Nitrokey HSM 2 loses USB connection sporadically

I have several Nitrokey HSM 2 devices.
They get used to sign software in a Docker container.
The USB port gets forwarded into the Docker container, which starts pcscd, and connectivity works (for the most part).
From time to time the connection to the HSM appears to die somehow inside the container. Restarting the container helps sometimes. Sometimes replugging the USB token or restarting the host is required.
Did someone else notice this?

I tested this with opensc 0.19 and 0.23. On Arch and on Ubuntu 20.04. On a laptop, a desktop and a server blade. The issue appears not to depend on the hardware.

There are only about 10-20 signatures done in close succession per run. The issue appears less often if I add sleeps in between.

The product is very nice and using it is easy compared to alternatives. But this really annoys me and has led to issues with customers.

The symptoms are that no connection to the Nitrokey can be established if a “disconnect” event occurs.

Any help is appreciated. If I can provide some kind of help or should perform some kind of tests, let me know. Not sure which logs to show here.

We don’t use Docker and I have never seen this. You might blame Docker for that probably :wink:

My setup is a USB-sharing device available over the network, and it presents itself as a virtual USB controller on the host. Anticipating problems with that, we decided not to use containers; there was also no real reason for it, given clean deployment.

Do you know for sure they work on the host running the containers? Also are you sure that some device does not get assigned to multiple containers simultaneously by chance?

One possible solution could be to run pcscd on the host and forward access to the HSMs using the p11-kit forwarding feature, at the much higher level of PKCS#11. Maybe it is an alternative to consider that could be used safely within the container.
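The forwarding arrangement suggested above, written out as an added example; this is not code from the thread, from Nitrokey or from the p11-kit project. On the host, `p11-kit server` loads OpenSC's PKCS#11 module and exposes the matching token on a unix socket; the container gets only that socket and a module config that points `p11-kit-client.so` at it, so neither pcscd nor the USB device is ever inside the container. Assumed, because the thread does not state them: the OpenSC module path, the container uid, the token filter (`pkcs11:manufacturer=www.CardContact.de` is an assumption for the SmartCard-HSM inside the Nitrokey HSM 2; a `pkcs11:token=...` label filter works just as well), the hypothetical `hsm-export` directory shared with the image, and that the signing image has p11-kit installed. The `p11-kit server` output embedded in `SAMPLE_SERVER_OUTPUT` is constructed to show the shape of what the parser expects.

```shell
#!/bin/sh
# Added example (not from the thread): run pcscd and OpenSC on the host only,
# and hand the container a p11-kit socket instead of the USB device.

# Assumptions, not stated in the thread:
OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
TOKEN_FILTER="${TOKEN_FILTER:-pkcs11:manufacturer=www.CardContact.de}"  # assumed filter; "pkcs11:" exports every token
EXPORT_DIR="${EXPORT_DIR:-/var/lib/hsm-export}"   # hypothetical dir bind-mounted into the container
SIGNER_IMAGE="${SIGNER_IMAGE:-signer:latest}"     # hypothetical image name

# Constructed sample of what `p11-kit server` prints (it emits shell text
# meant to be eval'd); used here so the parser can be exercised offline.
SAMPLE_SERVER_OUTPUT='P11_KIT_SERVER_ADDRESS=unix:path=/run/user/1000/p11-kit/pkcs11-4242; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=4242; export P11_KIT_SERVER_PID;'

# Pull the unix socket path out of the server's output.
server_socket_path() {
    printf '%s\n' "$1" | sed -n 's/^P11_KIT_SERVER_ADDRESS=unix:path=\([^;]*\);.*/\1/p'
}

# Pull the server pid out of the same output (needed to stop it later).
server_pid() {
    printf '%s\n' "$1" | sed -n 's/^P11_KIT_SERVER_PID=\([0-9]*\);.*/\1/p'
}

# Module config for the container's p11-kit: load p11-kit-client.so and talk
# to the forwarded socket instead of loading opensc-pkcs11.so locally.
# "critical: yes" makes a failure to reach the socket a hard error, which is
# what a signing job wants, rather than silently running with no token.
client_module_config() {
    printf 'module: p11-kit-client.so\nremote: unix:path=%s\ncritical: yes\n' "$1"
}

# Host side: start the server, drop the client config where the container
# can read it, and print the socket path for the docker invocation.
start_forwarding() {
    out=$(p11-kit server --provider "$OPENSC_MODULE" "$TOKEN_FILTER") || return 1
    sock=$(server_socket_path "$out")
    [ -S "$sock" ] || { echo "no socket found in: $out" >&2; return 1; }
    mkdir -p "$EXPORT_DIR/modules"
    client_module_config "$sock" > "$EXPORT_DIR/modules/nitrokey-hsm.module"
    printf '%s\n' "$out" > "$EXPORT_DIR/server.env"
    echo "$sock"
}

# Container side: mount only the socket and the module dir. No --device,
# no pcscd in the image; p11-kit-proxy.so reads /etc/pkcs11/modules and
# reaches the HSM through the socket.
run_signing_container() {
    sock="$1"; shift
    docker run --rm \
        -v "$sock:$sock" \
        -v "$EXPORT_DIR/modules:/etc/pkcs11/modules:ro" \
        "$SIGNER_IMAGE" "$@"
}

stop_forwarding() {
    pid=$(server_pid "$(cat "$EXPORT_DIR/server.env")")
    [ -n "$pid" ] && kill "$pid"
}

# Offline demo of the parsing/config step on the constructed sample.
demo() {
    client_module_config "$(server_socket_path "$SAMPLE_SERVER_OUTPUT")"
}

case "${1:-}" in
    start) start_forwarding ;;
    sign)  shift; run_signing_container "$@" ;;   # e.g. sign /run/user/1000/p11-kit/pkcs11-4242 pkcs11-tool --module p11-kit-proxy.so --list-slots
    stop)  stop_forwarding ;;
    demo)  demo ;;
esac
```

Two points worth checking before relying on this in a build: the socket's parent directory must be reachable by the uid the container process runs as (the server creates it under the host user's runtime dir), and the container must still get the PIN via its normal channel; p11-kit forwards PKCS#11 calls, it does not cache logins for you.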

You might blame docker for that probably

Eventually this might be the issue after all.

Do you know for sure they work on the host running the containers? Also are you sure that some device does not get assigned to multiple containers simultaneously by chance?

The whole setup is done with pcscd in container. Unrelated tests with simple signatures on the host never failed. There is only 1 container running in my test and in regular builds.

One possible solution could be to run pcscd on the host and forward access to the HSMs using p11-kit forwarding feature at a much higher level of PKCS#11, maybe it is an alternative to consider that could be used safely within the container.

This will be my next goto test if the issues get out of hand. Thanks.
