IPFS key rotate is tricky in docker environment

[markg85]

Hi,

I'm now running ipfs 0.7.0 in a docker container to not be reliant on my distribution with regards to updates.
IPFS itself works really well in docker these days, hats of to all the awesome improvements in 0.7.0!

Next i wanted to rotate my key to the shiny new ed25519!
So i typed:
docker exec ipfs_host ipfs key rotate -o self -t ed25519

This gave the following error:

Error: ipfs daemon is running. please stop it to run this command
Use 'ipfs key rotate --help' for information about this command

What it asks there, execute a command without running ipfs, is really not easy to do in docker!
Yes, i can do it. Just starting a new container with a different entrypoint and making it interactive will give me a container where i can jump in do as the command asks.

This isn't very user friendly and requires a bit of hassle to get working.
It might be better for IPFS to "remember" that i want to execute that command and that IPFS runs it on it's own when IPFS restarts.
The error then should tell me something like: "Restart IPFS to apply these changes" or something alike. That would make it perfectly usable in docker environments.

Cheers,
Mark

[lidel]

Official docker images from https://hub.docker.com/r/ipfs/go-ipfs/tags/ supports passing arbitrary ipfs * subcomands, so you don't need to docker exec, you can stop the container and then do rotation in ephemeral container that is temporarily executing against volume that is mounted under /data/ipfs:

# given container named 'ipfs-test' persists repo at /path/to/persisted/.ipfs
$ docker run -d --name ipfs-test -v /path/to/persisted/.ipfs:/data/ipfs ipfs/go-ipfs:v0.7.0 
$ docker stop ipfs-test  

# key rotation works like this (old key saved under 'old-self')
$ docker run --rm -it -v /path/to/persisted/.ipfs:/data/ipfs ipfs/go-ipfs:v0.7.0 key rotate -o old-self -t ed25519
$ docker start ipfs-test # will start with new key

Hope this helps.

I'm closing this, as we discussed this during weekly triage, and introducing additional complexity to the codebase to support "pending config updates" is not worth it if the above viable solution exists.

[markg85]

Well, that works indeed.
But it's cumbersome as you'd need to get the arguments right.

A "pending config updates" is more user friendly ;)