conjur
Conjur OSS cannot be restarted
We should find a way to restart the Conjur server so we can reload environment variables. Not having one prevents users from adding new authentication methods to an existing server, changing the log level, and probably has other effects.
At this point, killing the process of the Conjur server doesn't close the workers properly, and after a restart the logs aren't written to docker logs as before. We should:
a. fix that - killing the process and re-running it should restart the server properly.
b. find a better way to restart the server (add an option for the conjurctl script?)
After this is done, we should document this:
a. In a section of its own
b. In the logs page (if it is not available yet then create it with this base Confluence - Conjur Logs)
c. In the "Whitelist the Authenticators" section in the docs: https://docs.conjur.org/Latest/en/Content/Operations/Services/authentication-types.htm#Whitelis
d. In every authenticator page in the "enable authenticator" section.
What I have done: I suggested a solution of recreating the Conjur server container using docker-compose.
TODO: investigate sgnn7's suggestions on Slack.
@orenbm isn't this the wrong statement of the problem?
The problem is:
When I deploy and configure Conjur with a given set of authenticators using the CONJUR_AUTHENTICATORS environment variable
And some time later I want to update the allowed list of CONJUR_AUTHENTICATORS
Then I have a documented method for updating the list of allowed authenticators
One method of doing this is having a clean way to restart the server (which will reload the variables, if I reset them). There may be other methods of doing this, and we should think creatively about how to create a good experience that resolves the problem statement I drafted above.
Separately, there is a current bug where killing the process of the Conjur server doesn't close the workers properly, and after a restart the logs aren't written to docker logs as before. That should be its own issue that we resolve.
As containers are intended to be a single process, they don't support environment variable reloading. I agree with Ger's comment above. We should focus on enabling authenticators to be added without using environment variables so they can be updated without restarting the container.
Yes! My problem statement still assumes the use of the env var - it may more generally be stated as:
When I deploy and configure Conjur with a given set of allowed authenticators
And some time later I want to update the list of allowed authenticators
Then I have a working, documented method for updating the list of allowed authenticators
Thanks @izgeri. I can go with your definition, but we should fix this for more env vars. For example, we need to have a way to reload CONJUR_LOG_LEVEL as well.
Sure. It's really about revising the configuration once it's up and running, which could be solved any number of ways (but maybe most usefully by providing alternate ways to configure Conjur beyond env vars).
@eranha please see the discussion above.
Just noting here that we now have documentation on how to update environment variables once Conjur is already deployed: