git, docker, gnome-keyring-daemon

gnome-keyring and libsecret for Git credentials on a headless Ubuntu in a Docker container


TL;DR

We are using the Git extension for JupyterLab. We want to use gnome-keyring to cache our GitHub credentials. Following the documentation (and this and this), we run

apt update && apt install -y \
build-essential \
gnome-keyring \
libglib2.0-dev \
libsecret-1-0 \
libsecret-1-dev

but /usr/share/doc/git/contrib/credential/libsecret is empty, so make has nothing to do. We don't seem to be the only ones with this issue: see this and this. Why is the directory not being populated?


Details

Here is our (stripped down) Dockerfile:

FROM jupyter/minimal-notebook:hub-4.0.2

USER 1000
COPY start_up.sh /tmp/

USER root
RUN chmod +x /tmp/start_up.sh
RUN apt update && apt install -y \
  build-essential \
  gnome-keyring \
  libglib2.0-dev \
  libsecret-1-0 \
  libsecret-1-dev

USER 1000

# other stuff

start_script.sh looks like this:

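#!/bin/bash -l

# Forward this script's arguments to the inner shell: inside the single quotes,
# "$@" expands to the inner sh's own positional parameters, not the script's.
dbus-run-session -- sh -c 'echo "foo" | gnome-keyring-daemon --unlock && exec jupyterhub-singleuser "$@"' sh "$@"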

(We don't actually use foo, but rather an external secret via an environment variable. That's not relevant here though?) This script is run by k8s when a container is deployed; here is the relevant part of the values.yaml file:

singleuser:
  cmd: /tmp/start_up.sh
  nodeSelector: 
     "lifecycle" : "jupyterhub"

The idea is to start the jupyterhub-singleuser in a D-Bus shell so that the keyring backend works: see this and this.


Solution

  • It was explained to me: Ubuntu containers are "minimized". See https://askubuntu.com/q/1173337

    Default Ubuntu containers can be easily unminimized but I have problems running unminimize in jupyter/minimal-notebook:hub-4.0.2 — 1st, it unminimizes too much and 2nd, it fails after some time. So I decided to use 2 containers — start with unminimized Ubuntu, install git, and then copy /usr/share/doc/git/contrib/credential/libsecret/ to jupyter/minimal-notebook:hub-4.0.2. This works for me:

    FROM ubuntu:22.04 AS ubuntu-22.04
    
    # See https://askubuntu.com/q/1173337
    RUN yes | unminimize
    
    RUN apt-get update && apt-get install -y git
    
    
    FROM jupyter/minimal-notebook:hub-4.0.2
    
    USER root
    
    RUN apt-get update && apt-get install -y \
      build-essential \
      git \
      gnome-keyring \
      libglib2.0-dev \
      libsecret-1-0 \
      libsecret-1-dev
    
    COPY --from=ubuntu-22.04 \
      /usr/share/doc/git/contrib/credential/libsecret \
      /usr/share/doc/git/contrib/credential/libsecret
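
A check for why the directory stays empty, as an added example that is not part of the original post. It assumes the minimized image drops documentation through dpkg `path-exclude`/`path-include` filter rules, where the last matching rule decides; the function name `dpkg_would_skip` is hypothetical and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Decide whether dpkg would skip unpacking a path, given a dpkg.cfg.d-style
# filter file. Rules are evaluated in order and the last match wins.
dpkg_would_skip() {
    path=$1 cfg=$2 skip=no
    while IFS= read -r line; do
        case $line in
            path-exclude=*) pat=${line#path-exclude=}; verdict=yes ;;
            path-include=*) pat=${line#path-include=}; verdict=no ;;
            *) continue ;;   # comments, blank lines, unrelated options
        esac
        # Unquoted $pat acts as a glob; as in dpkg, '*' also matches '/'.
        case $path in
            $pat) skip=$verdict ;;
        esac
    done < "$cfg"
    echo "$skip"
}

# Constructed sample rules (not copied from any image).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# drop documentation
path-exclude=/usr/share/doc/*
# but keep copyright files
path-include=/usr/share/doc/*/copyright
EOF

for p in \
    /usr/share/doc/git/contrib/credential/libsecret/Makefile \
    /usr/share/doc/git/copyright \
    /usr/bin/git
do
    printf '%s skipped=%s\n' "$p" "$(dpkg_would_skip "$p" "$sample")"
done
```

Inside the image, pass each file under `/etc/dpkg/dpkg.cfg.d/` as the second argument to see which rule removes the libsecret helper sources.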