LoadCredential's unix domain socket support doesn't allow us to communicate that credential does not exist #27373
Comments
Example code where I am running into this issue:
Hmm, the current "protocol" is designed to transfer creds, not to not transfer them ;-) I guess we could change things so that an empty cred is automatically suppressed. People who actually want empty creds could then combine LoadCredential= with SetCredential= on the same credential, and assign an empty string that way. But yeah, you have a point, something like varlink becomes tempting for this...
So, as discussed elsewhere: we should tweak systemd's logic so that the socket can also be an AF_UNIX/SOCK_SEQPACKET socket. Then we'll try to read exactly one datagram off it. If it works (even if zero sized) it's a valid datagram. If however the server disconnects our connection before sending us a single datagram it would mean "go away, I have no cred for you". Sounds simple enough.
There was also a request to allow sending multiple credentials over a single AF_UNIX socket, maybe we can do that with SEQPACKET as well somehow?
Hmm, what does that mean? "allow sending multiple credentials"?
To allow services to configure a credential glob (e.g.
For example when you point
This is because most secret management products (AWS Secrets Manager, Google Secret Manager, Vault, Kubernetes Secrets) model secrets as directories with key-value pairs at the leaves of the tree.
So it would be useful if I have and would put them in
Can we distinguish "0" bytes vs "stream was closed" with
Yes.
Component: other
Is your feature request related to a problem? Please describe
When pointing `LoadCredential=` at a unix domain socket, there is no way to communicate back to systemd that the credential doesn't exist, like with the file-based approach. I tried closing the unix domain socket connection, but that just leads to an empty file being mounted into the service. Is there a way to communicate back, from the listener's perspective, that a credential doesn't exist?
Describe the solution you'd like
I wonder if it would be better if, instead of using the source address as the credential name, we would just have some in-band communication protocol like Varlink. That'd also open up the possibility of reloading credentials over the socket, or loading multiple credentials over a single connection, like when `LoadCredential=` points to a directory.
Describe alternatives you've considered
Not using systemd credentials
The systemd version you checked that didn't have the feature you are asking for
253
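The SOCK_SEQPACKET protocol sketched in the comments (one datagram, possibly empty, means "here is the credential"; closing before sending any datagram means "no such credential") and the "0 bytes vs. stream was closed" question, as an added Python example. This is illustrative code written for this page, not systemd's implementation and not code from the issue. It assumes the loader identifies itself by binding its client socket to an abstract address of the form `@<random>/unit/<unit>/<credential ID>` (that is how the current stream-socket convention is documented; verify against systemd.exec(5) for your version), and it uses `SO_PASSCRED` to tell a zero-length datagram apart from EOF: on Linux every received datagram then carries an `SCM_CREDENTIALS` control message, while EOF carries none. That mechanism is this example's choice, not something the thread settled on. The credential store is a constructed sample.

```python
# Added example: toy SOCK_SEQPACKET credential server plus the loader side.
# Not systemd's code. Assumptions (see lead-in): abstract peer-name layout
# "@<random>/unit/<unit>/<credential ID>", and SO_PASSCRED as the way to
# distinguish an empty datagram from a closed connection.
import os
import socket
import tempfile
import threading

# Constructed sample store, standing in for a Vault/Kubernetes-style secret tree.
SAMPLE_STORE = {
    "db-password": b"s3cr3t",
    "empty-but-present": b"",   # a legitimately empty credential
}

# struct ucred on Linux is three ints: pid, uid, gid.
_UCRED_SIZE = 12


def parse_peer_name(peer):
    """Return (unit, credential_id) from the loader's abstract source address."""
    if not isinstance(peer, bytes) or not peer.startswith(b"\0"):
        raise ValueError("peer is not an abstract AF_UNIX address")
    _random, rest = peer[1:].decode().split("/unit/", 1)
    unit, cred_id = rest.split("/", 1)
    return unit, cred_id


def serve_one(conn, store):
    """Server side: answer one accepted connection. Returns the ID served or None."""
    with conn:
        try:
            _unit, cred_id = parse_peer_name(conn.getpeername())
        except ValueError:
            return None                 # malformed peer name: treat as missing
        if cred_id not in store:
            return None                 # close without a datagram == "no credential"
        conn.send(store[cred_id])       # a zero-length datagram is still one datagram
        return cred_id


def fetch_credential(path, unit, cred_id):
    """Loader side: the credential bytes, or None if the server closed without
    sending a datagram."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_SEQPACKET) as s:
        # recv() returns 0 both for an empty datagram and for EOF. With
        # SO_PASSCRED set, a datagram arrives with an SCM_CREDENTIALS control
        # message attached; EOF arrives with no control message at all.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        nonce = int.from_bytes(os.urandom(8), "big")
        s.bind(b"\0%x/unit/%s/%s" % (nonce, unit.encode(), cred_id.encode()))
        s.connect(path)
        data, ancdata, _flags, _addr = s.recvmsg(1 << 20, socket.CMSG_SPACE(_UCRED_SIZE))
        got_datagram = any(level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS
                           for level, ctype, _payload in ancdata)
        return data if got_datagram else None


def run_server(path, store, n_requests):
    """Bind a SOCK_SEQPACKET listener at path and serve n_requests in a thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    srv.bind(path)
    srv.listen(8)

    def loop():
        with srv:
            for _ in range(n_requests):
                conn, _peer = srv.accept()
                serve_one(conn, store)

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return t


def demo():
    """Exercise present, present-but-empty and missing credentials end to end."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "creds.sock")
        server = run_server(path, SAMPLE_STORE, 3)
        results = {cid: fetch_credential(path, "foo.service", cid)
                   for cid in ("db-password", "empty-but-present", "missing")}
        server.join(5)
        return results


if __name__ == "__main__":
    print(demo())
```

Running it prints the three outcomes side by side: the real credential, an empty credential that is still reported as present, and `None` for the one the server refused. A real loader would add a receive timeout and enforce a maximum size; the `1 << 20` buffer here is just an upper bound for the example.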