Update default.conf #2982
In default.conf cleaned up all cases of config variables for secret values i.e. have a generic explanation comment at the beginning instead of several similar comments at each place
When VAR is for a secret value we must also in case of VAR="${VAR:-default}" use { VAR="${VAR:-default}" ; } 2>/dev/null otherwise when VAR is already set as VAR=secret then with 'set -x' the plain VAR="${VAR:-default}" would reveal the secret in the log as 'VAR=secret'
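The effect described in the commit message above, as an added example that is not part of the pull request or of ReaR: a child bash with 'set -x' is given a preset variable and its trace is searched for the value. DEMO_PASSWORD, its value and the helper names are constructed for the demonstration; the third case goes one step beyond the text and shows that the guard covers only the assignment line, not a later traced command that expands the variable.

```bash
#!/usr/bin/env bash
# Added demonstration; DEMO_PASSWORD and its value are constructed, not ReaR names.
SECRET='constructed-s3cr3t-value'

# Three ways a config file might handle the variable. Single quotes keep the
# text unexpanded until the child shell runs it.
plain='DEMO_PASSWORD="${DEMO_PASSWORD:-default}"'
guarded='{ DEMO_PASSWORD="${DEMO_PASSWORD:-default}" ; } 2>/dev/null'
later_use="$guarded"'; : "$DEMO_PASSWORD"'

# Run a snippet in a child bash where DEMO_PASSWORD is already set (as if by an
# earlier config file) and xtrace is on; print only what went to stderr.
trace_of() {
    DEMO_PASSWORD="$SECRET" bash -c "set -x; $1" 2>&1 >/dev/null
}

# Return 0 if the trace of the snippet contains the secret value.
leaks() {
    trace_of "$1" | grep -qF -- "$SECRET"
}

report() {
    if leaks "$2"; then
        echo "$1: secret appears in the trace"
    else
        echo "$1: secret does not appear in the trace"
    fi
}

report 'plain assignment'   "$plain"
report 'guarded assignment' "$guarded"
report 'guarded, then used' "$later_use"
```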
In my recent What is actually meant is the |
Keep the information that default.conf is sourced by usr/sbin/rear directly (using 'source') while {site,local}.conf are sourced using Source() which can 'set -x'.
Regarding
Yes and no ;-) Yes, No, And - as always - tertium datur: |
Also, we should remember to declare every new secret variable in default.conf this way and if we do, it makes the file uglier.
Have you actually used a debugscript log file to find out what the user has set? Personally I always ask users to provide their {local,site}.conf files if I need to see configuration parameters for debugging.
You could use a heuristics : see the regex in #2967 (comment). Another idea: perhaps we could introduce yet another config file called |
usr/share/rear/conf/default.conf
@@ -2264,7 +2266,8 @@ GALAXY11_Q_ARGUMENTFILE= | |||
# CommVault login credentials for restore | |||
# Remember to adequately protect the rescue media if you include credentials in it | |||
GALAXY11_USER=${GALAXY11_USER:-} | |||
GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-} | |||
{ GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-} ; } 2>/dev/null | |||
# In local.conf set it confidentially via { GALAXY11_PASSWORD='secret_password' ; } 2>/dev/null |
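Review bot: The new guarded assignment leaves the expansion unquoted (GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-}), while the pattern given in the pull request text is { VAR="${VAR:-default}" ; } 2>/dev/null; writing "${GALAXY11_PASSWORD:-}" here keeps default.conf consistent with its own template, even though Bash does not word-split on assignment. The 2>/dev/null on the group hides the trace only while 'set -x' output is written to stderr, so the generic explanation at the top of the file should state that dependency once rather than leaving it implicit in each guarded line.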
I'd prefer this type of explanation to appear only once at the top
I have this special additional explanation because
{ GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-} ; } 2>/dev/null
is not a correct template for how to set it in local.conf, but
{ GALAXY11_PASSWORD='secret_password' ; } 2>/dev/null
is a template which can be used even for copy&paste.
I'd like to leave at least a little bit of their own thinking to our users, so having a general explanation for how to set secret variables at the top of default.conf should really suffice. For my taste, we already have way too many long explanations in our default.conf that I need to scroll by while looking for the actual variables.
My experience over almost 25 years with various kinds of users
tells that the majority of users who think about what they do
is not the problem - the problem is the few who do not think.
Nevertheless - hope dies last - so:
1d8d0e8
I understand that the long explanatory comments in default.conf
make it hard to get a concise overview of the config variables.
I think without any comments
# grep -v '^#' usr/share/rear/conf/default.conf
outputs too little information.
So I suggest to distinguish between essential comments
and additional explanatory comments by using
different comment marks, for example
'# ' for essential comments and
'## ' for additional explanatory comments
like:
####
# VAR
# What to do.
## Via VAR you can specify what to do as an array of strings.
## The strings must be of the following form ...
## For example you could specify ...
## VAR=( ... )
## Alternatively you may even use
## VAR=( ... )
## for the special use case of ...
# By default do this, that, and something else:
VAR=( 'this' 'that' 'something else' )
####
Yes, we can add a new config (I'd call it In the sense of keeping things simple I'd prefer such a "low tech" approach, at least for now and as long as we use Bash to read configuration variables. |
In etc/rear/local.conf added an explanation how to set a secret value
@pcahyna regarding your of course it is our duty to implement special care In the past I have used the debugscript log file Show all values, also defaults, not just those set by the user, |
A totally offhanded perhaps a bit crazy idea: When all possibly secret variables are set in default.conf
we could extract those variable names via some regexp
I.e. do something similar as what we currently do via |
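One way the regexp idea above could look, as an added example that is not ReaR code: it treats the guarded form { VAR=... ; } 2>/dev/null as the marker for a secret variable and extracts the names. Both config excerpts and their values are constructed, and the follow-on check of a local.conf for unguarded assignments is an assumption about how the list might be used, not something the thread specifies.

```bash
#!/usr/bin/env bash
# Added example, not ReaR code. Both excerpts below are constructed.
default_conf_excerpt() {
cat <<'EOF'
GALAXY11_USER=${GALAXY11_USER:-}
{ GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-} ; } 2>/dev/null
{ YUM_ROOT_PASSWORD='root' ; } 2>/dev/null
EOF
}

local_conf_excerpt() {
cat <<'EOF'
GALAXY11_USER='constructed-user'
GALAXY11_PASSWORD='constructed-value'
{ YUM_ROOT_PASSWORD='constructed-value' ; } 2>/dev/null
EOF
}

# stdin: a default.conf. Print the names of variables that are assigned in the
# guarded form, one per line.
secret_var_names() {
    sed -n 's|^[[:space:]]*{[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*;[[:space:]]*}[[:space:]]*2>/dev/null[[:space:]]*$|\1|p'
}

# stdin: a local.conf; $1: newline-separated secret variable names.
# Print "LINE:NAME" for each of them that is assigned without the guard.
# Everything from '=' on is cut off so the report does not repeat the value.
unguarded_secrets() {
    [ -n "$1" ] || return 0
    pattern=$(printf '%s\n' "$1" | paste -sd'|' -)
    grep -nE "^[[:space:]]*($pattern)=" | sed 's/=.*//'
}

names=$(default_conf_excerpt | secret_var_names)
echo "secret variables declared in default.conf:"
printf '  %s\n' $names
echo "unguarded assignments in local.conf:"
local_conf_excerpt | unguarded_secrets "$names"
```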
One more extra explanation.
I was thinking that of course default values can never be secret, so that strictly speaking it is not required to do for example { YUM_ROOT_PASSWORD='root' ; } 2>/dev/null.
I do see value in using this way of specifying the variables as a way to mark for us and our users that we mean this to be a secret variable.
Thanks a lot for cleaning up the default conf and feel free to merge when you are ready.
Less duplicate explanation in local.conf - instead a generic reference to default.conf
In the new explanatory comment in default.conf the part
triggered |
Those are the config variables that could have secret values:
For each of them I will check our code that According to the output of
all except BACKUP_PROG_CRYPT_KEY For GALAXY11_PASSWORD I did already |
Type: Cleanup
Impact: Normal
Reference to related issue (URL):
Follow-up of
Increase USER_INPUT_INTERRUPT_TIMEOUT default from 10 to 30 seconds #2981
How was this pull request tested?
Not tested
Brief description of the changes in this pull request:
In default.conf cleaned up
all cases of config variables for secret values
i.e. have a generic explanation comment at the beginning
instead of several similar comments at each place