/
