This repository has been archived by the owner on Oct 16, 2020. It is now read-only.
Container Linux Config Transpiler does not support ETCD_SSL_DIR #2565
Comments
devurandom added a commit to devurandom/typhoon that referenced this issue Mar 12, 2019
This is supposed to slightly improve security. Since we do not yet know the IP address of the machine when rendering the template in Terraform, we use Container Linux Config's support for CoreOS Metadata to resolve it during installation. This requires that we use the Container Linux Config `etcd` structure instead of manipulating the `etcd-member.service` directly, because the Container Linux Config transpiler will only interpolate `{}` statements in that section, but not in `systemd` units. Since the Container Linux Config transpiler currently provides no way to set the `ETCD_SSL_DIR` which `/usr/lib/coreos/etcd-wrapper` will mount into the container, we still need to override this environment variable in `etcd-member.service` ourselves. See-Also: coreos/bugs#2565
devurandom added a commit to devurandom/typhoon that referenced this issue Mar 12, 2019
This is supposed to slightly improve security. Since we do not yet know the IP address of the machine when rendering the template in Terraform, we use Container Linux Config's support for CoreOS Metadata to resolve it during installation. This requires that we use the Container Linux Config `etcd` structure instead of manipulating the `etcd-member.service` directly, because the Container Linux Config transpiler will only interpolate `{}` statements in that section, but not in `systemd` units. Since the Container Linux Config transpiler currently provides no way to set the `ETCD_SSL_DIR` which `/usr/lib/coreos/etcd-wrapper` will mount into the container, we still need to override this environment variable in `etcd-member.service` ourselves. See-also: coreos/bugs#2565 Signed-off-by: Dennis Schridde <devurandom@gmx.net>
As a workaround you can add a dropin unit to the This is because we currently only support the command line options from etcd (which can be specified by env vars as well) but the We're pretty bogged down with Fedora CoreOS work at the moment, but if you want to submit a PR I can definitely get that through review and cut a new release with it.
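The workaround discussed in this thread, written out as a Container Linux Config (an added example, not taken from the issue or from the referenced commits): the `etcd` section carries the `{PRIVATE_IPV4}` interpolation, and a separate drop-in on `etcd-member.service` sets `ETCD_SSL_DIR`. The member name, the drop-in file name, the host directory `/etc/ssl/etcd` and the certificate file names are assumptions.

```yaml
# Container Linux Config, input to the Config Transpiler (added example).
etcd:
  # {PRIVATE_IPV4} is resolved from CoreOS Metadata at install time. The
  # transpiler interpolates it in this section, but not in systemd units.
  name: etcd0                                    # constructed member name
  advertise_client_urls: https://{PRIVATE_IPV4}:2379
  listen_client_urls: https://{PRIVATE_IPV4}:2379
  initial_advertise_peer_urls: https://{PRIVATE_IPV4}:2380
  listen_peer_urls: https://{PRIVATE_IPV4}:2380
  # Paths as etcd sees them inside the container: etcd-wrapper mounts the
  # host directory named by ETCD_SSL_DIR at /etc/ssl/certs.
  # File names below are constructed for this example.
  cert_file: /etc/ssl/certs/etcd/server.crt
  key_file: /etc/ssl/certs/etcd/server.key
  trusted_ca_file: /etc/ssl/certs/etcd/server-ca.crt
  client_cert_auth: true
  peer_cert_file: /etc/ssl/certs/etcd/peer.crt
  peer_key_file: /etc/ssl/certs/etcd/peer.key
  peer_trusted_ca_file: /etc/ssl/certs/etcd/peer-ca.crt
  peer_client_cert_auth: true

systemd:
  units:
    - name: etcd-member.service
      enable: true
      dropins:
        # The etcd section above is rendered by the transpiler into
        # 20-clct-etcd-member.conf. It has no key for ETCD_SSL_DIR, so the
        # variable is set in a second, hand-written drop-in.
        - name: 40-etcd-ssl-dir.conf             # assumed file name
          contents: |
            [Service]
            Environment="ETCD_SSL_DIR=/etc/ssl/etcd"
```

On a provisioned machine, `systemctl cat etcd-member.service` lists both drop-ins, which confirms that the generated one and the hand-written one are applied together.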
Issue Report
Bug
Container Linux Version
Environment
What hardware/cloud provider/hypervisor is being used to run Container Linux?
Digital Ocean
Expected Behavior
Setting `etcd.ssl_dir` Container Linux Config parameter should set the `ETCD_SSL_DIR` environment variable in `/etc/systemd/system/etcd-member.service.d/20-clct-etcd-member.conf`, so that there is a way to influence which host directory `/usr/lib/coreos/etcd-wrapper` will mount at `/etc/ssl/certs` in the container.
Actual Behavior
The `etcd` Container Linux Config structure offers no way of influencing the `ETCD_SSL_DIR` environment variable.