[arvados] updated: 2.7.0-6547-gef4f350438
git repository hosting
git at public.arvados.org
Mon May 13 18:03:23 UTC 2024
Summary of changes:
tools/salt-install/installer.sh | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
via ef4f350438ec7465b5fd71aeda834c2a707b80b3 (commit)
from 218b4d51dd9b31604a37d78bb602151bdc2af4d6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit ef4f350438ec7465b5fd71aeda834c2a707b80b3
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Mon May 13 15:00:46 2024 -0300
21678: Passes credentials through conf file instead of env vars.
To avoid leaking the token to the remote host process list, and also
minimize the exposure on the local host, instead of passing the credentials
through environment variables, we build a conf file that gets piped to ssh
via stdout/stdin.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index a62a780032..9930fd7708 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -458,13 +458,27 @@ diagnostics-internal)
exit 1
fi
+ export ARVADOS_API_HOST="${DOMAIN}:${CONTROLLER_EXT_SSL_PORT}"
+ export ARVADOS_API_TOKEN="$SYSTEM_ROOT_TOKEN"
+
# Pick the first shell node for test running
declare TESTNODE=$(echo ${ROLE2NODES['shell']} | cut -d\, -f1)
+ declare SSH=$(ssh_cmd "$TESTNODE")
+
+ # Set up credentials
+ declare CONFFILE=$(mktemp)
+ trap 'rm "$CONFFILE"' EXIT INT TERM QUIT
+ {
+ echo "ARVADOS_API_HOST=$ARVADOS_API_HOST"
+ echo "ARVADOS_API_TOKEN=$ARVADOS_API_TOKEN"
+ } > $CONFFILE
+ $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'mkdir -m 0700 -p ~/.config/arvados'"
+ cat $CONFFILE | $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'cat > ~/.config/arvados/settings.conf'"
# Run diagnostics
- declare SSH=$(ssh_cmd "$TESTNODE")
- echo "Running diagnostics on $TESTNODE ..."
- $SSH $DEPLOY_USER@$TESTNODE "sudo ARVADOS_API_HOST=${DOMAIN}:${CONTROLLER_EXT_SSL_PORT} ARVADOS_API_TOKEN=$SYSTEM_ROOT_TOKEN arvados-client diagnostics -internal-client"
+ echo "Running diagnostics in $TESTNODE..."
+ $SSH $DEPLOY_USER@$TESTNODE "sudo arvados-client diagnostics -internal-client"
+
;;
*)
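Review bot: The remote `~/.config/arvados/settings.conf` written in the `diagnostics-internal)` branch holds SYSTEM_ROOT_TOKEN and is never removed: the `trap` deletes only the local `$CONFFILE`, so the root token stays on the shell node after the run and overwrites any settings.conf that was already there. The file is also created under the remote umask, and `mkdir -m 0700 -p` does not tighten a directory that already exists, so I would write it with `sudo bash -c 'umask 077; cat > ~/.config/arvados/settings.conf'` and follow the diagnostics call with `sudo bash -c 'rm -f ~/.config/arvados/settings.conf'` (or use a dedicated path so an existing file is not clobbered). Locally, the two `export` lines place the token in the environment of every child process, including `ssh`, which works against the stated goal; plain non-exported assignments are enough for the `echo` lines. As a style point, `declare CONFFILE=$(mktemp)` hides a mktemp failure and `$CONFFILE` is unquoted in the redirect and in `cat $CONFFILE |`; feeding ssh with `< "$CONFFILE"` fixes the quoting and drops the extra process.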
-----------------------------------------------------------------------
hooks/post-receive
--