cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org

Conjur OSS cannot be restarted #1113

Open orenbm opened 5 years ago

orenbm commented 5 years ago

We should find a way to restart the Conjur server so we can reload environment variables. This prevents users from adding new authentication methods to an existing server or changing the log level, and probably has other effects.

At this point, killing the process of the conjur server doesn't close the workers properly and after a restart the logs aren't written to docker logs as before. We should:
a. fix that - killing the process and re-running it should restart the server properly.
b. find a better way to restart the server (add an option for the conjurctl script?)

After this is done, we should document this:
a. In a section of its own
b. In the logs page (if it is not available yet then create it with this base Confluence - Conjur Logs)
c. In the "Whitelist the Authenticators" section in the docs: https://docs.conjur.org/Latest/en/Content/Operations/Services/authentication-types.htm#Whitelis
d. In every authenticator page in the "enable authenticator" section.

nessiLahav commented 4 years ago

What I have done: I suggested a solution of recreating the conjur server container using docker-compose

TODO: investigate sgnn7 suggestions on slack

More info here

izgeri commented 4 years ago

@orenbm isn't this the wrong statement of the problem?

The problem is

When I deploy and configure Conjur with a given set of authenticators using the CONJUR_AUTHENTICATORS environment variable
And some time later I want to update the allowed list of CONJUR_AUTHENTICATORS
Then I have a documented method for updating the list of allowed authenticators

One method of doing this is having a clean way to restart the server (which will reload the variables, if I reset them). There may be other methods of doing this, and we should think creatively about how to create a good experience that resolves the problem statement I drafted above.

Separately, there is a current bug where killing the process of the conjur server doesn't close the workers properly and after a restart the logs aren't written to docker logs as before. That should be its own issue that we resolve.

jvanderhoof commented 4 years ago

As containers are intended to be a single process, they don't support environment variable reloading. I agree with Ger's comment above. We should focus on enabling authenticators to be added without using environment variables so they can be updated without restarting the container.
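The point above, that a running container never re-reads its environment, is what makes "recreate" rather than "restart" the operation an operator actually needs. The Compose fragment below is an added example, not the project's own deployment file or anything from this thread: it keeps the two variables named in the issue (CONJUR_AUTHENTICATORS, CONJUR_LOG_LEVEL) in the compose service definition so that editing the file and running `docker compose up -d` recreates only the changed service. Service names, the authn-k8s service id, and the database wiring are constructed for illustration; DATABASE_URL and CONJUR_DATA_KEY are Conjur's own variables but their values here are placeholders.

```yaml
# docker-compose.yml (constructed example; service and volume names are assumptions)
services:
  conjur:
    image: cyberark/conjur
    command: server
    environment:
      # Values below are the ones an operator edits after deployment.
      # A container only receives its environment at creation time, so the
      # correct way to apply an edit is:
      #   docker compose up -d
      # Compose diffs the service definition and recreates just this service.
      # `docker compose restart conjur` would NOT pick these changes up: it
      # restarts the existing container with the environment it was created with.
      CONJUR_AUTHENTICATORS: "authn,authn-k8s/dev-cluster"   # constructed service id
      CONJUR_LOG_LEVEL: "info"                               # raise to "debug" when investigating
      # Required by Conjur but unrelated to the reload question; placeholders only.
      DATABASE_URL: "postgres://postgres@database/postgres"
      CONJUR_DATA_KEY: "<generate with: docker run --rm cyberark/conjur data-key generate>"
    depends_on:
      - database
    ports:
      - "8080:80"

  database:
    image: postgres:15
    environment:
      POSTGRES_HOST_AUTH_METHOD: "trust"   # lab-only convenience; not for production
    volumes:
      - conjur-db:/var/lib/postgresql/data

volumes:
  conjur-db:
```

Because the database keeps its own container and volume, recreating the `conjur` service does not touch stored policy or secrets; what is lost is only the in-memory state of the old server process, which is exactly the state that held the stale environment.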

izgeri commented 4 years ago

Yes! My problem statement still assumes the use of the env var - it may more generally be stated as

When I deploy and configure Conjur with a given set of allowed authenticators
And some time later I want to update the list of allowed authenticators
Then I have a working, documented method for updating the list of allowed authenticators

orenbm commented 4 years ago

Thanks @izgeri. I can go with your definition, but we should fix this for more env vars. For example, we need to have a way to reload the CONJUR_LOG_LEVEL as well.

izgeri commented 4 years ago

Sure. It's really about revising the configuration once it's up and running, which could be solved any number of ways (but maybe most usefully by providing alternate ways to configure conjur beyond env vars).

orenbm commented 4 years ago

@eranha please see the discussion above.

izgeri commented 3 years ago

Just noting here that we now have documentation on how to update environment variables once Conjur is already deployed: