-
Notifications
You must be signed in to change notification settings - Fork 384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add /etc/containers/auth.json and /etc/containers/auth.d/ dir #2600
base: main
Are you sure you want to change the base?
Conversation
e11c979
to
23e3edb
Compare
@mtrmac @vrothberg @rhatdan @cgwalters PTAL This is a follow up PR of #1746 What it does:
By introducing system-wide auth file and auth.d dir it covers cases for:
|
5a15faf
to
5e2dd4d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add tests for it as well?
I guess the tests could overwrite the .d
directory with a custom directory that the tests control.
on Windows and macOS, at `$HOME/.config/containers/auth.json`. | ||
|
||
There is also a system-global `/etc/containers/auth.json` path and `/etc/containers/auth.d/` directory with drop-in per-repo files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these paths are only used on Linux. We should probably highlight that here in the docs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also I think we should support the full https://uapi-group.org/specifications/specs/configuration_files_specification/ and hence we should handle /run/containers/auth.d
and /usr/lib/containers/auth.d
as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes little sense in combination with the requireUserOnly
logic. Either it is a whole-system configuration, or a root-only configuration.
/usr/
… credentials are outright inconsistent with the idea of “hermetic /usr
” supposedly motivating the design of that spec,.
(My vague intuition is that a whole-system readable-to-all configuration, like OS subscription credentials, makes sense as a new feature; a new feature specific to root-only or even systemd-root-only seems strictly inferior to specifically passing a service-specific credential option to that one specific command, so it does not make sense to add. But, also, I might well have forgotten an important argument from earlier discussions, and I haven’t revisited that yet.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/usr/… credentials are outright inconsistent with the idea of “hermetic /usr” supposedly motivating the design of that spec,.
Yes and no. It is definitely the case that a toplevel design goal of the UAPI group and systemd is to support split "golden vendor generic OS image in /usr" and "user local config in /etc".
But at the same time actually for people who are making custom derived OS images, it absolutely makes sense to put some of this configuration in /usr
.
To expand, this difference is exactly a huge thing that divides "Fedora CoreOS" from "Fedora bootc". In CoreOS you must put your content in /etc
, but in the bootc model we definitely encourage putting it in /usr
precisely because it "version locks" your config and the OS together - you own both parts as a single transactional unit.
This also relates to another thing that we in the bootc world kind of disagree with which is that we really want to support having e.g. LUKS for everything in /
including the operating system and hence including /usr
. The systemd/UAPI design keeps pushing the idea that "everything in /usr is open FOSS" but I don't think that's the reality.
It's of course not ideal to put "secret data" in /usr
but, it's not any different in reality than putting it in /etc
or /root
either from the bootc PoV. In some cases it's just "bootstrap secrets" that may live in the OS image that only have a relatively limited blast radius if leaked (e.g. they're just pull secrets, not push secrets for example).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I blogged yesterday related to this topic https://blog.verbum.org/2024/10/22/why-bootc-doesnt-require-usr-merge/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cgwalters I took a look at full specs for https://uapi-group.org/specifications/specs/configuration_files_specification/ and turned out that my understanding of the logic evaluation is slightly different from the reality. Here's a specific example and it takes into account just /etc and /usr/ uapi-group/specifications#125 (comment) Adding a third one /run would be even more cumbersome to implement. Do you still want to see this done?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't there an implementation of the config file spec for Go we could use? I think we shouldn't try to reimplement it all here just inside the authfile bits - we desperately (IMO) want drop-ins in other places in just our own stack, ref containers/storage#1885
For Rust we have https://docs.rs/liboverdrop/latest/liboverdrop/ which we use in bootc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I googled and did not find any, I asked on go forum.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cgwalters It appears that there is not anything in go that would be handling config files spec per UAPI.
I agree that we should not implement it here and maybe we should not also because none of instances found for config file/dir management in containers library implements fully the UAPI. I looked at other configs that support drop-ins and every implementation is somewhat a bit specific to its files and directories.
https://github.com/containers/image/blob/main/docs/containers-registries.conf.d.5.md#configuration-precedence
https://github.com/containers/common/blob/main/docs/containers.conf.5.md#files
Can we have 3 locations where a system wide auth.json can be found and just one location for drop-in files and they would be read with the following precedence:
/usr/lib/containers/auth.json
/run/containers/auth.json
/etc/containers/auth.json
/etc/containers/auth.d/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It appears that there is not anything in go that would be handling config files spec per UAPI.
Hmm...yeah, it would be a scope creep to write one for sure, but it would be clearly beneficial elsewhere.
@@ -143,8 +153,24 @@ func GetAllCredentials(sys *types.SystemContext) (map[string]types.DockerAuthCon | |||
// The homeDir parameter should always be homedir.Get(), and is only intended to be overridden | |||
// by tests. | |||
func getAuthFilePaths(sys *types.SystemContext, homeDir string) []authPath { | |||
runningInSystemd := os.Getenv("INVOCATION_ID") != "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate on why systemd is being excluded? Running Podman in systemd by means of Quadlet is widely used, so I want to make sure to understand the reasoning behind.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See below, it isn't about excluding systemd cases, the current logic just changes the priority order for the search to search the system paths first - but in order to avoid breaking people today that are e.g. writing to /root/.config
we still need to search those paths too.
The ordering logic here is IMO up for debate of course.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate why the order should be different when running in systemd? Certainly, we need to continue using the existing paths but I'd expect .d files to behave consistently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After this we'll have two big sources of auth: "user config" and "system config".
My thought was that when running in systemd we prefer system config over root's (or whatever user identity) first. This would avoid e.g. SELinux denials from system services trying to access root's home directory etc. It would be a fully backwards compatible change because the system wide paths wouldn't exist.
2aa8529
to
4d0dcd8
Compare
I’m sorry, I am not silently ignoring this, but I’m also swamped with priority work now. Please sign off per |
5890231
to
78e97ef
Compare
A long-running tension in the docker/podman land is around running as a system service versus being executed by a user. (Specifically a "login user", i.e. a Unix user that can be logged into via `ssh` etc.) For login users, it makes total sense to configure the container runtime in `$HOME`. But for system services (e.g. code executed by systemd) it is generally a bad idea to access or read the `/root` home directory. On image based systems, `/root` may be dynamically mutable state in contrast to `/etc` which may be managed by OS upgrades, or even be read-only. For these reasons, let's introduce `/etc/contaners/auth.json`. If it is present, and the current process is executing in systemd, it will be preferred. (There's some further logic around this that is explained in the manpage; please see that for details) cc coreos/rpm-ostree#4180 Signed-off-by: Colin Walters <[email protected]>
Signed-off-by: Ina Panova <[email protected]>
Signed-off-by: Ina Panova <[email protected]>
Signed-off-by: Ina Panova <[email protected]>
Signed-off-by: Ina Panova <[email protected]>
78e97ef
to
5c91fb3
Compare
Since there was some legitimate continuing debate about the desirability and design of this, let's split that out into #2614 |
An attempt at a summary of a video call, from my POV — so that we can see where there are more questions, and so that we can continue where we left off::
|
Link?
Yes but we have the papercut that anyone debugging things interactively needs to run This does relate though to the
To be clear in practice I think there aren't any denials today in the Fedora policy; systemd units are effectively unconfined by default including reading/writing to home directories. Anyways when you have a minute can you glance at #2614 ? |
I remember an in-person discussion at DevConf; I’m not sure there is a tracker. |
This is a follow-up of this PR #1746 - original description follows (originally written by by @cgwalters ).
EDIT: Design discussion in #2614
A long-running tension in the docker/podman land is around running as a system service versus being executed by a user. (Specifically a "login user", i.e. a Unix user that can be logged
into via
ssh
etc.)For login users, it makes total sense to configure the container
runtime in
$HOME
.But for system services (e.g. code executed by systemd) it
is generally a bad idea to access or read the
/root
homedirectory. On image based systems,
/root
may be dynamicallymutable state in contrast to
/etc
which may be managedby OS upgrades, or even be read-only.
A compounding problem today is that the
podman login
default is to write to$XDG_RUNTIME_DIR
which is not persistent - but often we want persistent state.For these reasons, let's introduce "system wide" persistent
authfiles that follow the config files specification.
alignment with bootc/ostree
Many image based systems will want to run containers via system services, and may specifically mount
/home
and/root
astmpfs
. Today of course, they could put authfiles elsewhere and copy them on boot into/root
(or pick custom authfile locations and point at them directly) but I think many simple use cases will be happy with "default global pull secret" as a baseline starting point.Kubelet
An important goal is that kubelet can use these locations in addition to
/var/lib/kubelet/config.json
as well. I am not aware of any work on kubelet upstream to change its model, but it's not required; we can recommend that kube users basically doln -sr /var/lib/kubelet/config.json /etc/containers/auth.json
perhaps.But probably what we want is a way to tell the kubelet to also inherit the default CRI's authfile paths?