Posted to notifications@yetus.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2017/05/13 05:46:04 UTC

[jira] [Commented] (YETUS-504) Keep sensitive information like passwords out of the docker container.

    [ https://issues.apache.org/jira/browse/YETUS-504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16009150#comment-16009150 ] 

Allen Wittenauer commented on YETUS-504:
----------------------------------------

I've been thinking about this one a lot.  Here are some random thoughts:

* We need to re-arrange how patches are downloaded 

Patches will need to be fetched and saved off rather than re-fetched.  Plug-ins like github and JIRA that expect to be able to do multiple queries will need to do all of that processing prior to the re-exec.

* We need to re-think how comments are written

Currently, comments are submitted back to a service live. That will not be possible if the plug-ins don't have the creds to write.  This either means writing "message files" of some sort that can be transmitted or firing up a listener outside the container. 

Given:

* Typically in shell code, named-pipes and the like are used for IPC
* Docker doesn't support named-pipes (see https://github.com/docker/for-mac/issues/483)

We might be stuck with using something like socat or ssh forwarding or something equally horrible.  Message files are going to be easier over the short haul unless we want to write something custom.  I'd prefer to avoid that for test-patch, since its current bash-view of the world means it runs everywhere with no need to worry about versions (effectively) or plug-ins and the like.

> Keep sensitive information like passwords out of the docker container.
> ----------------------------------------------------------------------
>
>                 Key: YETUS-504
>                 URL: https://issues.apache.org/jira/browse/YETUS-504
>             Project: Yetus
>          Issue Type: Improvement
>          Components: Test Patch
>            Reporter: Allen Wittenauer
>            Priority: Critical
>
> One of the things that has bugged me for quite a while is that user code in the Docker container has access to the passwords for external systems.  It would be nice to reconfigure this a bit where we do all of that work outside of the container.  This way, there would be no need to push sensitive data inside.  



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
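
The "message files" option discussed in the comment above, sketched as an added example; it is not part of the original message and not Yetus code. The function names, the spool directory layout, the `issue:` header line and the size cap are all assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: all names are hypothetical, none of this is Yetus code.
POSTED_LOG=${POSTED_LOG:-posted.log}   # stand-in for the remote service
MAX_BYTES=32768                        # assumed cap on one comment

# Container side. No credentials exist here; the comment is queued as a file
# in a spool directory that the host bind-mounts into the container.
queue_comment() {   # usage: queue_comment <spooldir> <issue-key> <body>
  q_tmp=$(mktemp "$1/.tmp.XXXXXX") || return 1
  printf 'issue: %s\n\n%s\n' "$2" "$3" > "$q_tmp"
  # rename is atomic, so the host never reads a half-written message
  mv "$q_tmp" "$1/msg.${q_tmp##*.}"
}

# Host side. Stand-in for the real poster, the only code that would read the
# credential; it appends to a local file so the example runs offline.
post_comment() {    # usage: post_comment <issue-key> <message-file>
  printf 'POST %s: %s\n' "$1" "$(tail -n +3 "$2" | tr '\n' ' ')" >> "$POSTED_LOG"
}

# Host side, run after the container exits. Patch code could write to the
# spool, so every file is checked before the credentialed poster sees it.
drain_comments() {  # usage: drain_comments <spooldir> <allowed-issue-key>
  d_sent=0
  for d_file in "$1"/msg.*; do
    # regular files only: a symlink could point at a file outside the spool
    [ -f "$d_file" ] && [ ! -L "$d_file" ] || continue
    [ "$(($(wc -c < "$d_file")))" -le "$MAX_BYTES" ] || continue
    d_issue=$(sed -n '1s/^issue: //p' "$d_file")
    # only the issue this run was started for may receive a comment
    [ "$d_issue" = "$2" ] || continue
    post_comment "$d_issue" "$d_file" && d_sent=$((d_sent + 1))
    rm -f "$d_file"
  done
  echo "$d_sent"    # number of comments handed to the poster
}
```

Rejected files are left in the spool so they can be inspected after the run.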