Allow relaxing of file permissions, e.g. to allow a file to be world-readable if configured to be.

I've had something happen two or three times recently where I've had a keywhiz process using > 100% cpu on my mac. I'm not sure what it is -- but both times it happened when i'd closed the terminal I was running it in. I'll attempt a proper repro & profile.

I have the keywhiz server running locally, and now trying to get the keywhiz-fs client mounted to it so I can get a better understanding as to how this all works and how we might be able to use it for our current solution. I'm getting this error when trying to mount however:

mlockall() not implemented on this system
panic: open client.crt: no such file or directory

goroutine 1 [running]:
panic(0x446d980, 0xc8200f2090)
/usr/local/Cellar/go/1.6/libexec/src/runtime/panic.go:464 +0x3e6
main.panicOnError(0x4cbb5d8, 0xc8200f2090)
/Users/dsgrant/git/src/keywhiz-fs/main.go:163 +0x4b
main.NewClient(0x453cdf0, 0xa, 0x453ce00, 0xa, 0x453c870, 0xa, 0xc820084600, 0x4a817c800, 0x4612000, 0x7fff5fbffb44, ...)
/Users/dsgrant/git/src/keywhiz-fs/client.go:83 +0x207
main.main()
/Users/dsgrant/git/src/keywhiz-fs/main.go:76 +0x671

Hi,

I've tried to use it for storing s3fs secrets, but (by default) it doesn't allow password files which have group permissions.

I've created a quick workaround:
https://github.com/gyulaweber/keywhiz-fs/commit/d0da8a339c3a405ee039aa42471db4f51aa56705

I think it would be better if we can use a parameter like 'no-group-permissions', or like that. I'm still not sure what would be the best solution for this.

I just clone the project and build the docker image as described in the readme. when i run the container, i get this.

docker run -it --device /dev/fuse:/dev/fuse --cap-add=IPC_LOCK --cap-add=SYS_ADMIN keywhizfs -debug=true -ca=/go/src/github.com/square/keywhiz-fs/fixtures/cacert.crt -key=/go/src/github.com/square/keywhiz-fs/fixtures/client.pem https://localhost:443 /secrets/kwfs
ERROR kwfs_main[/secrets/kwfs]: 2015/08/04 05:53:41 Error starting syslog logging, continuing: Unix syslog delivery error
DEBUG kwfs_main[/secrets/kwfs]: 2015/08/04 05:53:41 Certificate file not specified, assuming certificate also in /go/src/github.com/square/keywhiz-fs/fixtures/client.pem
ERROR kwfs_client[/secrets/kwfs]: 2015/08/04 05:53:41 Error starting syslog logging, continuing: Unix syslog delivery error
ERROR kwfs[/secrets/kwfs]: 2015/08/04 05:53:41 Error starting syslog logging, continuing: Unix syslog delivery error
ERROR kwfs_cache[/secrets/kwfs]: 2015/08/04 05:53:41 Error starting syslog logging, continuing: Unix syslog delivery error
/bin/fusermount: mount failed: Permission denied
2015/08/04 05:53:41 Mount fail: fusermount exited with code 256

i'm running

uname -a
Linux -- 3.19.0-21-generic #21-Ubuntu SMP Sun Jun 14 18:31:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

docker info
Containers: 17
Images: 255
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 289
Dirperm1 Supported: true
Execution Driver: native-0.2
Kernel Version: 3.19.0-21-generic
Operating System: Ubuntu 15.04
CPUs: 8
Total Memory: 15.45 GiB
Registry: [https://index.docker.io/v1/]
WARNING: No swap limit support

also, i have uncommented user_allow_other in /etc/fuse.conf and added the current user to fuse group. i can view the /etc/fuse.conf with the user starting docker.

Thanks.

I'm trying to build the docker daemon and getting this error.
I looked at the call in main.go and it has the following signature:

return sqmetrics.NewMetrics(*metricsURL, prefix, metrics.DefaultRegistry)

But https://github.com/square/go-sq-metrics/blob/master/metrics.go shows the following definition:

func NewMetrics(metricsURL, metricsPrefix string, interval time.Duration, registry metrics.Registry) *SquareMetrics {

There aren't any docs in either project to indicate whether it is used or how, but using git blame, I can see that the new parameter was added a week ago in square/go-sq-metrics@d2f04d2 by @csstaub.

Looks like this project just needs to be updated as well?

• go get github.com/square/keywhiz-fs
• http://osxfuse.github.io/ for building on mac os X.

Some piece of software is complaining one of its secrets has an invalid link count, 0 != 1.

Seems like it's getting that from fstat. We should make sure link count is 1.

Found two more issues, and I'm going to give up at this point, but I wanted to offer a fix for as far as I got.

1. The docker_kwfs.sh script has two bugs:
   • The executable name should be /go/bin/keywhiz-fs as that is what is built
   • the asuser and group arguments are long options and need two hyphens rather than one.
2. The README.md instructs the user to run the container passing an argument '--debug=true'. This is an error and will cause the argument parser to mess up during parsing giving the error "keywhiz-fs: error: unexpected /secrets/kwfs, try --help"

The StatFs system call should be implemented. Nicer output would then be available when running df.

This project was created at the time of go 1.4. Since go 1.5, there is a recommended method of vendoring dependencies. We should switch to that.

E.g. ERROR kwfs_client[t]: 2016/02/09 14:08:10 Bad response code getting secrets: (status=404, msg='[60 104 ...]') instead of the actual string.

Secret and SecretList functions in client.go are used only by tests. Can they be removed and the tests rewritten to use RawSecret/RawSecretList instead?

./main https://localhost:4444/ random_dir ends up failing with

<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing //secrets. Reason:
<pre>    Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>```

We should fix this in the server or client (or both?).