I am attempting to use a YubiKey from a Docker container as a non-root user. I started by getting this working in the base OS, and I get this output from ykman info:
$ ykman info
Device type: YubiKey 5 NFC
Serial number: <redacted>
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
Applications    USB        NFC
FIDO2           Enabled    Enabled
OTP             Enabled    Enabled
FIDO U2F        Enabled    Enabled
OATH            Enabled    Enabled
YubiHSM Auth    Enabled    Enabled
OpenPGP         Enabled    Enabled
PIV             Enabled    Enabled
Through trial and error I have gotten to this Dockerfile:
FROM ubuntu
USER root
# ykman, plus the pcscd/CCID stack it talks to (the entrypoint starts pcscd below)
RUN apt-get update && apt-get install -y yubikey-manager && rm -rf /var/lib/apt/lists/*
# unprivileged user that will run pcscd and ykman
RUN groupadd -r -g 1000 yubikey && useradd --system --create-home --no-log-init -u 1000 -g 1000 yubikey
# pcscd needs a writable socket directory when it is not running as root
RUN mkdir /var/run/pcscd && chown yubikey:yubikey /var/run/pcscd
COPY --chown=root:root --chmod=755 entrypoint.sh /usr/local/bin/entrypoint.sh
USER yubikey
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
# exec form so the command is passed to the entrypoint as-is, without an extra shell
CMD ["ykman", "info"]
The entrypoint file is this:
#!/bin/bash
set -e
set -o pipefail
echo "starting pcscd in background"
# pcscd forks into the background by default; --debug/--apdu make it log what it does
pcscd --debug --apdu
# ask the running daemon to rescan for readers
pcscd --hotplug
# hand over to the command given on the docker run line (default: ykman info)
exec "$@"
Now this works when I run the container as root:
$ docker run -it --rm -u 0 --device /dev/usb:/dev/usb --device /dev/bus/usb:/dev/bus/usb yubikey
starting pcscd in background
Device type: YubiKey 5 NFC
Serial number: <redacted>
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
Applications    USB        NFC
FIDO2           Enabled    Enabled
OTP             Enabled    Enabled
FIDO U2F        Enabled    Enabled
OATH            Enabled    Enabled
YubiHSM Auth    Enabled    Enabled
OpenPGP         Enabled    Enabled
PIV             Enabled    Enabled
But when I run it as non-root, I get this:
$ docker run -it --rm --device /dev/usb:/dev/usb --device /dev/bus/usb:/dev/bus/usb yubikey
starting pcscd in background
Error: No YubiKey detected!
I collected some logs for pcscd, and it appears it is failing to interact with the device; here is an excerpt from that output:
00000028 [140492827881984] hotplug_libudev.c:441:HPAddDevice() Adding USB device: Yubico YubiKey OTP+FIDO+CCID
00000249 [140492827881984] readerfactory.c:1097:RFInitializeReader() Attempting startup of Yubico YubiKey OTP+FIDO+CCID 00 00 using /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
00005540 [140492827881984] readerfactory.c:972:RFBindFunctions() Loading IFD Handler 3.0
00000234 [140492827881984] ifdhandler.c:2071:init_driver() Driver version: 1.5.0
00002355 [140492827881984] ifdhandler.c:2088:init_driver() LogLevel: 0x0003
00000022 [140492827881984] ifdhandler.c:2099:init_driver() DriverOptions: 0x0000
00000510 [140492827881984] ifdhandler.c:2112:init_driver() LogLevel from LIBCCID_ifdLogLevel: 0x000F
00000014 [140492827881984] ifdhandler.c:110:CreateChannelByNameOrChannel() Lun: 0, device: usb:1050/0407:libudev:0:/dev/bus/usb/001/014
00000130 [140492827881984] ccid_usb.c:252:OpenUSBByName() Reader index: 0, Device: usb:1050/0407:libudev:0:/dev/bus/usb/001/014
00000073 [140492827881984] ccid_usb.c:284:OpenUSBByName() interface_number: 0
00000014 [140492827881984] ccid_usb.c:285:OpenUSBByName() usb bus/device: 1/14
00000010 [140492827881984] ccid_usb.c:317:OpenUSBByName() Using: /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
00002229 [140492827881984] ccid_usb.c:335:OpenUSBByName() ifdManufacturerString: Ludovic Rousseau ([email protected])
00000020 [140492827881984] ccid_usb.c:336:OpenUSBByName() ifdProductString: Generic CCID driver
00000012 [140492827881984] ccid_usb.c:337:OpenUSBByName() Copyright: This driver is protected by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
00025394 [140492827881984] ccid_usb.c:421:OpenUSBByName() Try device: 1/14
00000096 [140492827881984] ccid_usb.c:431:OpenUSBByName() vid/pid : 1050/0407
00000016 [140492827881984] ccid_usb.c:502:OpenUSBByName() Checking device: 1/14
00000010 [140492827881984] ccid_usb.c:573:OpenUSBByName() Trying to open USB bus/device: 1/14
00000094 [140492827881984] ccid_usb.c:579:OpenUSBByName() Can't libusb_open(1/14): LIBUSB_ERROR_ACCESS
00000533 [140492827881984] ccid_usb.c:204:close_libusb_if_needed() libusb_exit
Any ideas on what I need to do to allow me to access this YubiKey from Docker as a non-root user?
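As an added diagnostic that is not part of the original question (the function names and the embedded sample log line are mine; the /dev/bus/usb/001/014 path and the LIBUSB_ERROR_ACCESS come from the pcscd excerpt above), this script pulls the USB device node that pcscd/libccid tried to open out of a log excerpt and then checks whether the current uid can open that node read-write, which is what libusb_open needs before it can talk to the reader:

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the original post): find the USB device node that
# pcscd/libccid tried to open, then test whether the current user can open it.
# libusb_open() opens the usbfs node read-write, so a node the container's uid
# cannot both read and write yields exactly the LIBUSB_ERROR_ACCESS seen above.

# Extract the first /dev/bus/usb/BBB/DDD path from a pcscd log excerpt ($1).
usb_node_from_log() {
    printf '%s\n' "$1" | grep -o '/dev/bus/usb/[0-9][0-9][0-9]/[0-9][0-9][0-9]' | head -n 1
}

# Check whether this uid can open the node read-write.
# Returns 0 if accessible, 1 if present but not accessible, 2 if missing.
check_usb_access() {
    local node="$1"
    local mode owner
    if [ ! -e "$node" ]; then
        echo "missing: $node (was the bus passed through with --device?)"
        return 2
    fi
    mode=$(stat -c '%a' "$node")      # octal permission bits (GNU stat)
    owner=$(stat -c '%U:%G' "$node")  # owner:group as seen inside the container
    if [ -r "$node" ] && [ -w "$node" ]; then
        echo "ok: uid $(id -u) can open $node (mode $mode, owner $owner)"
        return 0
    fi
    echo "denied: uid $(id -u) cannot open $node (mode $mode, owner $owner)"
    return 1
}

# Constructed sample input: the CreateChannelByNameOrChannel line from the
# pcscd excerpt in the question.
SAMPLE_LOG='00000014 [140492827881984] ifdhandler.c:110:CreateChannelByNameOrChannel() Lun: 0, device: usb:1050/0407:libudev:0:/dev/bus/usb/001/014'

# Run this inside the container as the unprivileged user. The real node only
# exists when the USB bus has been passed through, hence the "|| true" so the
# script still finishes (and reports "missing") elsewhere.
node=$(usb_node_from_log "$SAMPLE_LOG")
echo "pcscd tried to open: $node"
check_usb_access "$node" || true
```

Run it inside the container as the yubikey user, feeding it the "device: usb:...:/dev/bus/usb/BBB/DDD" line from your own pcscd log; a "denied" result with a root-owned node is the same condition that libusb reports as LIBUSB_ERROR_ACCESS. stat -c is GNU coreutils syntax, which the ubuntu base image provides.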