Configuration files for services #32336
Conversation
|
I would rather see secrets implemented as a
Unless I run this ?
Do you know where I can learn more about this design choice? |
|
@dnephin there are a lot of things packed in there. Ultimately we want to make sure people deal with sensitive data in a different way than they deal with configs.
I agree that a lot of these reasons are nuanced, but we feel like separating them is the right way to move forward. |
container/container_unix.go
Outdated
| @@ -168,6 +169,21 @@ func (container *Container) SecretMountPath() string { | |||
| return filepath.Join(container.Root, "secrets") | |||
| } | |||
|
|
|||
| // ConfigsDirPath returns the path to the directory where configs are stored on | |||
| // disk. | |||
| func (container *Container) ConfigsDirPath() string { | |||
There was a problem hiding this comment.
Wouldn't this be /configs/?
There was a problem hiding this comment.
This is where they are stored on the host filesystem, for mounting into the container.
container/container_unix.go
Outdated
| } | ||
|
|
||
| // ConfigFilePath returns the path to the on-disk location of a config. | ||
| func (container *Container) ConfigFilePath(configRefTarget *swarmtypes.ConfigReferenceFileTarget) (string, error) { |
There was a problem hiding this comment.
Weren't configs supposed to be mountable anywhere?
There was a problem hiding this comment.
This is referring to the path on the host. It gets bind-mounted at the target path inside the container.
|
moby/swarmkit#2036 was merged upstream. Updated to incorporate proper swarmkit vendor. No longer marked WIP. |
Sure it is, we've just made it slightly inconvenient. |
|
@dnephin I think you would agree those are separate concerns. Not allowing accidental secret retrieval by using the API (specially on the list secrets endpoint, which would return all secrets in plaintext), is not the same thing as a user intentionally deploying services with legitimate secret access to exfiltrate them. |
|
I've rebased and marked configs as an experimental feature. The API endpoints, CLI subcommand, flags for |
Sorry, separate from what? I was responding to this statement "secret data is never returned to the user after set", which I believe I've demonstrated to be incorrect. We do allow secret data to be returned, we've just made it (afaik unnecessarily) inconvenient.
Why would the list endpoint returns secret text? Most list endpoints do not return full data. They only return "summary data". I don't think the "list secret" endpoint needs to change. It would be equally appropriate for a "list configs" endpoint as it is now.
I agree, but how accidental is This was just a response to "Also it allows us to have different experiences to deal with sensitive data", which is what I'm challenging. I think for many users the distinction between a config and a secret is not clear. Many popular web frameworks expect credentials to be read from their config file. If users have passwords in their config files they should be using secrets, but they may also want to template that same config file. So I think it's quite possible that users will want to template secrets as well.
Even if this was a common case, it does not require two separate API endpoints or cmd-line arguments. Users are free to implement whatever process makes sense to them.
So far I don't see an argument for this:
|
|
Another issue that came up during the maintainers PR review session (that I guess wasn't mentioned here yet) is that Couldn't we just use |
|
|
Added config CLI unit tests inspired by #32289. |
|
Having these as experimental I think makes sense. It gives us time to let people test the feature before 17.06-stable and potentially pull it if it's not quite right. One suggestion made by @thaJeztah I think was |
No, you demonstrated that you can deploy an app that can exfiltrate secrets that have been handed to it, you didn't demonstrate the API allows you to leak secrets. That is what I mean by separate concerns. If you really want to protect your swarm from maliciously deployed containers, you'll have to deploy an AuthZ plugin that only runs signed code and segment the concerns.
Minimizing the ways secrets can get leaked from your swarm is a worth goal.
This is why we would like to template configs, so you can include secrets in them without having to handle configs themselves as sensitive.
You're absolutely entitled to have your opinion; ours (secrets team) has been that production setups always have distinct treatment/confidentiality/apis/control around what they deem to be secret data, and therefore, we should keep them separate. |
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
|
Rebased |
|
LGTM |
|
Janky failure (TestSwarmClusterRotateUnlockKey) is unrelated and this PR has gone through multiple rebases and I think it is time to put it out of its misery and merge the PR :) |
|
@aaronlehmann 🎉 🎉 |
This adds bash completion for - docker#45 - moby/moby#32336 Signed-off-by: Harald Albers <github@albersweb.de>
This adds bash completion for - docker#45 - moby/moby#32336 Signed-off-by: Harald Albers <github@albersweb.de>
This adds bash completion for - docker/cli#45 - moby/moby#32336 Signed-off-by: Harald Albers <github@albersweb.de> (cherry picked from commit c40952b3058db3c6e44bca8c518d888b83878ce5) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds bash completion for - docker#45 - moby/moby#32336 Signed-off-by: Harald Albers <github@albersweb.de>
This adds bash completion for - docker#45 - moby/moby#32336 Signed-off-by: Harald Albers <github@albersweb.de>
This adds bash completion for - docker/cli#45 - moby/moby#32336 Signed-off-by: Harald Albers <github@albersweb.de> (cherry picked from commit c40952b3058db3c6e44bca8c518d888b83878ce5) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds bash completion for - docker/cli#45 - moby/moby#32336 Signed-off-by: Harald Albers <github@albersweb.de> (cherry picked from commit c40952b) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Replicate relevant mutations to the in-memory ACID store. Readers will then be able to query container state without locking. Signed-off-by: Fabio Kung <fabio.kung@gmail.com> (cherry picked from commit eed4c7b) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> Conflicts: - daemon/daemon.go: missing moby#33241 - container/container_unix.go: missing moby#32336 - container/container_windows.go, daemon/container_operations.go: minor conflicts Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This adds a
docker configsubcommand and related APIs that allows "config" objects to be attached to services. Config files can be mounted inside services' containers, avoiding the need to bake configuration into images.Configuration files are similar to secrets, and in fact the CLI and API show few differences between the two. The principal differences so far are:
/run/secretsdirectory inside the container, as a design choice. Config files can be mounted anywhere.We are expecting to introduce some additional features for configs in the future that may cause the feature to diverge further from secrets. Although secrets and configs are very similar right now, we decided that creating a parallel API and subcommand was better than overloading secrets for use by things that do not have the same confidentiality requirements.
I suspect one thing that will come up in the review process is duplication of code between secrets and configs. This is definitely an issue, and I would have liked to reduce the level of duplication. However, with separate APIs and CLI subcommands, a certain amount of code duplication is unavoidable. Since the APIs use different types, and Go doesn't support generics, it's difficult to reuse code between the two implementations. Also, I didn't want to prematurely refactor things, since it's very possible that configs and secrets will diverge more soon (perhaps even during the review process). But if there are any suggestions for easy wins on reducing duplicated code, they are certainly welcome.
This feature is wanted for 17.05.
Marked WIP because this depends on moby/swarmkit#2036 (which should be merged shortly).
ping @dhiltgen @dnephin @aluzzardi @diogomonica