Docker not start after upgrade to V4, problem with key import

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

I use docker to host my passbolt environment, and create my docker with a script:

docker run -d \
  --name passbolt-4.0.2\
  --mount type=bind,src=/data/passbolt/gpg,dst=/etc/passbolt/gpg \
  -p 5555:8080 \
  -e DATASOURCES_DEFAULT_PASSWORD=pass \
  -e DATASOURCES_DEFAULT_DATABASE=passbolt \
  -e DATASOURCES_DEFAULT_HOST=db-host \
  -e DATASOURCES_DEFAULT_USERNAME=passbolt \
  -e EMAIL_DEFAULT_FROM=noreply@passbolt.com \
  -e EMAIL_TRANSPORT_DEFAULT_HOST=smtphost \
  -e EMAIL_TRANSPORT_DEFAULT_PORT=587 \
  -e EMAIL_TRANSPORT_DEFAULT_USERNAME=usersmtp\
  -e EMAIL_TRANSPORT_DEFAULT_PASSWORD=passsmtp\
  -e EMAIL_TRANSPORT_DEFAULT_TLS=1 \
  -e APP_FULL_BASE_URL=https://passbolturl.com \
  passbolt/passbolt:4.0.2-2-ce-non-root

With the image 3.12.0-3-ce-non-root, it works: I can stop/start my docker and use passbolt.
With 4.0.2, docker doesn't start and generates these logs:

docker  logs -f passbolt-4.0.2
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key F112DDCE4B41B242: public key "Passbolt default user <passbolt@yourdomain.com>" imported
gpg: can't connect to the agent: End of file
gpg: Total number processed: 1
gpg:               imported: 1

Could you help me?

Is that the only output of the logs?

Also you are just running the passbolt container and not the db container like in the docker-compose file, correct?

I have the same issue here; changing the image to v4 raises this error:

gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key XXXXX: public key "Passbolt default user <passbolt@yourdomain.com>" imported
gpg: can't connect to the agent: End of file
gpg: Total number processed: 1
gpg:               imported: 1
gpg: key XXXXX: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: key XXXXX: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: can't connect to the agent: End of file
gpg: error getting the KEK: No agent running
gpg: error reading '/etc/passbolt/gpg/serverkey_private.asc': No agent running
gpg: import from '/etc/passbolt/gpg/serverkey_private.asc' failed: No agent running
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1

3.12.2-1-ce is running without issues. We have had the same installation since 2.x and all previous upgrades were smooth. Any idea what changed in the 4.x docker releases that could cause this?

I also tried the following (with 4.0.x, but the latest release gives me the same error):

# docker run --rm -v passbolt_gpg:/etc/passbolt/gpg --entrypoint bash -it passbolt/passbolt:4.0.2-2-ce
root@d69d1ea28f3f:/usr/share/php/passbolt# gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key XXXXX: public key "Passbolt default user <passbolt@yourdomain.com>" imported
gpg: can't connect to the agent: End of file
gpg: error getting the KEK: No agent running
gpg: error reading '/etc/passbolt/gpg/serverkey_private.asc': No agent running
gpg: import from '/etc/passbolt/gpg/serverkey_private.asc' failed: No agent running
gpg: Total number processed: 0
gpg:               imported: 1
gpg:       secret keys read: 1
root@d69d1ea28f3f:/usr/share/php/passbolt# gpg --version
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
gpg (GnuPG) 2.2.40
libgcrypt 1.10.1
Copyright (C) 2022 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /var/lib/passbolt/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

In 3.x, docker has the following gpg version:

# docker exec -it passbolt bash
root@2ae0c8f1f8a7:/usr/share/php/passbolt# gpg --version
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /var/lib/passbolt/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Have you tried to give the Docker container the fingerprint and email of the key as env variables?
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: “$serverkeyfingerprint”
PASSBOLT_KEY_EMAIL: “$serverkeymail”

Also, you can try to pass the server key as Docker secret, see the documentation on the website:

After further debugging, I found out that the agent was being started, but it cannot be reached via the socket. Then I found out it works when running the container with --privileged. This could be related to the docker version running on our server (18.06.2-ce).

The weird part is that I tried to run apt update && apt install strace to understand what was blocking the agent from connecting to the socket, and that also didn't work in the 4.x image:

dpkg-deb (subprocess): decompressing archive '/var/cache/apt/archives/libunwind8_1.6.2-3_amd64.deb' (size=51172) member 'control.tar': lzma error: Cannot allocate memory
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libunwind8_1.6.2-3_amd64.deb (--unpack):
 dpkg-deb --control subprocess returned error exit status 2

Note: I have plenty of free RAM, this also works when running the container with --privileged.

Since I couldn’t reproduce this locally, my initial conclusion is that something has changed in the build from 3.x to 4.x that’s affecting the run with old docker/kernel, guess it’s time for an upgrade :slight_smile:
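The failure pattern in the logs above (public key imported, "secret keys read: 1" but nothing stored, "No agent running") can be caught at container start instead of being noticed only when passbolt fails later. Below is an added example, not code from the thread or from passbolt's own entrypoint, that classifies the output of the server-key import; the sample logs are constructed from the thread with the key id anonymized.

```shell
#!/bin/sh
# Added example, not from the thread or passbolt's own entrypoint: classify the
# output of "gpg --import" of the server key so a startup script stops early when
# only the public half was stored because gpg-agent was unreachable.
# Argument: captured gpg output as one string. Prints ok|agent-unreachable|public-only.
classify_gpg_import() {
    _log=$1
    # gpg's summary lines for stored secret keys; extract the counts.
    _imp=$(printf '%s\n' "$_log" | sed -n 's/^gpg: *secret keys imported: *\([0-9]*\).*/\1/p')
    _unc=$(printf '%s\n' "$_log" | sed -n 's/^gpg: *secret keys unchanged: *\([0-9]*\).*/\1/p')
    if [ "${_imp:-0}" -gt 0 ] || [ "${_unc:-0}" -gt 0 ]; then
        echo ok
        return 0
    fi
    # "secret keys read" but none stored, plus an agent error: the thread's failure.
    if printf '%s\n' "$_log" | grep -qE "No agent running|can't connect to the agent"; then
        echo agent-unreachable
        return 2
    fi
    echo public-only
    return 1
}

# Constructed sample: the failing import from the thread (key id anonymized).
LOG_FAILED=$(cat <<'EOF'
gpg: key XXXXX: public key "Passbolt default user <passbolt@yourdomain.com>" imported
gpg: can't connect to the agent: End of file
gpg: error getting the KEK: No agent running
gpg: import from '/etc/passbolt/gpg/serverkey_private.asc' failed: No agent running
gpg: Total number processed: 0
gpg:       secret keys read: 1
EOF
)
# Constructed sample: what a healthy import prints when the agent is reachable.
LOG_OK=$(cat <<'EOF'
gpg: key XXXXX: public key "Passbolt default user <passbolt@yourdomain.com>" imported
gpg: key XXXXX: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
EOF
)
# In an entrypoint: classify_gpg_import "$(gpg --homedir "$GNUPGHOME" --import "$KEY" 2>&1)"
for sample in "$LOG_FAILED" "$LOG_OK"; do
    verdict=$(classify_gpg_import "$sample") || true
    echo "verdict: $verdict"
done
```

A non-zero return from the function is the signal to abort startup rather than widen container privileges to get the agent socket working.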

Thank you, this was not about the secret (the key itself doesn’t have a password), I just confirmed it works fine with docker Server Version: 23.0.1 / Kernel 5.4.0