Feature #13134

[crunch-run] Support for secret_mounts

Added by Peter Amstutz almost 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Start date: 03/12/2018
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto

Description

See Container secret mounts.

  • New field called "secret_mounts" which can contain "json" or "text" type mounts. These are processed the same way as normal mounts.
  • Add support for "text" type mounts which are literal text which is written to file during setup (similar to "json" type, but unstructured.)
  • Ensure that contents of "secret_mounts" isn't logged (e.g. container.json)
  • Ensure that contents of "secret_mounts" isn't captured in output collection

Note: for completeness, we should also have "secret_environment" and "secret_command" that are merged with the public environment and public command line respectively.


Subtasks

Task #13152: Review 13134-secret-mounts (Resolved, Peter Amstutz)

Task #13153: Support in crunch-run (Resolved, Peter Amstutz)


Related issues

Related to Arvados - Story #13112: Provide a mechanism to store "secrets" securely (Duplicate)

Associated revisions

Revision 80081626
Added by Peter Amstutz over 1 year ago

Merge branch '13134-secret-mounts' closes #13134

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <>

History

#1 Updated by Peter Amstutz almost 2 years ago

  • Status changed from New to In Progress

#2 Updated by Peter Amstutz almost 2 years ago

  • Subject changed from [crunch-run] Support for secrets to [crunch-run] Support for secret_mounts
  • Description updated (diff)

#3 Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)

#4 Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)

#5 Updated by Peter Amstutz almost 2 years ago

  • Description updated (diff)

#6 Updated by Tom Clegg almost 2 years ago

  • Related to Story #13112: Provide a mechanism to store "secrets" securely added

#7 Updated by Tom Clegg almost 2 years ago

  • Description updated (diff)

#8 Updated by Tom Morris almost 2 years ago

  • Target version changed from Arvados Future Sprints to 2018-03-28 Sprint

#9 Updated by Tom Morris almost 2 years ago

  • Assigned To set to Tom Clegg

#10 Updated by Tom Morris almost 2 years ago

  • Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint

#11 Updated by Tom Clegg almost 2 years ago

  • Status changed from In Progress to New
  • Target version changed from 2018-03-14 Sprint to 2018-03-28 Sprint

#12 Updated by Tom Morris almost 2 years ago

  • Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint

#13 Updated by Tom Morris almost 2 years ago

  • Assigned To changed from Tom Clegg to Peter Amstutz

#14 Updated by Lucas Di Pentima over 1 year ago

Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1

What happens when there are an equal mount and secret mount (is this allowed by the API server?), it seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it’s supposedly a secret mount.

#15 Updated by Peter Amstutz over 1 year ago

Lucas Di Pentima wrote:

Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1

What happens when there are an equal mount and secret mount (is this allowed by the API server?), it seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it’s supposedly a secret mount.

The API server is supposed to check for this case and reject it. I suppose crunch-run could also detect that and report an error instead of having some slightly weird undefined behavior.

#16 Updated by Peter Amstutz over 1 year ago

Added check for duplicate mounts. Now 13134-secret-mounts @ d6433abcf8b95012fee8a18a82edc88921d7544e

#18 Updated by Lucas Di Pentima over 1 year ago

This LGTM, thanks.
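
Added example, not code from crunch-run or the Arvados project: one way to combine "mounts" and "secret_mounts" for uniform processing, reject a path that appears in both (the case raised in the review above), and keep secret content out of a logged record such as container.json. The `Mount` and `Container` shapes and the function names `MergeMounts` and `LoggableRecord` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed minimal shapes for this example, not the Arvados SDK's own types.
type Mount struct {
	Kind    string      `json:"kind"`              // secret mounts: "json" or "text"
	Content interface{} `json:"content,omitempty"` // literal payload written at setup
}
type Container struct {
	Mounts       map[string]Mount `json:"mounts"`
	SecretMounts map[string]Mount `json:"secret_mounts,omitempty"`
}

// MergeMounts returns one map to process uniformly; duplicates and bad kinds are errors.
func MergeMounts(c Container) (map[string]Mount, error) {
	all := make(map[string]Mount, len(c.Mounts)+len(c.SecretMounts))
	for path, m := range c.Mounts {
		all[path] = m
	}
	for path, m := range c.SecretMounts {
		if _, dup := c.Mounts[path]; dup {
			return nil, fmt.Errorf("mount target %q is in both mounts and secret_mounts", path)
		}
		if m.Kind != "json" && m.Kind != "text" {
			return nil, fmt.Errorf("secret mount %q has unsupported kind %q", path, m.Kind)
		}
		all[path] = m
	}
	return all, nil
}

// LoggableRecord serializes the record for logging with secret_mounts dropped.
func LoggableRecord(c Container) ([]byte, error) {
	c.SecretMounts = nil // c is a copy of the struct; the caller's map is untouched
	return json.Marshal(c)
}

func main() {
	c := Container{ // constructed sample input
		Mounts:       map[string]Mount{"/tmp": {Kind: "tmp"}},
		SecretMounts: map[string]Mount{"/secret/token": {Kind: "text", Content: "s3cr3t-example"}},
	}
	all, err := MergeMounts(c)
	rec, _ := LoggableRecord(c)
	fmt.Println(len(all), err, string(rec))
}
```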

#19 Updated by Peter Amstutz over 1 year ago

  • Status changed from New to Resolved

#20 Updated by Tom Morris over 1 year ago

  • Release set to 17
