cadviser: add storageDriverPasswordFile option #24341

basvandijk
Member

This gives users the option of storing the storageDriverPassword outside the world-readable Nix store.

This is part of #24288.

@offlinehacker I tested if the module evaluates without problems. I haven't tested the actual service yet. Would you be able to do that?

One concern I have is whether the secret in -storage_driver_password will show up in top/htop/ps etc., since it's passed as a command-line argument. Will cadvisor do The Right Thing and remove the secret from its command line?

Ideally we request the cadvisor developers to add a -storage_driver_password_file option.

@mention-bot

@basvandijk, thanks for your PR! By analyzing the history of the files in this pull request, we identified @offlinehacker, @bjornfor and @nckx to be potential reviewers.

world-readable Nix store that contains the value of <option>storageDriverPassword</option>.

It's recommended to override this with a path not in the Nix store.
Tip: use <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400>nixops key management</link>
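Review bot: The link target on the Tip line, `#idm140737318306400`, looks like an auto-generated DocBook id, and such ids tend to change when the manual is rebuilt, so this link is likely to break. Pointing at the manual's key-management section through a stable anchor, or at the manual's top-level URL, would be more durable.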
Member

you forgot to end the quote for href.

Member Author

Thanks for the heads up.

@basvandijk basvandijk force-pushed the cadviser-storageDriverPasswordFile branch from 480086b to 1143731 Compare March 26, 2017 11:31
This gives users the option of storing the storageDriverPassword outside the
world-readable Nix store.
@basvandijk basvandijk force-pushed the cadviser-storageDriverPasswordFile branch from 1143731 to 2030a91 Compare April 8, 2017 12:15
@basvandijk
Member Author

It would be great if this can be merged so that we get some progress on #24288.

I also requested a -storage_driver_password_file option in: google/cadvisor#1633 so that we don't have to pass secrets via the insecure command line.
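The command-line exposure discussed in this thread can be audited on a running Linux host. The following is an added example, not code from this PR or from cadvisor: it scans NUL-separated `/proc/<pid>/cmdline` data for the `-storage_driver_password` flag and reports hits with the value redacted. The function names and the sample command lines are constructed for illustration.

```python
import os

# Flag named in this thread; extend the set for other services (assumption).
SECRET_FLAGS = {"storage_driver_password"}


def redact(value):
    """Never echo the secret itself; report only its length."""
    return f"<{len(value)} chars redacted>"


def find_secret_args(cmdline):
    """Return (flag, redacted value) pairs found in one NUL-separated
    command line, the format of /proc/<pid>/cmdline on Linux."""
    args = [a.decode("utf-8", "replace") for a in cmdline.split(b"\0") if a]
    hits, i = [], 1                      # args[0] is the program name
    while i < len(args):
        arg = args[i]
        if arg == "--":                  # only positional arguments follow
            break
        if arg.startswith("-"):
            name, sep, value = arg.lstrip("-").partition("=")
            if name in SECRET_FLAGS:
                if not sep and i + 1 < len(args):   # "-flag value" form
                    i += 1
                    value = args[i]
                hits.append((name, redact(value)))
        i += 1
    return hits


def scan_proc(proc_root="/proc"):
    """Check every readable process; returns {pid: hits} for offenders."""
    found = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                hits = find_secret_args(fh.read())
        except OSError:                  # process exited or access denied
            continue
        if hits:
            found[int(entry)] = hits
    return found


# Constructed sample command lines, not captured from a real system.
SAMPLE_EQ = b"\0".join([b"cadvisor", b"-storage_driver_password=hunter2", b""])
SAMPLE_SPACE = b"\0".join([b"cadvisor", b"--storage_driver_password", b"s3cr3t-value", b""])
# The _file flag is the option requested in the thread; negative case only.
SAMPLE_FILE = b"\0".join([b"cadvisor", b"-storage_driver_password_file=/run/keys/cadvisor", b""])
```

Unless `/proc` is mounted with `hidepid`, any local user can read other processes' `cmdline` files, so `scan_proc()` finds these arguments without elevated privileges.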

@7c6f434c 7c6f434c merged commit 01ba1a4 into NixOS:master May 1, 2017