3a35b16669
Swarm has size constraints on the size of secrets, but the client-side would
read content into memory, regardless its size. This could lead to either the
client reading too much into memory, or it sending data that's larger than
the size limit of gRPC, which resulted in the error not being handled by
SwarmKit and a generic gRPC error returned.
Reading a secret from a file was added in [moby@c6f0b7f], which used a
system.OpenSequential for reading ([FILE_FLAG_SEQUENTIAL_SCAN]). While
there could be a very marginal benefit to prevent polluting the system's
cache (Windows won’t aggressively keep it in the cache, freeing up system
memory for other tasks). These details were not documented in code, and
possibly may be too marginal, but adding a comment to outline won't hurt
so this patch also adds a comment.
This patch:
- Rewrites readSecretData to not return a nil-error if no file was
set, in stead only calling it when not using a driver.
- Implements reading the data with a limit-reader to prevent reading
large files into memory.
- The limit is based on SwarmKits limits ([MaxSecretSize]), but made
twice that size, just in case larger sizes are supported in future;
the main goal is to have some constraints, and to prevent hitting
the gRPC limit.
- Updates some error messages to include STDIN (when used), or the
filename (when used).
Before this patch:
ls -lh largefile
-rw------- 1 thajeztah staff 8.1M Mar 9 00:19 largefile
docker secret create nosuchfile ./nosuchfile
Error reading content from "./nosuchfile": open ./nosuchfile: no such file or directory
docker secret create toolarge ./largefile
Error response from daemon: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (8462870 vs. 4194304)
docker secret create empty ./emptyfile
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
cat ./largefile | docker secret create toolarge -
Error response from daemon: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (8462870 vs. 4194304)
cat ./emptyfile | docker secret create empty -
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
With this patch:
docker secret create nosuchfile ./nosuchfile
error reading from ./nosuchfile: open ./nosuchfile: no such file or directory
docker secret create empty ./emptyfile
error reading from ./emptyfile: data is empty
docker secret create toolarge ./largefile
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
cat ./largefile | docker secret create toolarge -
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
cat ./emptyfile | docker secret create empty -
error reading from STDIN: data is empty
[moby@c6f0b7f]: c6f0b7f448
[FILE_FLAG_SEQUENTIAL_SCAN]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
[MaxSecretSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
141 lines
4.1 KiB
Go
141 lines
4.1 KiB
Go
package secret
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
|
|
"github.com/docker/cli/cli"
|
|
"github.com/docker/cli/cli/command"
|
|
"github.com/docker/cli/opts"
|
|
"github.com/docker/docker/api/types/swarm"
|
|
"github.com/moby/sys/sequential"
|
|
"github.com/pkg/errors"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
type createOptions struct {
|
|
name string
|
|
driver string
|
|
templateDriver string
|
|
file string
|
|
labels opts.ListOpts
|
|
}
|
|
|
|
func newSecretCreateCommand(dockerCli command.Cli) *cobra.Command {
|
|
options := createOptions{
|
|
labels: opts.NewListOpts(opts.ValidateLabel),
|
|
}
|
|
|
|
cmd := &cobra.Command{
|
|
Use: "create [OPTIONS] SECRET [file|-]",
|
|
Short: "Create a secret from a file or STDIN as content",
|
|
Args: cli.RequiresRangeArgs(1, 2),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
options.name = args[0]
|
|
if len(args) == 2 {
|
|
options.file = args[1]
|
|
}
|
|
return runSecretCreate(cmd.Context(), dockerCli, options)
|
|
},
|
|
}
|
|
flags := cmd.Flags()
|
|
flags.VarP(&options.labels, "label", "l", "Secret labels")
|
|
flags.StringVarP(&options.driver, "driver", "d", "", "Secret driver")
|
|
flags.SetAnnotation("driver", "version", []string{"1.31"})
|
|
flags.StringVar(&options.templateDriver, "template-driver", "", "Template driver")
|
|
flags.SetAnnotation("template-driver", "version", []string{"1.37"})
|
|
|
|
return cmd
|
|
}
|
|
|
|
func runSecretCreate(ctx context.Context, dockerCli command.Cli, options createOptions) error {
|
|
client := dockerCli.Client()
|
|
|
|
var secretData []byte
|
|
if options.driver != "" {
|
|
if options.file != "" {
|
|
return errors.Errorf("When using secret driver secret data must be empty")
|
|
}
|
|
} else {
|
|
var err error
|
|
secretData, err = readSecretData(dockerCli.In(), options.file)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
spec := swarm.SecretSpec{
|
|
Annotations: swarm.Annotations{
|
|
Name: options.name,
|
|
Labels: opts.ConvertKVStringsToMap(options.labels.GetAll()),
|
|
},
|
|
Data: secretData,
|
|
}
|
|
if options.driver != "" {
|
|
spec.Driver = &swarm.Driver{
|
|
Name: options.driver,
|
|
}
|
|
}
|
|
if options.templateDriver != "" {
|
|
spec.Templating = &swarm.Driver{
|
|
Name: options.templateDriver,
|
|
}
|
|
}
|
|
r, err := client.SecretCreate(ctx, spec)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, _ = fmt.Fprintln(dockerCli.Out(), r.ID)
|
|
return nil
|
|
}
|
|
|
|
// maxSecretSize is the maximum byte length of the [swarm.SecretSpec.Data] field,
|
|
// as defined by [MaxSecretSize] in SwarmKit.
|
|
//
|
|
// [MaxSecretSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize
|
|
const maxSecretSize = 500 * 1024 // 500KB
|
|
|
|
// readSecretData reads the secret from either stdin or the given fileName.
|
|
//
|
|
// It reads up to twice the maximum size of the secret ([maxSecretSize]),
|
|
// just in case swarm's limit changes; this is only a safeguard to prevent
|
|
// reading arbitrary files into memory.
|
|
func readSecretData(in io.Reader, fileName string) ([]byte, error) {
|
|
switch fileName {
|
|
case "-":
|
|
data, err := io.ReadAll(io.LimitReader(in, 2*maxSecretSize))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error reading from STDIN: %w", err)
|
|
}
|
|
if len(data) == 0 {
|
|
return nil, errors.New("error reading from STDIN: data is empty")
|
|
}
|
|
return data, nil
|
|
case "":
|
|
return nil, errors.New("secret file is required")
|
|
default:
|
|
// Open file with [FILE_FLAG_SEQUENTIAL_SCAN] on Windows, which
|
|
// prevents Windows from aggressively caching it. We expect this
|
|
// file to be only read once. Given that this is expected to be
|
|
// a small file, this may not be a significant optimization, so
|
|
// we could choose to omit this, and use a regular [os.Open].
|
|
//
|
|
// [FILE_FLAG_SEQUENTIAL_SCAN]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
|
|
f, err := sequential.Open(fileName)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error reading from %s: %w", fileName, err)
|
|
}
|
|
defer f.Close()
|
|
data, err := io.ReadAll(io.LimitReader(f, 2*maxSecretSize))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error reading from %s: %w", fileName, err)
|
|
}
|
|
if len(data) == 0 {
|
|
return nil, fmt.Errorf("error reading from %s: data is empty", fileName)
|
|
}
|
|
return data, nil
|
|
}
|
|
}
|