Skip to content

Fallback to kernel keyring when Linux Secret Service is unavailable#637

Open
bharris-devoted wants to merge 1 commit into
DataDog:mainfrom
bharris-devoted:feat/keychain-fallback-dbus-serviceunknown
Open

Fallback to kernel keyring when Linux Secret Service is unavailable#637
bharris-devoted wants to merge 1 commit into
DataDog:mainfrom
bharris-devoted:feat/keychain-fallback-dbus-serviceunknown

Conversation

@bharris-devoted

Copy link
Copy Markdown
Contributor

What

On Linux, when the DBus Secret Service (org.freedesktop.secrets) is not available, pup now falls back to the kernel keyring (keyutils) before resorting to file storage.

Fallback chain: Secret Service → kernel keyring → file storage

Why

On headless Linux environments (containers, SSH sessions without a desktop, CI runners), the Secret Service daemon is typically absent. Previously this caused a hard error during auth login:

Error: Platform secure storage failure: zbus error: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.secrets was not provided by any .service files

#627 mistakenly assumed that keychain.rs would gracefully fallback. It does not andf the latest pup auth does not work on Linux systems with no DBus service available.

Changes

  • KeychainStorage::new() now performs a read probe on Linux (not just entry construction) to detect Secret Service unavailability early
  • detect_backend_with() on Linux: when the first probe fails, switches the keyring credential builder to keyutils and retries before falling through to file storage
  • Extracted linux_keychain_probe_result() helper for testability
  • Added unit tests for:
    • NoEntry treated as healthy probe
    • PlatformFailure (ServiceUnknown) treated as unavailable
    • Full fallback chain: Secret Service failure → keyutils success
    • Full fallback chain: both fail → file storage

Testing

  • cargo check passes
  • Runtime validated: DBUS_SESSION_BUS_ADDRESS=unix:path=/missing pup auth status now prints warning and falls back to kernel keyring
  • Normal path (DBus available) unchanged — no warnings, uses Secret Service

@bharris-devoted bharris-devoted requested a review from a team as a code owner July 7, 2026 14:14
jack-edmonds-dd
jack-edmonds-dd previously approved these changes Jul 7, 2026
@datadog-prod-us1-3

This comment has been minimized.

On Linux, when the DBus Secret Service (org.freedesktop.secrets) is not
available, fall back to the kernel keyring (keyutils) before resorting to
file storage. This gives headless/container environments secure in-memory
credential storage without requiring a running secret service daemon.

Fallback chain: Secret Service → kernel keyring → file storage
@bharris-devoted bharris-devoted force-pushed the feat/keychain-fallback-dbus-serviceunknown branch from 2f132de to 0cc3660 Compare July 8, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants