cirruslabs / orchard

Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices

[security] command line option to read worker token from secret file instead of raw file #158

Closed eecsmap closed 6 months ago

eecsmap commented 6 months ago

To run a worker, it requires --bootstrap-token. Therefore we will:

  1. provide this value in the plist file
  2. see this value in ps output

To avoid leaking such information (otherwise anyone could hook worker machines), it will be nice to have something like --bootstrap-token-file which accepts a secret file.

edigaryev commented 6 months ago

Hi,

2. It will be nice to have something like --bootstrap-token-file which accepts a secret file.

Would --bootstrap-token-stdin work for you?

eecsmap commented 6 months ago

Yes, --bootstrap-token-stdin would be good on the command line, where we could simply cat .secret_file | orchard worker run --bootstrap-token-stdin. I am not sure whether plist has pipeline support or not, but I could wrap it into a script instead. So yeah, if you could add --bootstrap-token-stdin, it will be helpful :)
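As an added example that is not part of this thread or of orchard's own code: a wrapper script of the kind eecsmap mentions, for a launchd plist that cannot express a shell pipeline itself. It assumes the --bootstrap-token-stdin flag discussed above (proposed here, not confirmed to exist), and the paths and helper names are hypothetical.

```shell
#!/bin/sh
# Wrapper a launchd plist can invoke instead of a pipeline. It reads the
# bootstrap token from a private file and hands it to the worker on stdin,
# so the token appears neither in the plist nor in argv (where `ps` shows it).
# Assumptions: the --bootstrap-token-stdin flag proposed in the thread;
# ORCHARD_BIN, ORCHARD_TOKEN_FILE and the helper names are hypothetical.

# Returns 0 only for a regular file whose group/other permission bits are all
# clear (mode 0600 or 0400), judged from the portable `ls -l` mode string.
token_file_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c1-10)
  case "$mode" in
    -rw-------|-r--------) return 0 ;;
    *) return 1 ;;
  esac
}

# Starts the worker: $1 is the orchard binary, $2 the token file.
# `exec` replaces this shell so launchd supervises orchard directly, and the
# `<` redirection opens the token as fd 0 without placing it on the command line.
run_worker_with_token() {
  bin="$1"
  token_file="$2"
  if ! token_file_is_private "$token_file"; then
    echo "refusing to start: $token_file must be mode 0600 (chmod 600 $token_file)" >&2
    return 1
  fi
  exec "$bin" worker run --bootstrap-token-stdin < "$token_file"
}

# Invoked from the plist's ProgramArguments as: <this script> run
if [ "${1:-}" = "run" ]; then
  run_worker_with_token "${ORCHARD_BIN:-/usr/local/bin/orchard}" \
                        "${ORCHARD_TOKEN_FILE:-/etc/orchard/bootstrap-token}"
fi
```

With this, `ps` shows only `orchard worker run --bootstrap-token-stdin`, and the plist carries only the script path.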