Please consider adding support for setting the mode for secrets

Question

Please consider adding support for setting the mode for secrets

zoredache opened this issue 6 years ago · 7 comments

I want to run job, that will use do a git pull via ssh. I pass in the ssh private key via a secret ssh fails, since the permissions are 0444. Other software things that use secrets might check the permissions.

jaas run  --verbose \
          --image myimage \
          --secret 20190309_ed25519 \
          --command "/srv/myjob.sh"

...6427Z @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
...7126Z @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
...3926Z @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
...9526Z Permissions 0444 for '/run/secrets/20190309_ed25519' are too open.
...4826Z It is required that your private key files are NOT accessible by others.
...0226Z This private key will be ignored.

alexellis commented 5 years ago

..

Answer 1 · 2019-07-18T09:18:29.000Z

Does Swarm support that? If so, please propose how you'd like to see that change implemented.

Answer 2 · 2019-07-18T17:11:33.000Z

Yes, swarm supports that. The docker service create --secret has a short and long form options.

https://docs.docker.com/engine/reference/commandline/service_create/#create-a-service-with-secrets

docker service create 
    --secret source=app-key,target=app,uid=1000,gid=1001,mode=0400 \

In the [PR that added](- #30 (comment)
) secrets last year it was even discussed. But apparently it was decided to go with the default UID/GID/Mode with no option to configure instead of just having some defaults, and only setting them if the user provided additional values from the command line.

Anyway, I am just wishing I could pass values for the UID/GID/Mode that seem to be set here.

https://github.com/alexellis/jaas/blob/master/cmd/run.go#L192

I am sorry I can't provide you a PR, but I don't know go, and am low on time at the moment to work on learning it.

Answer 3 · 2019-07-18T18:36:35.000Z

If I spent my time building this feature for you, could you and would you use it?

Answer 4 · 2019-12-11T02:31:09.000Z

Just FYI
This would actually have helped me when implementing a backup script using BorgBackup.
I worked around this restriction by copying the secret file in the container, which may be not so good for security reason.

Answer 5 · 2019-12-11T10:34:33.000Z

@TakafumiKoyama thanks for sharing your use-case.

A better workaround would be to chmod in the container before using it perhaps?

Contributions are welcome, if you have a commercial use for this, feel free to hire me to build the feature. sales@openfaas.com

Answer 6 · 2019-12-11T14:41:55.000Z

@alexellis thanks for offering.
We have paused that backup project for now, I'll consider the options once it resumes.

As for the workaround, chmod did not work because the secret is mounted as read-only filesystem.

$ echo abc | docker secret create foo -
2x6daavnaq3pomtpty4ebxsu6

$ jaas run --remove --image ubuntu --secret foo --command "chmod 0400 /run/secrets/foo"
Service created: hungry_tereshkova (uacc10sozpvbd61c1ywyq81r2)
ID:  uacc10sozpvbd61c1ywyq81r2  Update at:  2019-12-11 14:24:58.406516025 +0000 UTC
..........

Exit code: 1
State: failed


Printing service logs
h2019-12-11T14:25:03.183427890Z chmod: changing permissions of '/run/secrets/foo': Read-only file system

Removing service...