Use the FD provider to facilitate root:root ownership of the secrets file #1172
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
marcparadise
approved these changes
Mar 23, 2017
We now depend on file handles being passed between processes, and it is nice to be able to test this in the shell, so we use this magical option. Signed-off-by: Steven Danna <[email protected]>
Signed-off-by: Steven Danna <[email protected]>
To use the FD provider in Veil, we need to be able to pass open file descriptors to processes `dvm` starts. Signed-off-by: Steven Danna <[email protected]>
Signed-off-by: Steven Danna <[email protected]>
We no longer need this owned by opscode:opscode becuase all applications now use either the FD provider or the Env provider to access secrets. Signed-off-by: Steven Danna <[email protected]>
Signed-off-by: Steven Danna <[email protected]>
Signed-off-by: Stephan Renatus <[email protected]>
Signed-off-by: Stephan Renatus <[email protected]>
opscode-erchef's veil-env-helper _requires_ this, so it better be there. For some reason, I didn't have it, and it feels like this could be easily avoided like this. Signed-off-by: Stephan Renatus <[email protected]>
Signed-off-by: Steven Danna <[email protected]>
stevendanna
force-pushed
the
use-env
branch
2 times, most recently
from
e4759a9 to
689278f
Compare
|
Depends on chef/chef_secrets#20 |
srenatus
approved these changes
Mar 24, 2017
| @@ -7,7 +7,17 @@ def self.get(group, name) | |||
| end | |||
|
|
|||
| def initialize | |||
| @veil = Veil::CredentialCollection.from_config(provider: 'chef-secrets-fd') | |||
| # TODO(ssd) 2017-03-24: This should maybe go in chef-secrets itself | |||
There was a problem hiding this comment.
👍 I agree, but this is ok for now
We've been hitting a problem with the FD provider in travis even though it works locally on OS X and locally in an Ubuntu VM on the same version of ruby being used in travis. To avoid this for now, we use the environment provider. Signed-off-by: Steven Danna <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The FD provider from veil/chef-secrets expects that the application has been passed a file descriptor containing the secrets it needs. This file descriptor can be owned by the supervisor before we drop permissions, allowing us to keep the secrets store owned as root.
oc-id was the most problematic application to move to this method since ruby's
execmethod closes all file handles by default.<srenatus> Update Since it'd be a bigger change to get opscode-expander to use the FD method, it's still using the env provider. This allows us to keep the secrets file owned by root:root, but leaks the secret into procfs. However, that (synthetic) file only contains the one password expander needs, and is only readable by opscode, so from a security perspective, this leaves us in a much better place than having the complete secrets file readable by opscode. </srenatus>