e2e: sign image: Unexpected error: can't connect to the gpg-agent #17966
Comments
edsantiago
added
flakes
|
The tests already set I am not sure what's going on. |
|
Ah, ah, ah. We're not using |
No, I don't think I understand what's going on. Calling @mtrmac for help. |
|
First step is to instrument the code so it actually gives a useful error message, no? |
|
I assume our logs catch the full stdout/err, so to get actual output we need to add: I can open a PR to add this so we can read the actual error message from gpg. |
By default go will not keep the stdout/err attach when executing commands via exec.Command(). It is required to explicitly pass the current stdout/err fds down to the child so we can see the error output in the logs to debug containers#17966. Signed-off-by: Paul Holzinger <[email protected]>
|
(Note mostly to self: I can’t see anything obviously problematic in |
|
@edsantiago, do you see this flake after #17976? |
|
Unfortunately, no, but I haven't been as active on my no-retry PR. I ran it several times today and did not see any triggers. Will keep trying. |
|
I don't see any place in tests where podman/test/e2e/image_sign_test.go Line 31 in 3ecb174 Any objection to |
Loose permissions could definitely cause problems but I don't see why that would trigger a flake. Definitely doesn't hurt fixing this up and hope that we will never see it again. |
|
That doesn't seem to be it. gpg will warn, but not fatally: $ mkdir --mode 0777 /tmp/mygpg
$ ls -ld /tmp/mygpg
drwxrwxrwx. 2 esm esm 40 Apr 25 11:24 /tmp/mygpg/
$ GNUPGHOME=/tmp/mygpg gpg --import test/e2e/sign/secret-key.asc
gpg: WARNING: unsafe permissions on homedir '/tmp/mygpg'
gpg: keybox '/tmp/mygpg/pubring.kbx' created
gpg: /tmp/mygpg/trustdb.gpg: trustdb created
gpg: key A9AA07032E8FD9B2: public key "foobar <[email protected]>" imported
gpg: key A9AA07032E8FD9B2: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ echo $?
0 |
|
Finally! Got the flake, with useful log: This is rootless, and [checks] all the above flakes are rootless, so I'm guessing it's becaue of the way rootless-CI is setup up, with ssh? But no, I've looked at environment (view-source on colorized log) and see no AGENT, SSH, GNUPG, or GPG strings. Nor do I find any under |
edsantiago
changed the title
|
As a vague intuition, I wouldn’t be too surprised if Maybe we could set up an agent config file ( https://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html ) enabling logging, and capture the log when the test fails. |
|
I think you're right. I spent waaaaay too long on this last night, giving up in frustration: that gpg agent is annoying. The only conclusion I came to last night was that we need to Serialize al the gpg tests and also kill agents in cleanup. Today, that's still the only option I think feasible, but I hate it so much that I won't even mention it. Oops too late. |
|
For the record, containers/image#1779 includes a way to kill the agent. |
Reason: gpg tests all run with a different GNUPGHOME, and gpg-agent does not like that, and there's no longer any way to run gpg without the agent. So, do not run these tests in parallel, and clean up agent after each test. Fixes: containers#17966 (I hope) May also fix containers#18358 but it will take some time to be sure. Signed-off-by: Ed Santiago <[email protected]>
github-actions
bot
added
the
locked - please file new issue/PR
the ginkgo line seems to be https://github.com/containers/podman/blob/a91cde637ee2b4f6e8db60147b2f46e6fe482476/test/e2e/image_sign_test.go#L48-L50
There's no useful output or any indication of what the error actually is, but I'm going to guess that this is another contention bug which needs to be addressed either via locking or via
$GNUPGHOMEor--homedirPodman image sign [It] podman sign image
The text was updated successfully, but these errors were encountered: