Project

General

Profile

Actions

Feature #13134

closed

[crunch-run] Support for secret_mounts

Added by Peter Amstutz over 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Story points:
-
Release relationship:
Auto

Description

See Container secret mounts.

  • New field called "secret_mounts" which can container "json" or "text" type mounts. These are processed the same way as normal mounts.
  • Add support for "text" type mounts which are literal text which is written to file during setup (similar to "json" type, but unstructured.)
  • Ensure that contents of "secret_mounts" isn't logged (eg container.json)
  • Ensure that contents of "secret_mounts" isn't captured in output collection

Note: for completeness, we should also have "secret_environment" and "secret_command" that are merged with the public environment and public command line respectively.


Subtasks 2 (0 open2 closed)

Task #13152: Review 13134-secret-mountsResolvedPeter Amstutz03/12/2018Actions
Task #13153: Support in crunch-runResolvedPeter Amstutz03/12/2018Actions

Related issues

Related to Arvados - Idea #13112: Provide a mechanism to store "secrets" securelyDuplicateActions
Actions #1

Updated by Peter Amstutz over 6 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Peter Amstutz over 6 years ago

  • Subject changed from [crunch-run] Support for secrets to [crunch-run] Support for secret_mounts
  • Description updated (diff)
Actions #3

Updated by Peter Amstutz over 6 years ago

  • Description updated (diff)
Actions #4

Updated by Peter Amstutz over 6 years ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz over 6 years ago

  • Description updated (diff)
Actions #6

Updated by Tom Clegg over 6 years ago

  • Related to Idea #13112: Provide a mechanism to store "secrets" securely added
Actions #7

Updated by Tom Clegg over 6 years ago

  • Description updated (diff)
Actions #8

Updated by Tom Morris over 6 years ago

  • Target version changed from Arvados Future Sprints to 2018-03-28 Sprint
Actions #9

Updated by Tom Morris over 6 years ago

  • Assigned To set to Tom Clegg
Actions #10

Updated by Tom Morris over 6 years ago

  • Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint
Actions #11

Updated by Tom Clegg over 6 years ago

  • Status changed from In Progress to New
  • Target version changed from 2018-03-14 Sprint to 2018-03-28 Sprint
Actions #12

Updated by Tom Morris over 6 years ago

  • Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint
Actions #13

Updated by Tom Morris over 6 years ago

  • Assigned To changed from Tom Clegg to Peter Amstutz
Actions #14

Updated by Lucas Di Pentima over 6 years ago

Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1

What happens when there are an equal mount and secret mount (is this allowed by the API server?), it seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it’s supposedly a secret mount.

Actions #15

Updated by Peter Amstutz over 6 years ago

Lucas Di Pentima wrote:

Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1

What happens when there are an equal mount and secret mount (is this allowed by the API server?), it seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it’s supposedly a secret mount.

The API server is supposed to check for this case and reject it. I suppose crunch-run could also detect that and report and error instead of having some slightly weird undefined behavior.

Actions #16

Updated by Peter Amstutz over 6 years ago

Added check for duplicate mounts. Now 13134-secret-mounts @ d6433abcf8b95012fee8a18a82edc88921d7544e

Actions #18

Updated by Lucas Di Pentima over 6 years ago

This LGTM, thanks.

Actions #19

Updated by Peter Amstutz over 6 years ago

  • Status changed from New to Resolved
Actions #20

Updated by Tom Morris about 6 years ago

  • Release set to 17
Actions

Also available in: Atom PDF