Open thaJeztah opened 7 years ago
ping @friism @aluzzardi @johnstep @londoncalling for input / help
On the format of the credential spec file; I found this gist https://gist.github.com/PatrickLang/27c743782fca17b19bf94490cbb6f960, referring to a tool here; contrib/
Also, the requirement to have the specs uploaded to the daemon host (or present in the daemon host's registry) may make it more difficult to use in a Swarm; is there a way to distribute credential specs in a Swarm (e.g. through secrets or configs)?
/cc @PatrickLang @jhowardmsft
You're right about the paths. For both files and registry keys, they should be relative, and I'm not even positive if sub-directories or sub-keys are supported, but will verify.
As for swarm, we are planning to add a `config:` option to reference a credential spec stored as a config instead of a file or a registry key. In 17.06, that is not supported. There is a workaround to distribute a credential spec to all nodes in the swarm, using a config, but it is certainly not ideal:
copy-credspec.yml
```yaml
version: '3.3'
configs:
  credspec:
    file: ${ProgramData}/Docker/CredentialSpecs/${CREDSPEC:-gmsa.json}
services:
  copy:
    command: cmd /c copy credspec C:\\out\\${CREDSPEC:-gmsa.json}
    configs:
      - credspec
    deploy:
      mode: global
      restart_policy:
        condition: none
    image: microsoft/nanoserver
    volumes:
      - source: ${ProgramData}/Docker/CredentialSpecs
        target: C:/out
        type: bind
```
That compose file defaults to `gmsa.json`, but a variable `$env:CREDSPEC` overrides the file name. The file is stored in the default location, as per the script that creates it in the first place.
The above can be deployed in a swarm with:
```
docker stack deploy -c copy-credspec.yml copy-credspec
```
We are hoping to have a `config:` option soon, for swarm.
@thaJeztah thanks for typing this up.
I agree with the docs recommendations you make.
I think there was a debate about whether to `security_opt` or not to `security_opt`. Afaik, we can back-port `--credential-spec` to `docker run` for consistency.
Yes, we should try to keep it consistent at least
@johnstep interesting; what does a `docker service inspect` look like for your example? Because this part of the code looks to indicate you cannot pass a full path; https://github.com/moby/moby/blob/9aecbbf9bf50dd5c3d250e8dc1c74360a9f30d8e/daemon/start_windows.go#L201-L208
Sorry for the confusion. The service above does not use a credential spec; it copies the credential spec file to each node in the swarm, thus allowing any other service to make use of the credential spec.
Oh! Sorry, yes, I mis-read the example
@patricklang When this feature was first added to `docker run` we ended up with a model where it was documented in Microsoft docs with links from Docker docs. Our experience is that lots of people are using this with Docker Windows containers, which is why we made sure it would work with `docker service create` and `docker-compose`. How would you feel about contributing your guide to the Docker docs and working on extending it together?
ping @gbarr01 - just recalled this one was still open, and also relates to missing documentation for this feature
While working on https://github.com/moby/moby/pull/34002, I noticed there's a lot of confusing bits in this feature that we may want to improve on;

- on `docker run` / `docker create`: `--security-opt credentialspec=file://foo` (https://github.com/moby/moby/pull/23389)
- `--credentialspec` was not implemented, and removed in https://github.com/moby/moby/pull/31976
- compose-file (version: 2 - undocumented https://docs.docker.com/compose/compose-file/compose-file-v2/#security_opt):
- on `docker service create` / `docker service update`: `--credential-spec=file://foo` (https://github.com/moby/moby/pull/32339)
- Docker compose docs / implementation (version 3):

Documentation needs some updating;

Using:

Produces an error:

And has to be changed to;

In addition:

- `file` in the documentation is an absolute path, but paths should be specified relative to `C:\ProgramData\docker\CredentialSpecs\`, or more factually `<docker root>/CredentialSpecs` (`docker root` is configurable)
- `file` in the documentation is specified using a Linux path, but should use Windows (backslash, instead of forward slash)
- `registry` option only expects a registry key name, not the full path (i.e. it searches for a key named "the-key-I-specified" inside `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs`).
- `.txt`, but the credential specs file is actually a JSON file, in which case, our example should use `my-credential-spec.json`

Error message consistency

Using this compose file;

produces an error, because both `file:` and `registry:` are specified; the error is correct, but given that this error is generated client-side, should `File` and `Registry` be changed to `file:` and `registry:`?
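The resolution rules listed in the comment above (a `file://` name is taken relative to `<docker root>\CredentialSpecs`, a `registry://` value is a bare key name under the `CredentialSpecs` registry key, and the file is JSON rather than `.txt`) are easy to get wrong, so here is a small Go resolver that applies them. This is an added example written for this page, not code from moby/moby or from the daemon's `start_windows.go`; `ParseCredSpecOption`, `LoadFileCredSpec` and `CredSpecRef` are invented names. It assumes sub-directories below the spec directory are allowed (the thread leaves that open) and adds a traversal check that confines every `file://` reference to that directory, which is the check a daemon-side loader should have. Path checks are textual so the example also runs on a non-Windows host.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// CredSpecRef is the parsed form of a `credentialspec=` option value.
type CredSpecRef struct {
	Kind string // "file" or "registry"
	Name string // the bare name after the scheme
	Path string // resolved on-disk path (Kind == "file" only)
}

// RegistryCredSpecKey is where `registry://NAME` specs are looked up, as stated
// in the thread; NAME is a key name below it, never a full registry path.
const RegistryCredSpecKey = `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs`

// isAbsLike reports whether a name looks like an absolute Windows or POSIX path
// (leading separator or drive letter), checked textually so the result does not
// depend on the host OS the example happens to run on.
func isAbsLike(name string) bool {
	if strings.HasPrefix(name, `\`) || strings.HasPrefix(name, "/") {
		return true
	}
	return len(name) >= 2 && name[1] == ':' &&
		((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
}

// ParseCredSpecOption resolves a `credentialspec=` value against credSpecDir,
// the daemon's <docker root>\CredentialSpecs directory (assumed semantics, taken
// from the thread). Absolute paths and parent-directory traversal are rejected
// so a service definition cannot point the loader at an arbitrary host file.
func ParseCredSpecOption(value, credSpecDir string) (CredSpecRef, error) {
	switch {
	case strings.HasPrefix(value, "file://"):
		name := strings.TrimPrefix(value, "file://")
		if name == "" {
			return CredSpecRef{}, errors.New("credentialspec: empty file name")
		}
		if isAbsLike(name) {
			return CredSpecRef{}, fmt.Errorf("credentialspec: %q must be relative to %s", name, credSpecDir)
		}
		// Normalise separators (the docs show forward slashes, Windows uses
		// backslashes), then refuse anything that escapes the directory.
		clean := path.Clean(strings.ReplaceAll(name, `\`, "/"))
		if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
			return CredSpecRef{}, fmt.Errorf("credentialspec: %q escapes %s", name, credSpecDir)
		}
		resolved := filepath.Join(credSpecDir, filepath.FromSlash(clean))
		rel, err := filepath.Rel(credSpecDir, resolved)
		slashRel := filepath.ToSlash(rel)
		if err != nil || slashRel == ".." || strings.HasPrefix(slashRel, "../") {
			return CredSpecRef{}, fmt.Errorf("credentialspec: %q escapes %s", name, credSpecDir)
		}
		return CredSpecRef{Kind: "file", Name: name, Path: resolved}, nil
	case strings.HasPrefix(value, "registry://"):
		name := strings.TrimPrefix(value, "registry://")
		if name == "" || strings.ContainsAny(name, `\/`) {
			return CredSpecRef{}, fmt.Errorf("credentialspec: registry value must be a key name under %s, got %q", RegistryCredSpecKey, name)
		}
		return CredSpecRef{Kind: "registry", Name: name}, nil
	default:
		return CredSpecRef{}, fmt.Errorf("credentialspec: expected file:// or registry://, got %q", value)
	}
}

// LoadFileCredSpec reads a file-backed spec and checks that it parses as JSON;
// the spec is a JSON document, whatever extension the docs example gives it.
func LoadFileCredSpec(ref CredSpecRef) (map[string]interface{}, error) {
	if ref.Kind != "file" {
		return nil, errors.New("not a file-backed credential spec")
	}
	raw, err := os.ReadFile(ref.Path)
	if err != nil {
		return nil, err
	}
	var spec map[string]interface{}
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, fmt.Errorf("%s is not a JSON credential spec: %w", ref.Path, err)
	}
	return spec, nil
}

func main() {
	dir := filepath.Join(os.TempDir(), "CredentialSpecs") // stands in for <docker root>\CredentialSpecs
	for _, v := range []string{
		"file://gmsa.json",
		`file://C:\ProgramData\docker\CredentialSpecs\gmsa.json`,
		`file://..\secret.json`,
		"registry://gmsa",
	} {
		ref, err := ParseCredSpecOption(v, dir)
		fmt.Printf("%-55s -> %+v err=%v\n", v, ref, err)
	}
}
```

The absolute-path and traversal rejections are what make the "relative to the spec directory" rule a security boundary rather than a convention: without them, a compose file or `docker service create` flag could name any readable file on the daemon host.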