remove/unmount secrets from container after container starts

[tmstn]

Is there a way for secrets to be removed from a container once it is running and any services that use them have started? I don't mind this being an exec command that runs inside the container rather than a call to the container from the outside. I have tried removing them with rm but as they seem to be mounted with fuse, I get a Device or resource busy error.

[rhatdan]

Why not pass them in as environment variables, then only the primary process gets them and it can choose whether to pass them on to other processes or to unset it from the environment.

[tmstn]

I wasn't even aware that you could do that. That makes things easy. Thanks a lot 👍

[tmstn]

Where are podman secrets env vars written to in container. Unsetting the env vars only affects the current process and I want to make the changes permanent.

My workflow would be:

1. podman create [image]
2. podman start [container]
3. podman exec [containerid] provbox (provision script that uses the secrets and "unsets" them)

Now in that exec process the secrets no longer exist but if later, I podman exec -it [containerid] /bin/bash and run env the secrets will still exist because unset is only removing them from the step 3 process. How can I delete the secrets entirely from env in the running container.

I could place the secret purge script in ~/.bashrc but if someone manages to access the container with /bin/sh, the secrets will still exist. I looked in /etc/profile and /etc/environment and found nothing.

[tmstn]

Okay, it seems that in privileged containers, I can mount the secrets and then run umount /run/secrets/{secret_name} inside the container to unmount the secret.

As these are fuse mounts from outside the container, are there any commands that can be run on the host to interrupt and unmount them?

[zackattackz]

@tmstn

The umount method seems pretty great :)

Would you happen to know if after unmounting the secret contents are no longer accessible in plaintext anywhere?

While it is true that unmounting would make the secret inaccessible from within the container, I'm still wondering if the host machine would actually still have some volume somewhere holding the secret in plaintext while the container is still active?

I'm just trying to ensure that the secret isn't lingering anywhere after I'm done using it in my container, I'd imagine unmounting would do this but I wasn't sure how exactly the secrets were getting mounted behind the scenes.

If you have any insight I greatly appreciate it !

[zackattackz]

Also, do you think there could be any strategies for removing the secret in a non-privileged container?

[tmstn]

I'm not sure because I do not know how the secrets are stored and mounted to the containers. The podman team would be better suited to answer your questions (and mine too hopefully).

[zackattackz]

@rhatdan

Thank you for the follow up, I appreciate your time :)

I do understand that the secrets are stored unencrypted by default, but also secrets hidden from the host is not what I am looking for. Let me explain further:

I developed a simple driver for secret-create's shell driver which utilizes the host's keyring to retrieve encrypted secrets from the host's machine at run time of the container.

The only issue now in my eyes is that, at run time, the secret exists unencrypted. Obviously a secret needs to be unencrypted to be used by the container, but once the container is done using the secret for an initial authentication process, I want to remove the unencrypted secret from both the system AND the host.

Removal from the container seems to be accomplished with echo '' > /run/secrets/x, but I just wanted clarification on where the secret is stored in the host after the shell driver fetches it. Would the above also wipe the fetched secret from the host if this mount point is shared between the two?

Again, my concern isn't to erase the encrypted secret from the host system, it is to erase the unencrypted temporary file that is generated by podman run

This should reasonably be possible I think.

Thank you once again

[zackattackz]

@tmstn

I can share a simple driver I am working on that uses the python keyring library for fetching encrypted secrets.

You use it in junction with secret create's --driver=shell option.

So far I've only tested it on Linux, so I'm unsure if you need Mac or windows support. But it should be possible in theory because the keyring library supports Mac and windows by default

[zackattackz]

OK, so I've found out that you can use podman container inspect -l --format '{{.StaticDir}}' to find where the secrets directory is on the host.

It seems that my theory is good! After wiping the secret file on the container, the file also present in the static dir is also wiped (and vise-versa, if you wipe it on the host it will be wiped in the container).

So this seems like a sound way to do what I need.

Assuming that the secret isn't also kept somewhere else, or in memory somewhere.. But this is about as far as I'm willing to investigate right now lol

[rhatdan]

Nope that makes sense, and that is the only place it is stored.

[zackattackz]

Sweet, thanks for the feedback 😃