Credential Manager doesn't work in Windows Containers with BusyBox MinGit #1498
Comments
|
The full installer configures git config --show-origin credential.helperI could imagine, though, that things would still fail with, say, multi-factor authorization, as I have no idea how the GitHub/Visual Studio Team Services/BitBucket/whatever helpers would behave if no graphical prompt was possible (IIRC most of them essentially show HTML pages): would they fall back to talking to the user via the console? Can they fall back that way? The common strategy in Docker containers is to provide the credentials in different ways than via credential helpers: either use SSH keys, or configure the HTTPS remotes with credentials included. In your example, if the password was (Of course, depending on your use case, you would want to ensure the password to be blotted out in whatever log your operations want to have.) |
|
As shown in the working example at the bottom the credential manager just uses console input if you disallow the modal dialogue. This form of input is broken (bash tty error) though in the busybox version. |
|
@dhirschfeld the The message Line 141 in ef6d451 This suggests, very strongly even, that your BusyBox example does not even try to call the Git Credential Manager. I suspected this. That is the entire reason I asked you to provide the information what I still would highly encourage you to actually work with me to resolve this. So far, I feel that half of what I said was simply ignored, and I doubt that this will lead to resolving the issue. If my suspicion is correct, and that |
|
Sorry @dscho - I sent my initial response from my phone on the way into work with the full intention of following up on your other points. Other priorities took precedence however and this fell off my radar. I am keen to get this resolved though so am looking into it now... Also, thanks for taking the time to look into my problem - it is much appreciated! :) |
|
It does indeed seem that the credential helper isn't set: If I set the |
|
Note: The comment below from here seems a bit ominous:
Happy to test anything else out in my Container environment if you have any suggestions... |
My usecase is probably a bit different than the usual - I'm trying to configure a JupyterLab interactive analytics environment which is deployed on Windows Containers. So in this case I want my users to be able to provide their own credentials using the (basic) credential manger:
I am aware that you can embed your username and password in the remote url but I'm trying to avoid having to do that if at all possible |
Thank you for apologizing. I know how this feels, some days (in fact, most of them!) feel like drowning in an ocean, just trying to survive.
That is a real bummer. Could you set D:\test-git\MinGit-2.16.1.3-BusyBox-64>set GIT_TRACE=1
D:\test-git\MinGit-2.16.1.3-BusyBox-64>cmd\git clone https://github.com/dscho/none
12:21:20.549203 git.c:344 trace: built-in: git 'clone' 'https://github.com/dscho/none'
Cloning into 'none'...
12:21:20.755657 run-command.c:627 trace: run_command: 'remote-https' 'origin' 'https://github.com/dscho/none'
12:21:20.854183 git.c:576 trace: exec: 'git-remote-https' 'origin' 'https://github.com/dscho/none'
12:21:20.855184 run-command.c:627 trace: run_command: 'git-remote-https' 'origin' 'https://github.com/dscho/none'
12:21:22.780909 run-command.c:627 trace: run_command: 'git credential-manager get'
12:21:23.023968 git.c:576 trace: exec: 'git-credential-manager' 'get'
12:21:23.024970 run-command.c:627 trace: run_command: 'git-credential-manager' 'get'Also, I wonder whether you see different behavior between running these commands in Jupyter as opposed to a CMD window? |
|
The output with The bash command is a pretty suspicious since bash (or WSL) isn't installed on the server. |
|
I get the same results if I try directly from powershell in the container rather than through the JupyterLab/xterm.js terminal: C:\> $env:USERNAME
ContainerAdministrator
C:\> git config --global credential.modalPrompt never
C:\> git config --global credential.helper manager
C:\> git config --show-origin credential.helper
file:C:/Users/ContainerAdministrator/.gitconfig manager
C:\> $env:GCM_INTERACTIVE='NEVER'
C:\> $env:GCM_PRESERVE_CREDS='TRUE'
C:\> $env:GIT_TRACE=1
C:\> $env:GCM_TRACE=1
C:\> git clone https://github.stanwell.com/Trading/skeleton.git
16:09:29.845751 git.c:344 trace: built-in: git 'clone' 'https://github.stanwell.com/Trading/skeleton.git'
Cloning into 'skeleton'...
16:09:29.892753 run-command.c:627 trace: run_command: 'remote-https' 'origin' 'https://github.stanwell.com/Trading/skeleton.git'
16:09:29.916748 git.c:576 trace: exec: 'git-remote-https' 'origin' 'https://github.stanwell.com/Trading/skeleton.git'
16:09:29.917748 run-command.c:627 trace: run_command: 'git-remote-https' 'origin' 'https://github.stanwell.com/Trading/skeleton.git'
16:09:30.120757 run-command.c:627 trace: run_command: 'git credential-manager get'
16:09:30.238414 git.c:576 trace: exec: 'git-credential-manager' 'get'
16:09:30.239413 run-command.c:627 trace: run_command: 'git-credential-manager' 'get'
16:09:30.550416 ...\Common.cs:527 trace: [Main] git-credential-manager (v1.14.0) 'get'
16:09:30.761424 ...\Where.cs:240 trace: [FindGitInstallations] found 0 Git installation(s).
16:09:31.085437 ...Configuration.cs:405 trace: [LoadGitConfiguration] git All config read, 4 entries.
16:09:31.094443 ...\Where.cs:240 trace: [FindGitInstallations] found 0 Git installation(s).
16:09:31.097441 ...Configuration.cs:405 trace: [LoadGitConfiguration] git All config read, 4 entries.
16:09:31.122437 ...\Common.cs:395 trace: [LoadOperationArguments] GCM_INTERACTIVE = 'NEVER'.
16:09:31.123442 ...\Common.cs:437 trace: [LoadOperationArguments] preserve = 'True'.
16:09:31.678467 ...\Common.cs:77 trace: [CreateAuthentication] detecting authority type for 'https://github.stanwell.com/'.
16:09:31.696466 ...uthentication.cs:137 trace: [GetAuthentication] not github.com, authentication creation aborted.
16:09:31.698469 ...\Common.cs:172 trace: [CreateAuthentication] authority for 'https://github.stanwell.com/' is basic with NTLM=Auto.
16:09:31.721468 ...\Common.cs:565 trace: [QueryCredentials] credentials for 'https://github.stanwell.com/' not found.
16:09:31.722493 ...\Common.cs:495 trace: [LogEvent] Failed to retrieve credentials for 'https://github.stanwell.com/'.
16:09:31.767463 ...\Program.cs:265 trace: [Get] Logon failed, use ctrl+c to cancel basic credential prompt.
Logon failed, use ctrl+c to cancel basic credential prompt.
16:09:31.806468 run-command.c:627 trace: run_command: 'bash' '-c' 'cat >/dev/tty && read -r line </dev/tty && echo "$line"'
16:09:31.810471 run-command.c:627 trace: run_command: 'C:\Miniconda3\Library\mingw64\bin\busybox.exe' '--help'
bash: Unhandled device /dev/tty
cat: write error: Bad file descriptor
error: failed to execute prompt script (exit code 1)
fatal: could not read Username for 'https://github.stanwell.com': No error
C:\> |
Yeah, it would have been great if it was as simple as setting the credential manager! 😄 I still hold out a glimmer of hope that something in the trace may jump out as an obvious/easy fix but it doesn't seem too likely 😞 |
Is this intentional? I would have expected this to tell the Git Credential Manager that it should not ask for the credentials... |
It is included in MinGit (although not in BusyBox-based MinGit). And Git for Windows does not yet have code to special-case the BusyBox case and try a different tack on accessing the terminal in that case. |
|
Using the same configuration does work (prompts for username & password) with the full/normal git installer but then you run into #1403 so it's a case of pick your poison.
I suspected that may be the case. I guess this issue can be left open as a reminder that it would be a useful feature to add to the BusyBox git. |
Hmm, okay. My mistake, sorry for that.
I'd rather fix the main problem first: ensure that the Win32 Console can be accessed by GCM even when it is called via BusyBox-based MinGit. Let me try to set up something (will take a while, that's why I tried to avoid that so far, also because I am not altogether sure that I can reproduce the issue). |
I can see the same issue you describe in a Powershell without Docker containers. Now, how do I debug this ;-) |
|
Oy vey, I have been chasing the wrong goose all the time! This is what I get with non-BusyBox-backed MinGit: Do you notice how it says FWIW I found another environment variable you definitely want to set in your scenario: |
|
Good news! In a joint debugging session with @whoisj, we determined the root cause in Git Credential Manager. @dhirschfeld are you willing to test an experimental build (which I should have ready either later today, but definitely before noon tomorrow UTC+0100)? Most likely I will also have a fix for the fallback code in Git at the same time. |
|
credential-helper-w-tty-fix.zip Okay, so this is the fixed Credential Manager. If you unpack this into your BusyBox-based MinGit's |
|
Thanks for getting to the bottom of this @dscho! ...despite my efforts to confuse the issue with docker and busybox! 😜 I'll certainly test that out on my setup. May not get to it today but if not, will test it over the weekend... |
I was instead using If there's an equivalent git config for those I'd probably use that instead but I don't know that there is? I'll look into that, but it's not a problem if I do have to specify env vars to get the behaviour I'm after... |
|
(This Git Credential Manager version was built from microsoft/Git-Credential-Manager-for-Windows#554.) |
I was surprised, too, that's why I studied the source code of Git Credential Manager and found |
That is likely because the only legal values are "true" or "false". 😏 |
Oh and for those wondering, this fix will be part of GCM v1.15.0 (releases sometime in March). Thanks @dscho for the help, and thanks to @dhirschfeld for the inspiration to root cause and resolve the issue. |
This fixes the issue identified in git-for-windows#1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
This fixes the issue identified in #1498 where Git would not fall back to reading credentials from a Win32 Console when the credentials could not be read from the terminal via the Bash hack (that is necessary to support running in a MinTTY). Tested in a Powershell window. Signed-off-by: Johannes Schindelin <[email protected]>
Running on a
windowsservercore:1709container:defaults?
I just unzipped the prebuilt release
to the issue you're seeing?
Running on a Windows Container
Details
Note: The credential manager works correctly with the full
.exeinstaller...however I'd like to user the BusyBox version as it fixes #1403/#1007 when running in a Windows Container.
What I'm hoping for is a git version which both allows cloning from a host-mapped volume and allows entering the username/password for the credential manager.
The text was updated successfully, but these errors were encountered: