This repository was archived by the owner on Feb 24, 2020. It is now read-only.
Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@
- When using `bash`, `rkt` commands can be auto-completed ([#1955](https://github.com/coreos/rkt/pull/1955)).
- The executables given on the command line via the `--exec` parameters don't need to be absolute paths anymore ([#1953](https://github.com/coreos/rkt/pull/1953)). This change reflects an update in the appc spec since [v0.7.2](https://github.com/appc/spec/releases/tag/v0.7.2). See rkt's [rkt run --exec](https://github.com/coreos/rkt/blob/master/Documentation/subcommands/run.md#overriding-executable-to-launch) documentation.
- Add a `--full` flag to rkt fetch so it returns full hash of the image. ([#1976](https://github.com/coreos/rkt/pull/1976))
- There is a new global flag for specifying the user configuration directory, `--user-config`. It overrides whatever is configured in system and local configuration directories. It can be useful for specifying different credentials for fetching images without putting them in a globally visible directory like `/etc/rkt`. See rkt's [Global Options](https://github.com/coreos/rkt/blob/master/Documentation/commands.md#global-options) documentation. ([#1981](https://github.com/coreos/rkt/pull/1981))

#### Build improvements

1 change: 1 addition & 0 deletions Documentation/commands.md
Expand Up @@ -69,6 +69,7 @@ In addition to the flags used by individual `rkt` commands, `rkt` has a set of g
| `--debug` | `false` | `true` or `false` | Prints out more debug information to `stderr` |
| `--dir` | `/var/lib/rkt` | A directory path | Path to the `rkt` data directory |
| `--insecure-options` | none | <ul><li>**none**: All security features are enabled</li><li>**http**: Allow HTTP connections. Be warned that this will send any credentials as clear text.</li><li>**image**: Disables verifying image signatures</li><li>**tls**: Accept any certificate from the server and any host name in that certificate</li><li>**ondisk**: Disables verifying the integrity of the on-disk, rendered image before running. This significantly speeds up start time.</li><li>**all**: Disables all security checks</li></ul> | Comma-separated list of security features to disable |
| `--user-config` | `` | A directory path | Path to the user configuration directory |
| `--local-config` | `/etc/rkt` | A directory path | Path to the local configuration directory |
| `--system-config` | `/usr/lib/rkt` | A directory path | Path to the system configuration directory |
| `--trust-keys-from-https` | `true` | `true` or `false` | Automatically trust gpg keys fetched from https |
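Review bot: the new `--user-config` row gives its default as an empty pair of backticks, which is not a valid Markdown code span and will show up as stray backticks in the rendered table; write "none" or "empty (not used)" instead. The description should also say that this directory overrides both `--local-config` and `--system-config`, because the row order in the table (user, local, system) does not convey precedence on its own.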
19 changes: 15 additions & 4 deletions Documentation/configuration.md
@@ -1,8 +1,17 @@
# rkt configuration

`rkt` reads configuration from two directories - a **system directory** and a **local directory**.
The system directory defaults to `/usr/lib/rkt`, and the local directory to `/etc/rkt`.
Both locations can be changed with command line flags.
`rkt` reads configuration from two or three directories - a **system directory**, a **local directory** and, if provided, a **user directory**.
The system directory defaults to `/usr/lib/rkt`, the local directory to `/etc/rkt`, and the user directory to an empty string.
These locations can be changed with command line flags.
Member

It should explain what is system, local and user in this context, and why it is useful to have several directories.

  • system: config from the distribution, read-only. The admin cannot change it, or is not supposed to.
  • local: (local to the machine) can be modified by an admin.
  • user: more specific to a user. Uses: when there are several users fetching images with different http credentials. Or when specifying a different directory for the network plugin that should not be used by all rkt instances on this machine.


The system directory should contain a configuration created by a vendor (e.g. distribution).
The contents of this directory should not be modified - it is meant to be read only.

The local directory keeps configuration local to the machine.
It can be modified by the admin.

The user directory may hold some user specific configuration.
It may be useful for specifying credentials used for fetching images without spilling them to some directory readable by everyone.

`rkt` looks for configuration files with the `.json` file name extension in subdirectories beneath the system and local directories.
`rkt` does not recurse down the directory tree to search for these files.
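Review bot: the unchanged sentence at the end of this hunk still says rkt looks for `.json` files "in subdirectories beneath the system and local directories", which now leaves out the user directory; update it so the lookup rule covers all three. The new paragraph also presents the user directory as a place for credentials that should not be readable by everyone, so state that expectation explicitly (for example, a directory owned by the invoking user and not accessible to group or others), since nothing in this change enforces it. "Defaults to an empty string" would read more clearly as "is unset by default".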
Expand All @@ -22,8 +31,10 @@ When a new field is added, a default value should be specified for it, documente
This way, an older version of `rkt` can work with newer-but-compatible versions of configuration files, and newer versions of `rkt` can still work with older versions of configuration files.

Configuration values in the system directory are superseded by the value of the same field if it exists in the local directory.
The same relationship exists between the local directory and the user directory if the user directory is provided.
The semantics of overriding configuration in this manner are specific to the `kind` and `version` of the configuration, and are described below.
File names are not examined to determine local overrides. Only the fields inside configuration files need to match.
File names are not examined in determining local overrides.
Only the fields inside configuration files need to match.

## Configuration kinds
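Review bot: "File names are not examined in determining local overrides" still speaks only of local overrides, although the line added just above extends the same relationship to the user directory; drop "local" or say "overrides between directories". It would also help to state the full order in one place (system, then local, then user, with the last one winning), since the `kind`-specific override semantics described below depend on it.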

24 changes: 24 additions & 0 deletions dist/bash_completion/rkt.bash
Expand Up @@ -243,6 +243,7 @@ _rkt_api-service()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -266,6 +267,7 @@ _rkt_cat-manifest()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -289,6 +291,7 @@ _rkt_enter()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -314,6 +317,7 @@ _rkt_fetch()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -338,6 +342,7 @@ _rkt_gc()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -361,6 +366,7 @@ _rkt_image_cat-manifest()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -384,6 +390,7 @@ _rkt_image_export()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -408,6 +415,7 @@ _rkt_image_extract()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -431,6 +439,7 @@ _rkt_image_gc()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand Down Expand Up @@ -458,6 +467,7 @@ _rkt_image_list()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -482,6 +492,7 @@ _rkt_image_render()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -504,6 +515,7 @@ _rkt_image_rm()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand Down Expand Up @@ -533,6 +545,7 @@ _rkt_image()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -555,6 +568,7 @@ _rkt_install()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -579,6 +593,7 @@ _rkt_list()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -602,6 +617,7 @@ _rkt_metadata-service()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand Down Expand Up @@ -637,6 +653,7 @@ _rkt_prepare()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -660,6 +677,7 @@ _rkt_rm()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand Down Expand Up @@ -701,6 +719,7 @@ _rkt_run()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -726,6 +745,7 @@ _rkt_run-prepared()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -749,6 +769,7 @@ _rkt_status()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -775,6 +796,7 @@ _rkt_trust()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand All @@ -797,6 +819,7 @@ _rkt_version()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
Expand Down Expand Up @@ -835,6 +858,7 @@ _rkt()
flags+=("--dir=")
flags+=("--insecure-options=")
flags+=("--insecure-skip-verify")
flags+=("--user-config=")
flags+=("--local-config=")
flags+=("--system-config=")
flags+=("--trust-keys-from-https")
8 changes: 4 additions & 4 deletions rkt/config/config.go
Expand Up @@ -127,11 +127,11 @@ func GetConfig() (*Config, error) {
}

// GetConfigFrom gets the Config instance with configuration taken
// from given system path overridden with configuration from given
// local path.
func GetConfigFrom(system, local string) (*Config, error) {
// from given paths. Subsequent paths override settings from the
// previous paths.
func GetConfigFrom(dirs ...string) (*Config, error) {
cfg := newConfig()
for _, cd := range []string{system, local} {
for _, cd := range dirs {
subcfg, err := GetConfigFromDir(cd)
if err != nil {
return nil, err
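Review bot: `GetConfigFrom` now passes every element of `dirs` straight to `GetConfigFromDir` with no check for an empty string, so the guarantee that an unset directory is skipped lives only in the caller. Either skip empty entries inside the loop or state in the doc comment that callers must not pass empty paths. The comment should also say explicitly that precedence follows argument order (the last directory wins) and what is returned when the function is called with no arguments.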
11 changes: 10 additions & 1 deletion rkt/rkt.go
Expand Up @@ -122,6 +122,7 @@ var (
Dir string
SystemConfigDir string
LocalConfigDir string
UserConfigDir string
Debug bool
Help bool
InsecureFlags *rktflag.SecFlags
Expand Down Expand Up @@ -156,6 +157,7 @@ func init() {
cmdRkt.PersistentFlags().Var((*absDir)(&globalFlags.Dir), "dir", "rkt data directory")
cmdRkt.PersistentFlags().Var((*absDir)(&globalFlags.SystemConfigDir), "system-config", "system configuration directory")
cmdRkt.PersistentFlags().Var((*absDir)(&globalFlags.LocalConfigDir), "local-config", "local configuration directory")
cmdRkt.PersistentFlags().Var((*absDir)(&globalFlags.UserConfigDir), "user-config", "user configuration directory")
cmdRkt.PersistentFlags().Var(globalFlags.InsecureFlags, "insecure-options",
fmt.Sprintf("comma-separated list of security features to disable. Allowed values: %s",
globalFlags.InsecureFlags.PermissibleString()))
Expand Down Expand Up @@ -283,7 +285,14 @@ func calculateDataDir() string {

func getConfig() (*config.Config, error) {
if cachedConfig == nil {
cfg, err := config.GetConfigFrom(globalFlags.SystemConfigDir, globalFlags.LocalConfigDir)
dirs := []string{
globalFlags.SystemConfigDir,
globalFlags.LocalConfigDir,
}
if globalFlags.UserConfigDir != "" {
dirs = append(dirs, globalFlags.UserConfigDir)
}
cfg, err := config.GetConfigFrom(dirs...)
if err != nil {
return nil, err
}
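Review bot: the `UserConfigDir != ""` guard is the only validation the user directory gets before it is appended last and therefore loaded with the highest precedence. Since the documentation in this PR motivates the flag as a place for image-fetch credentials kept out of directories readable by everyone, consider checking the directory's mode here and warning (at least under `--debug`) when it is accessible to group or others. A test covering the three-directory override order would also be worth adding; none is visible in this change.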