set anon

Enable or disable anonymized mode for the current CLI session.

Description Jump to heading #

In anonymized mode, fields in command outputs that are considered sensitive or confidential are obscured with hashes. These hashes are designed to be consistent throughout output so that troubleshooters can trace data in output without viewing the underlying sensitive data.

A key for the hash function can be appended as in set anon on <key>. The key must be a 32-bit integer between 0 and 4294967295.

The hashes have a low enough bit count (24) to make them non-reversible due to the high number of possible matches. When anonymization is turned on, if no key is specified, the global key is used (either specified in the configuration file by anonkey or set via the CLI command set anon global-key). If no such key has been set, a random one is generated. It is useful to specify the key to be used for the current session, for example, to reuse the key that was used in a previous dump to help compare outputs.

The set anon command applies only to the current API session. Therefore, it has no effect unless combined with other commands in the same session.

Examples Jump to heading #

Enable anonymization for a show sess inline command, where the commands run once and then exit:

nix
echo "set anon on; show sess" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

nix
echo "set anon on; show sess" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

output
text
0x56295ad1dcb0: proto=tcpv4 src=3129d1:60985 fe=1d10c8 be=7c69ee srv=f908f6 
 ts=00 epoch=0x1 age=16s calls=3 rate=0 cpu=0 lat=0 rq[f=49c40000h,i=0,an=8000h,rx=,wx=,ax=] 
 rp[f=80400000h,i=0,an=1400000h,rx=4m55s,wx=,ax=] scf=[8,80h,fd=86] scb=[8,11h,fd=42] exp=4m55s rc=0 c_exp=

output
text
0x56295ad1dcb0: proto=tcpv4 src=3129d1:60985 fe=1d10c8 be=7c69ee srv=f908f6 
 ts=00 epoch=0x1 age=16s calls=3 rate=0 cpu=0 lat=0 rq[f=49c40000h,i=0,an=8000h,rx=,wx=,ax=] 
 rp[f=80400000h,i=0,an=1400000h,rx=4m55s,wx=,ax=] scf=[8,80h,fd=86] scb=[8,11h,fd=42] exp=4m55s rc=0 c_exp=

Enable anonymization in an interactive session:

1. Connect to the Runtime API socket:

   nix
   sudo socat stdio tcp4-connect:127.0.0.1:9999

   nix
   sudo socat stdio tcp4-connect:127.0.0.1:9999

2. Start an interactive session:

   nix
   prompt

   nix
   prompt

3. Try a command with anonymization off:

   nix
   show sess

   nix
   show sess

   output
   text
   0x56295ac7a100: proto=tcpv4 src=192.168.56.1:60950 fe=fe_main be=servers srv=web1 
    ts=00 epoch=0 age=4s calls=2 rate=0 cpu=0 lat=0 rq[f=49c40080h,i=0,an=8000h,rx=,wx=,ax=] 
    rp[f=80400000h,i=0,an=1400000h,rx=4m55s,wx=,ax=] scf=[8,80h,fd=23] scb=[8,11h,fd=57] exp=5s rc=0 c_exp=

   output
   text
   0x56295ac7a100: proto=tcpv4 src=192.168.56.1:60950 fe=fe_main be=servers srv=web1 
    ts=00 epoch=0 age=4s calls=2 rate=0 cpu=0 lat=0 rq[f=49c40080h,i=0,an=8000h,rx=,wx=,ax=] 
    rp[f=80400000h,i=0,an=1400000h,rx=4m55s,wx=,ax=] scf=[8,80h,fd=23] scb=[8,11h,fd=57] exp=5s rc=0 c_exp=

4. Enable anonymization.

   nix
   set anon on

   nix
   set anon on

5. Use a command that will now have its output anonymized.

   nix
   show sess

   nix
   show sess

   output
   text
   0x56295ad1dcb0: proto=tcpv4 src=3129d1:60985 fe=1d10c8 be=7c69ee srv=f908f6 
    ts=00 epoch=0x1 age=16s calls=3 rate=0 cpu=0 lat=0 rq[f=49c40000h,i=0,an=8000h,rx=,wx=,ax=] 
    rp[f=80400000h,i=0,an=1400000h,rx=4m55s,wx=,ax=] scf=[8,80h,fd=86] scb=[8,11h,fd=42] exp=4m55s rc=0 c_exp=

   output
   text
   0x56295ad1dcb0: proto=tcpv4 src=3129d1:60985 fe=1d10c8 be=7c69ee srv=f908f6 
    ts=00 epoch=0x1 age=16s calls=3 rate=0 cpu=0 lat=0 rq[f=49c40000h,i=0,an=8000h,rx=,wx=,ax=] 
    rp[f=80400000h,i=0,an=1400000h,rx=4m55s,wx=,ax=] scf=[8,80h,fd=86] scb=[8,11h,fd=42] exp=4m55s rc=0 c_exp=

See also Jump to heading #

• set anon global key
• show anon