Container secret mounts » History » Revision 9
Revision 8 (Tom Clegg, 03/01/2018 07:28 PM) → Revision 9/11 (Tom Clegg, 03/06/2018 04:10 PM)
h1. Container secret mounts This is a proposed modification to [[Containers API]]. Add a "secret_mounts" serialized field to containers and container requests. "secret_mounts" has the same form and behavior as "mounts", except: * Only literal content is allowed (kind=text or kind=json) * Current value is never returned in a container request or container API response * Current value can be retrieved from a new API (@/arvados/v1/containers/$uuid/secret_mounts@) which must be authenticated by the container's own runtime token * Never appears in container logs * Never appears in the Arvados logs table * Never appears in websocket updates * Never appears in API server request logs If a secret_mount target is below output_path in the filesystem, it is omitted from the output collection (but this is not an error). For clarity, some ways in which secret_mounts behaves like mounts are: * Non-identical secret_mounts disqualifies a container for reuse. The mere existence of secret_mounts does not disqualify. * secret_mounts can be set via container_requests#create and container_requests#update APIs * secret_mounts cannot be null, but can be an empty hash * keys of secret_mounts are paths in the container's filesystem, and always begin with "/" "secret_mounts" api response: <pre><code class="json"> { "secret_mounts": { "/secrets/foo": { "kind": "text", "content": "foobar\n" } "foo": "bar" }, "_response_time_or_other_api_metadata": "..." } </code></pre> There is no support for secret environment variables or command line arguments. Documentation note: Anyone who can modify a container request can access its secrets by changing the command, docker image, etc., and committing it. So be careful.