Tags: amazon-s3, docker, gnupg, alpine-linux, duplicity

"Not a tty" error in Alpine-based duplicity image


This is my first ever question at Stack Overflow, so I hope it'll adhere to the community guidelines:

I've built a docker image based on an already existing image which has the sole purpose of running duplicity in a container to back up files and folders to an Amazon S3 bucket in Europe.

Duplicity worked for a couple of days when being run manually inside a container resulting from the image. Now I moved on to run containers via unit files on the host with CoreOS and things don't work anymore - but the command also won't work if I run it manually inside a duplicity container.

The run command:

 docker run --rm  --env-file=<my backup env file>.env --name=<container image> -v <cache container>:/home/duplicity/.cache/duplicity -v <docker volume with gpg keys>:/home/duplicity/.gnupg --volumes-from <docker container of interest> gymnae/duplicity

the env-file contains the following:

PASSPHRASE=<my super secret passphrase>
AWS_ACCESS_KEY_ID=<my aws access key id>
AWS_SECRET_ACCESS_KEY=<my aws access key>
SOURCE_PATH=<where does the data come from>
REMOTE_URL=s3://s3.eu-central-1.amazonaws.com/<my bucket>
PARAMS_CLEAN="--remove-older-than 3M --force --extra-clean"
ENCRYPT_KEY=<derived from the gpg key>

And the init.sh, which is called on docker run, looks like this:

#!/bin/sh
# Back up $SOURCE_PATH to $REMOTE_URL. AWS credentials, PASSPHRASE and
# ENCRYPT_KEY come from the env-file passed to docker run.
duplicity \
         --verbosity 8 \
         --s3-use-ia \
         --s3-use-new-style  \
         --s3-use-server-side-encryption \
         --s3-european-buckets \
         --allow-source-mismatch \
         --ssl-no-check-certificate \
         --s3-unencrypted-connection \
         --volsize 150 \
         --gpg-options "--no-tty" \
         --encrypt-key "$ENCRYPT_KEY" \
         --sign-key "$ENCRYPT_KEY" \
        "$SOURCE_PATH" \
        "$REMOTE_URL"

I tried with -i, -it, -t and just -d - but the result is always the same:

===== Begin GnuPG log =====
gpg: using "<supersecret>" as default secret key for signing
gpg: signing failed: Not a tty
gpg: [stdin]: sign+encrypt failed: Not a tty
===== End GnuPG log =====

GPG error detail: Traceback (most recent call last):
  File "/usr/bin/duplicity", line 1532, in <module>
    with_tempdir(main)
  File "/usr/bin/duplicity", line 1526, in with_tempdir
    fn()
  File "/usr/bin/duplicity", line 1380, in main
    do_backup(action)
  File "/usr/bin/duplicity", line 1508, in do_backup
    incremental_backup(sig_chain)
  File "/usr/bin/duplicity", line 662, in incremental_backup
    globals.backend)
  File "/usr/bin/duplicity", line 425, in write_multivol
    at_end = gpg.GPGWriteFile(tarblock_iter, tdp.name, globals.gpg_profile, globals.volsize)
  File "/usr/lib/python2.7/site-packages/duplicity/gpg.py", line 356, in GPGWriteFile
    file.close()
  File "/usr/lib/python2.7/site-packages/duplicity/gpg.py", line 241, in close
    self.gpg_failed()
  File "/usr/lib/python2.7/site-packages/duplicity/gpg.py", line 226, in gpg_failed
    raise GPGError(msg)
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: using "<supersecret>" as default secret key for signing
gpg: signing failed: Not a tty
gpg: [stdin]: sign+encrypt failed: Not a tty
===== End GnuPG log =====

This "Not a tty" error while gpg tries to sign is weird.

It didn't seem to be a problem before, or I did some crazy typing on a late night shift that it worked once, but now it just doesn't want to work anymore.


Solution

  • For anyone who struggles with the same problem, I found the answer thanks to the developer of duply https://sourceforge.net/p/ftplicity/bugs/76/#74c5

    In short, you need to add GPG_OPTS='--pinentry-mode loopback' starting with gpg 2.1 and add allow-loopback-pinentry to .gnupg/gpg-agent.conf

    This brought me much closer to a working setup.
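The answer above names the two pieces of the fix but not how they fit into the container entrypoint, so here is a replacement init.sh as an added example (it is not code from the question, the answer or the duplicity/duply projects). GPG_OPTS is duply's configuration variable; with plain duplicity the same string goes into `--gpg-options`. The script assumes the env-file variables from the question (PASSPHRASE, ENCRYPT_KEY, SOURCE_PATH, REMOTE_URL, AWS_*), the .gnupg volume at /home/duplicity/.gnupg, and an assumed DUPLICITY override variable so the command line can be inspected without running a backup. It also adds a self-test that signs a scratch file the same way duplicity will, so a broken agent setup fails before any S3 traffic, and it leaves out the two flags from the original script that disabled TLS verification and encryption on the S3 connection.

```shell
#!/bin/sh
# Added example, not the original init.sh: entrypoint that lets GnuPG >= 2.1
# sign without a terminal. Assumes PASSPHRASE, ENCRYPT_KEY, SOURCE_PATH and
# REMOTE_URL from the env-file, and the .gnupg volume at $HOME/.gnupg.
# DUPLICITY is an assumed hook (default: the duplicity binary) used for testing.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
export GNUPGHOME

# Make gpg-agent accept a passphrase over the loopback pinentry. Idempotent:
# the line is appended only if it is not already present. Prints the conf path.
ensure_loopback_pinentry() {
    home="${1:-$GNUPGHOME}"
    conf="$home/gpg-agent.conf"
    mkdir -p "$home"
    chmod 700 "$home"        # gpg warns on a group/world-accessible home dir
    if ! grep -qx 'allow-loopback-pinentry' "$conf" 2>/dev/null; then
        printf '%s\n' 'allow-loopback-pinentry' >> "$conf"
    fi
    chmod 600 "$conf"
    printf '%s\n' "$conf"
}

# An agent started before the conf was edited still has the old settings;
# ask it to reload (a no-op when no agent is running yet).
reload_gpg_agent() {
    command -v gpgconf >/dev/null 2>&1 && gpgconf --reload gpg-agent 2>/dev/null
    return 0
}

# Fail fast: sign a scratch file exactly the way duplicity will (passphrase on
# a file descriptor, loopback pinentry, no TTY). If this fails, so will the backup.
gpg_selftest() {
    sample=$(mktemp) || return 1
    printf 'loopback self-test\n' > "$sample"
    printf '%s\n' "$PASSPHRASE" | gpg --batch --no-tty --pinentry-mode loopback \
        --passphrase-fd 0 --local-user "$ENCRYPT_KEY" \
        --output /dev/null --sign "$sample"
    rc=$?
    rm -f "$sample"
    return "$rc"
}

# The original command with the fix applied to --gpg-options. --batch keeps gpg
# from ever prompting; --pinentry-mode loopback routes the passphrase duplicity
# passes on a file descriptor to the agent instead of spawning a pinentry.
run_backup() {
    "${DUPLICITY:-duplicity}" \
        --verbosity 8 \
        --s3-use-ia \
        --s3-use-new-style \
        --s3-use-server-side-encryption \
        --s3-european-buckets \
        --allow-source-mismatch \
        --volsize 150 \
        --gpg-options "--batch --no-tty --pinentry-mode loopback" \
        --encrypt-key "$ENCRYPT_KEY" \
        --sign-key "$ENCRYPT_KEY" \
        "$SOURCE_PATH" \
        "$REMOTE_URL"
}

# Entry point: only runs when invoked as `init.sh backup`, so the functions can
# also be sourced and tested without touching gpg or S3.
if [ "${1:-}" = "backup" ]; then
    ensure_loopback_pinentry >/dev/null
    reload_gpg_agent
    gpg_selftest || { echo "gpg cannot sign non-interactively; check gpg-agent.conf and PASSPHRASE" >&2; exit 1; }
    run_backup
fi
```

With this in place the `-i`/`-t` flags on `docker run` no longer matter: gpg never looks for a terminal, which is what a unit-driven container needs. Note that the passphrase still lives in the env-file and is visible to anyone who can inspect the container's environment, so keep that file mode 600 on the host.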