Container secret mounts » History » Version 7

« Previous - Version 7/10 (diff) - Next » - Current version
Tom Clegg, 03/01/2018 07:15 PM


Container secret mounts

This is a proposed modification to Containers API.

Add a "secret_mounts" serialized field to containers and container requests.

"secret_mounts" has the same form and behavior as "mounts", except:
  • Only literal content is allowed (kind=text or kind=json)
  • Current value is never returned in a container request or container API response
  • Current value can be retrieved from a new API (/arvados/v1/containers/$uuid/secret_mounts) which must be authenticated by the container's own runtime token
  • Never appears in container logs
  • Never appears in the Arvados logs table
  • Never appears in websocket updates
  • Never appears in API server request logs

If a secret_mount target is below output_path in the filesystem, it is omitted from the output collection (but this is not an error).

For clarity, some ways in which secret_mounts behaves like mounts are:
  • Non-identical secret_mounts disqualifies a container for reuse. The mere existence of secret_mounts does not disqualify.
  • secret_mounts can be set via container_requests#create and container_requests#update APIs
  • secret_mounts cannot be null, but can be an empty hash
  • keys of secret_mounts are paths in the container's filesystem, and always begin with "/"

There is no support for secret environment variables or command line arguments.

"secret_mounts" api response:

{
  "secret_mounts": {
    "foo": "bar" 
  },
  "_response_time_or_other_api_metadata": "..." 
}