Actions
Container secret mounts » History » Revision 8
« Previous |
Revision 8/11
(diff)
| Next »
Tom Clegg, 03/01/2018 07:28 PM
Container secret mounts¶
This is a proposed modification to Containers API.
Add a "secret_mounts" serialized field to containers and container requests.
"secret_mounts" has the same form and behavior as "mounts", except:- Only literal content is allowed (kind=text or kind=json)
- Current value is never returned in a container request or container API response
- Current value can be retrieved from a new API (
/arvados/v1/containers/$uuid/secret_mounts
) which must be authenticated by the container's own runtime token - Never appears in container logs
- Never appears in the Arvados logs table
- Never appears in websocket updates
- Never appears in API server request logs
If a secret_mount target is below output_path in the filesystem, it is omitted from the output collection (but this is not an error).
For clarity, some ways in which secret_mounts behaves like mounts are:- Non-identical secret_mounts disqualifies a container for reuse. The mere existence of secret_mounts does not disqualify.
- secret_mounts can be set via container_requests#create and container_requests#update APIs
- secret_mounts cannot be null, but can be an empty hash
- keys of secret_mounts are paths in the container's filesystem, and always begin with "/"
"secret_mounts" api response:
{
"secret_mounts": {
"foo": "bar"
},
"_response_time_or_other_api_metadata": "..."
}
There is no support for secret environment variables or command line arguments.
Documentation note: Anyone who can modify a container request can access its secrets by changing the command, docker image, etc., and committing it. So be careful.
Updated by Tom Clegg almost 7 years ago · 11 revisions