feat(secrets): Add unprotected secret implementation #13998
Conversation
@redbaron can you please test the binary and also give this a review!?
Will do. I'll need to rebase our patches on top of this one to be able to run it on our systems. I'll come back with results sometime next week.
@redbaron any news for the testing?
@redbaron wanted to check in and see if you have had a chance to give this a try?
I've applied this PR as a patch to the current master branch and tried to use the resulting binary within a systemd-nspawn container. The container does not have the CAP_IPC_LOCK capability. My first test was generating config via
@FlashSystems thanks for the test. Will try to fix it and let you know. Would you be willing to give this another try?
Sure. Just let me know when I should give it another try.
Following the code, I think there is currently nothing we can do about this. The minimum requirement even without locked secrets is a 3-page locked memory region and the ability to lock and protect memory regions. :-( Would that be a no-go for you @FlashSystems? The only solution would be a build-time flag but given the amount of variants we support this would probably mean a custom build on your side...
To me it looks like a good alternative to be able to build a telegraf with unprotected secrets by yourself.
OK, I understand the problem. But looking at the bug reports at the top of this PR, I doubt that having a build-time parameter is the right solution for all of these use cases. I think that distributions might have a hard time distinguishing at build time if telegraf is run on native hardware or within a container that has CAP_IPC_LOCK removed. My specific use case is building the Arch Linux telegraf package within a clean chroot. This build process uses a systemd-nspawn container without the CAP_IPC_LOCK privilege. The build process calls the created telegraf binary to create the default configuration included within the package. This triggers the problem. For this use case having a build-time option is no solution, because the final package should be built with protected secrets support but when just calling
Hi all, I've been following this with interest as I'm trying to get the latest telegraf built for AIX. AIX only permits mlock() for processes running with root capabilities. After patching memguard's memcall dependency to support AIX and applying these patches, I'm seeing the same panic as @FlashSystems (except when running as root, of course). My use case is to build, package and run telegraf for AIX in a way that mirrors Linux reasonably closely, so running as a non-root user is important to me. I don't mean to hijack this, just add another voice and volunteer to test.
Upstream issue created to propose the removal of
@redbaron, @FlashSystems and @jtroy can you please test this PR again?!? This includes awnumar/memguard#156 which might fix our issue with memguard initializing on import...
6b30628 to 53b2859
I've tested the new revision of this PR and it works. I can now build the package within a systemd-nspawn container. It even works without using the
@redbaron any feedback from your side?
@srebhan, can you update this PR with the latest from upstream (and resolve the conflict)? Then we can request one more round of testing? Thanks!
Co-authored-by: Maxim Ivanov <hi+github@yamlcoder.me>
e9b437a to 3e8ef53
@FlashSystems, @jtroy, @redbaron can you please test the latest version of this PR once the binary is available!? The required memguard PR #156 changed a bit and I want to make sure we are still fine...
@srebhan: I did a quick test and rebuilt the package in the systemd-nspawn container. Generating the configuration file still works fine 👍
Download PR build artifacts for linux_amd64.tar.gz, darwin_amd64.tar.gz, and windows_amd64.zip.
resolves #13804
resolves #13806
resolves #13807
supersedes #13812
This PR introduces an unprotected secret implementation that allows running Telegraf in environments where the locked-page limit is low and cannot be changed, or where locked pages are not available at all. To switch to the (not recommended) unprotected mode, you need to start Telegraf with the new --unprotected command-line flag. We issue a warning when running unprotected.
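The failure mode discussed in this thread (mlock() refused inside a systemd-nspawn container without CAP_IPC_LOCK, or for a non-root process on AIX) and the --unprotected fallback the PR description announces, as an added example that is neither Telegraf's nor memguard's code. It calls syscall.Mlock directly on a plain Go buffer on Linux/Unix instead of using memguard's guarded allocations; the Secret type, NewSecret, the Protected/Unprotected modes, the error text and the "W!" log prefix are assumptions made for illustration. The point it demonstrates is the defensive shape: a lock failure in strict mode becomes an error the caller reports at config time, and only an explicit opt-in downgrades to unprotected storage with a warning.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"syscall"
)

// Mode records how a secret ended up being stored.
type Mode int

const (
	Protected   Mode = iota // value lives in an mlock()ed buffer and cannot be paged to swap
	Unprotected             // value lives in ordinary heap memory (the --unprotected fallback)
)

func (m Mode) String() string {
	if m == Protected {
		return "protected"
	}
	return "unprotected"
}

// ErrLockUnavailable is returned when the process may not lock pages: typically
// EPERM when CAP_IPC_LOCK is missing (restricted container, non-root AIX process)
// or ENOMEM when RLIMIT_MEMLOCK is exhausted. Hypothetical sentinel, not Telegraf's.
var ErrLockUnavailable = errors.New("memory locking unavailable")

// Secret is a minimal, hypothetical secret holder (not Telegraf's or memguard's type).
type Secret struct {
	storage Mode
	buf     []byte
}

// NewSecret copies value into a fresh buffer and tries to lock it. Go's heap
// collector does not move objects, so the locked address stays valid. If locking
// fails and allowUnprotected is false, the error is returned so the caller can
// report it at config time rather than panicking at import time. If
// allowUnprotected is true, the secret is kept in plain memory and a warning is
// logged, mirroring the behaviour described for --unprotected.
func NewSecret(value []byte, allowUnprotected bool) (*Secret, error) {
	buf := make([]byte, len(value))
	copy(buf, value)
	if len(buf) == 0 {
		return &Secret{storage: Protected, buf: buf}, nil // nothing to lock
	}
	if err := syscall.Mlock(buf); err != nil {
		if !allowUnprotected {
			zero(buf) // do not leave the plaintext copy behind on failure
			return nil, fmt.Errorf("%w: mlock: %v (start with --unprotected to continue)", ErrLockUnavailable, err)
		}
		log.Printf("W! storing secret unprotected, it may be written to swap: %v", err)
		return &Secret{storage: Unprotected, buf: buf}, nil
	}
	return &Secret{storage: Protected, buf: buf}, nil
}

// Mode reports whether the secret ended up locked or in plain memory.
func (s *Secret) Mode() Mode { return s.storage }

// Get returns the secret bytes. Callers must not retain the slice past Destroy.
func (s *Secret) Get() []byte { return s.buf }

// Destroy zeroes the buffer and, for a locked secret, unlocks it again.
// Caveat: munlock() works on whole pages, so unlocking here also unlocks any
// other locked data sharing that page. memguard avoids this by giving each
// secret its own page-aligned guarded region; this toy store does not.
func (s *Secret) Destroy() {
	zero(s.buf)
	if s.storage == Protected && len(s.buf) > 0 {
		_ = syscall.Munlock(s.buf)
	}
	s.buf = nil
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	// Constructed sample value; behaviour in strict mode depends on the
	// environment (CAP_IPC_LOCK, RLIMIT_MEMLOCK), which is exactly the point.
	for _, allow := range []bool{false, true} {
		s, err := NewSecret([]byte("constructed-example-token"), allow)
		if err != nil {
			fmt.Printf("allowUnprotected=%v: %v\n", allow, err)
			continue
		}
		fmt.Printf("allowUnprotected=%v: stored %s, %d bytes\n", allow, s.Mode(), len(s.Get()))
		s.Destroy()
	}
}
```

Run it once in a normal shell and once under a reduced locked-memory limit (for instance `ulimit -l 0` in the same shell before starting it) to see the strict run fail with an error while the opt-in run continues with the warning; the same distinction is what lets a package build inside an nspawn container call the binary for config generation without a panic.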