[CI:DOCS] Pass secrets from the host down to internal podman containers #20659
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
@gardar could you make sure this does what you want?
@rhatdan sure, thanks! I'll do it once I get back to the office after the weekend.
Tentative LGTM.
Would be great to have this tested in CI.
While I understand what you are trying to do, it seems that /run/secrets is overloaded. If you create the outer container with a secret, it will be written to /run/secrets. Thus this patch will leak all secrets to the inner container, which seems undesirable if not outright dangerous, as I cannot imagine anyone expecting this.
Is there a way to only limit this to the RHEL subscription?
Yes, with |
I agree that there could be a leak, but doing Since this is not a general purpose container, I think it is safe to do |
We could add an optional volume construct, Could go all the way to
Which would create the source volume if it did not exist (matching Docker behavior).
Well, I think secrets generally contain sensitive data, thus leaking them without any user consent to the inner container may be very bad.
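To make the leak the reviewer describes concrete, here is an added example (not code from this PR, from podman, or from any of the commenters) that simulates the two approaches on a constructed secrets tree. It stands in for a bind mount with a file copy, and the subscription entry names (`rhsm`, `etc-pki-entitlement`) and the allow-list built from them are assumptions; the `db-password` entry plays the role of a user secret that was created with `podman secret` and landed in the outer container's /run/secrets. Forwarding the whole directory hands that user secret to the inner container; a default-deny allow-list forwards only the subscription material.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the outer container's /run/secrets.
# "rhsm" and "etc-pki-entitlement" are ASSUMED names for subscription
# material; "db-password" represents an ordinary user secret.
HOST_SECRETS = {
    "rhsm/rhsm.conf": "[server]\nhostname = subscription.rhsm.redhat.com\n",
    "etc-pki-entitlement/1234.pem": "-----BEGIN CERTIFICATE-----\n...\n",
    "db-password": "hunter2\n",
}

# ASSUMED allow-list: only subscription-related top-level entries may flow
# down to the inner container. Anything else is denied by default.
SUBSCRIPTION_ALLOWLIST = ("rhsm", "etc-pki-entitlement")


def listing(root: Path) -> set:
    """Relative paths of every regular file under root."""
    return {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}


def make_outer_secrets(root: Path) -> Path:
    """Write the constructed secrets tree under root/run/secrets."""
    secrets = root / "run" / "secrets"
    for rel, content in HOST_SECRETS.items():
        target = secrets / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return secrets


def forward_all(outer: Path, inner: Path) -> set:
    """Model of mounting /run/secrets wholesale: every entry is exposed."""
    if inner.exists():
        shutil.rmtree(inner)
    shutil.copytree(outer, inner)
    return listing(inner)


def forward_allowlisted(outer: Path, inner: Path,
                        allow=SUBSCRIPTION_ALLOWLIST) -> set:
    """Model of forwarding only allow-listed entries (default deny)."""
    inner.mkdir(parents=True, exist_ok=True)
    for entry in outer.iterdir():
        if entry.name not in allow:
            continue  # user secrets such as db-password stay outside
        dest = inner / entry.name
        if entry.is_dir():
            shutil.copytree(entry, dest, dirs_exist_ok=True)
        else:
            shutil.copy2(entry, dest)
    return listing(inner)


def demo() -> tuple:
    """Return (files seen by wholesale forward, files seen by allow-list forward)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        outer = make_outer_secrets(root / "outer")
        leaked = forward_all(outer, root / "inner_all" / "run" / "secrets")
        filtered = forward_allowlisted(
            outer, root / "inner_filtered" / "run" / "secrets")
    return leaked, filtered


if __name__ == "__main__":
    leaked, filtered = demo()
    print("wholesale forward exposes:", sorted(leaked))
    print("allow-listed forward exposes:", sorted(filtered))
```

The point of the allow-list is that it is keyed on names the image maintainer chose, not on whatever happens to be present in /run/secrets at runtime, so a secret added to the outer container later cannot silently widen what the inner container sees.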
f55d29b to 8e21e72
This change will allow RHEL subscriptions from the host to flow to internal containers.
Fixes: containers/common#1735
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
8e21e72 to 5dc8074
Am I understanding it correctly that this proposed change only fixes the issue when using the |
This will only fix this for podmanimage(s), but gives a guide to others on how to handle it.
Ok, that's what I thought.
You could potentially do something there, but it would be an abuse and would hard-code RHEL semantics into the tool. Currently the tool is generalized to look for a file and then copy the contents of that file into the container. I would not want to hard-code this path into podman/buildah.
@rhatdan it seems like you didn't fix #20659 (comment). This means podman will print a bunch of warnings if the container is run on a non-RHEL/Fedora based host.
This change will allow RHEL subscriptions from the host to flow to internal containers.
Fixes: containers/common#1735