Project

General

Profile

Container secret mounts » History » Revision 10

Revision 9 (Tom Clegg, 03/06/2018 04:10 PM) → Revision 10/11 (Tom Clegg, 03/13/2018 01:34 PM)

h1. Container secret mounts 

 This is a proposed modification to [[Containers API]]. 

 Add a "secret_mounts" serialized field to containers and container requests. 

 "secret_mounts" has the same form and behavior as "mounts", except: 
 * Only literal content is allowed (kind=text or kind=json) 
 * Current value is never returned in a container request or container API response 
 * Current value can be retrieved from a new API (@/arvados/v1/containers/$uuid/secret_mounts@) which must be authenticated by the container's own runtime token 
 * Never appears in container logs 
 * Never appears in the Arvados logs table 
 * Never appears in websocket updates 
 * Never appears in API server request logs 

 If a secret_mount target is below output_path in the filesystem, it is omitted from the output collection (but this is not an error). 

 It is an error to use the same mount target in a container request's @mounts@ and @secret_mounts@. 

 For clarity, some ways in which secret_mounts behaves like mounts are: 
 * Non-identical secret_mounts disqualifies a container for reuse. The mere existence of secret_mounts does not disqualify. 
 * secret_mounts can be set via container_requests#create and container_requests#update APIs 
 * secret_mounts cannot be null, but can be an empty hash 
 * keys of secret_mounts are paths in the container's filesystem, and always begin with "/" 

 "secret_mounts" api response: 

 <pre><code class="json"> 
 { 
   "secret_mounts": { 
     "/secrets/foo": { 
       "kind": "text", 
       "content": "foobar\n" 
     } 
   }, 
   "_response_time_or_other_api_metadata": "..." 
 } 
 </code></pre> 

 There is no support for secret environment variables or command line arguments. 

 Documentation note: Anyone who can modify a container request can access its secrets by changing the command, docker image, etc., and committing it. So be careful.