2023-04-10 15:36:59 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
package jobspec
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2020-09-09 22:30:40 +00:00
|
|
|
"strings"
|
2019-08-09 19:18:53 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
multierror "github.com/hashicorp/go-multierror"
|
|
|
|
|
"github.com/hashicorp/hcl"
|
|
|
|
|
"github.com/hashicorp/hcl/hcl/ast"
|
|
|
|
|
"github.com/hashicorp/nomad/api"
|
2022-11-04 17:23:01 +00:00
|
|
|
"github.com/hashicorp/nomad/helper/pointer"
|
2019-08-09 19:18:53 +00:00
|
|
|
"github.com/mitchellh/mapstructure"
|
|
|
|
|
)
|
|
|
|
|
|
2020-04-10 03:01:16 +00:00
|
|
|
var (
|
2020-04-10 15:49:19 +00:00
|
|
|
commonTaskKeys = []string{
|
|
|
|
|
"driver",
|
|
|
|
|
"user",
|
2020-04-10 03:01:16 +00:00
|
|
|
"config",
|
2020-04-10 15:49:19 +00:00
|
|
|
"env",
|
|
|
|
|
"resources",
|
|
|
|
|
"meta",
|
|
|
|
|
"logs",
|
|
|
|
|
"kill_timeout",
|
|
|
|
|
"shutdown_delay",
|
|
|
|
|
"kill_signal",
|
2020-09-09 22:30:40 +00:00
|
|
|
"scaling",
|
2020-04-10 15:49:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
normalTaskKeys = append(commonTaskKeys,
|
|
|
|
|
"artifact",
|
2020-04-10 03:01:16 +00:00
|
|
|
"constraint",
|
|
|
|
|
"affinity",
|
|
|
|
|
"dispatch_payload",
|
2023-02-02 18:59:14 +00:00
|
|
|
"identity",
|
2020-04-10 03:01:16 +00:00
|
|
|
"lifecycle",
|
|
|
|
|
"leader",
|
|
|
|
|
"restart",
|
|
|
|
|
"service",
|
|
|
|
|
"template",
|
|
|
|
|
"vault",
|
|
|
|
|
"kind",
|
|
|
|
|
"volume_mount",
|
|
|
|
|
"csi_plugin",
|
2020-04-10 15:49:19 +00:00
|
|
|
)
|
2020-04-10 03:01:16 +00:00
|
|
|
|
2020-04-10 15:49:19 +00:00
|
|
|
sidecarTaskKeys = append(commonTaskKeys,
|
2020-04-10 03:01:16 +00:00
|
|
|
"name",
|
2020-04-10 15:49:19 +00:00
|
|
|
)
|
2020-04-10 03:01:16 +00:00
|
|
|
)
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
func parseTasks(result *[]*api.Task, list *ast.ObjectList) error {
|
|
|
|
|
list = list.Children()
|
|
|
|
|
if len(list.Items) == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Go through each object and turn it into an actual result.
|
|
|
|
|
seen := make(map[string]struct{})
|
|
|
|
|
for _, item := range list.Items {
|
|
|
|
|
n := item.Keys[0].Token.Value().(string)
|
|
|
|
|
|
|
|
|
|
// Make sure we haven't already found this
|
|
|
|
|
if _, ok := seen[n]; ok {
|
|
|
|
|
return fmt.Errorf("task '%s' defined more than once", n)
|
|
|
|
|
}
|
|
|
|
|
seen[n] = struct{}{}
|
|
|
|
|
|
2020-04-10 03:01:16 +00:00
|
|
|
t, err := parseTask(item, normalTaskKeys)
|
2019-08-09 19:18:53 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return multierror.Prefix(err, fmt.Sprintf("'%s',", n))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.Name = n
|
|
|
|
|
|
|
|
|
|
*result = append(*result, t)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-10 03:01:16 +00:00
|
|
|
func parseTask(item *ast.ObjectItem, keys []string) (*api.Task, error) {
|
2019-08-09 19:18:53 +00:00
|
|
|
// We need this later
|
|
|
|
|
var listVal *ast.ObjectList
|
|
|
|
|
if ot, ok := item.Val.(*ast.ObjectType); ok {
|
|
|
|
|
listVal = ot.List
|
|
|
|
|
} else {
|
|
|
|
|
return nil, fmt.Errorf("should be an object")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check for invalid keys
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(listVal, keys); err != nil {
|
2019-08-09 19:18:53 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, item.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
delete(m, "artifact")
|
|
|
|
|
delete(m, "config")
|
|
|
|
|
delete(m, "constraint")
|
|
|
|
|
delete(m, "affinity")
|
|
|
|
|
delete(m, "dispatch_payload")
|
2019-10-11 17:10:45 +00:00
|
|
|
delete(m, "lifecycle")
|
2019-08-09 19:18:53 +00:00
|
|
|
delete(m, "env")
|
2023-02-02 18:59:14 +00:00
|
|
|
delete(m, "identity")
|
2019-08-09 19:18:53 +00:00
|
|
|
delete(m, "logs")
|
|
|
|
|
delete(m, "meta")
|
|
|
|
|
delete(m, "resources")
|
2020-03-07 02:52:58 +00:00
|
|
|
delete(m, "restart")
|
2019-08-09 19:18:53 +00:00
|
|
|
delete(m, "service")
|
|
|
|
|
delete(m, "template")
|
|
|
|
|
delete(m, "vault")
|
2019-07-25 14:42:11 +00:00
|
|
|
delete(m, "volume_mount")
|
2019-10-22 13:20:26 +00:00
|
|
|
delete(m, "csi_plugin")
|
2020-09-09 22:30:40 +00:00
|
|
|
delete(m, "scaling")
|
2019-08-09 19:18:53 +00:00
|
|
|
|
|
|
|
|
// Build the task
|
|
|
|
|
var t api.Task
|
|
|
|
|
dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
|
|
|
|
|
DecodeHook: mapstructure.StringToTimeDurationHookFunc(),
|
|
|
|
|
WeaklyTypedInput: true,
|
|
|
|
|
Result: &t,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := dec.Decode(m); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If we have env, then parse them
|
|
|
|
|
if o := listVal.Filter("env"); len(o.Items) > 0 {
|
|
|
|
|
for _, o := range o.Elem().Items {
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := mapstructure.WeakDecode(m, &t.Env); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if o := listVal.Filter("service"); len(o.Items) > 0 {
|
|
|
|
|
services, err := parseServices(o)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.Services = services
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-22 13:20:26 +00:00
|
|
|
if o := listVal.Filter("csi_plugin"); len(o.Items) > 0 {
|
|
|
|
|
if len(o.Items) != 1 {
|
2023-01-30 14:48:43 +00:00
|
|
|
return nil, fmt.Errorf("csi_plugin -> Expected single block, got %d", len(o.Items))
|
2019-10-22 13:20:26 +00:00
|
|
|
}
|
|
|
|
|
i := o.Elem().Items[0]
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
2022-06-14 14:04:16 +00:00
|
|
|
var cfg api.TaskCSIPluginConfig
|
2019-10-22 13:20:26 +00:00
|
|
|
if err := hcl.DecodeObject(&m, i.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-14 14:04:16 +00:00
|
|
|
dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
|
|
|
|
|
DecodeHook: mapstructure.StringToTimeDurationHookFunc(),
|
|
|
|
|
WeaklyTypedInput: true,
|
|
|
|
|
Result: &cfg,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := dec.Decode(m); err != nil {
|
2019-10-22 13:20:26 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.CSIPluginConfig = &cfg
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
// If we have config, then parse that
|
|
|
|
|
if o := listVal.Filter("config"); len(o.Items) > 0 {
|
|
|
|
|
for _, o := range o.Elem().Items {
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := mapstructure.WeakDecode(m, &t.Config); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse constraints
|
|
|
|
|
if o := listVal.Filter("constraint"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseConstraints(&t.Constraints, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "constraint ->")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse affinities
|
|
|
|
|
if o := listVal.Filter("affinity"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseAffinities(&t.Affinities, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "affinity ->")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse out meta fields. These are in HCL as a list so we need
|
|
|
|
|
// to iterate over them and merge them.
|
|
|
|
|
if metaO := listVal.Filter("meta"); len(metaO.Items) > 0 {
|
|
|
|
|
for _, o := range metaO.Elem().Items {
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := mapstructure.WeakDecode(m, &t.Meta); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-25 14:42:11 +00:00
|
|
|
// Parse volume mounts
|
|
|
|
|
if o := listVal.Filter("volume_mount"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseVolumeMounts(&t.VolumeMounts, o); err != nil {
|
2019-08-12 13:41:14 +00:00
|
|
|
return nil, multierror.Prefix(err, "volume_mount ->")
|
2019-07-25 14:42:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
// If we have resources, then parse that
|
|
|
|
|
if o := listVal.Filter("resources"); len(o.Items) > 0 {
|
|
|
|
|
var r api.Resources
|
|
|
|
|
if err := parseResources(&r, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "resources ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.Resources = &r
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-07 02:52:58 +00:00
|
|
|
// Parse restart policy
|
|
|
|
|
if o := listVal.Filter("restart"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseRestartPolicy(&t.RestartPolicy, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "restart ->")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
// If we have logs then parse that
|
|
|
|
|
if o := listVal.Filter("logs"); len(o.Items) > 0 {
|
|
|
|
|
if len(o.Items) > 1 {
|
|
|
|
|
return nil, fmt.Errorf("only one logs block is allowed in a Task. Number of logs block found: %d", len(o.Items))
|
|
|
|
|
}
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
logsBlock := o.Items[0]
|
|
|
|
|
|
|
|
|
|
// Check for invalid keys
|
|
|
|
|
valid := []string{
|
|
|
|
|
"max_files",
|
|
|
|
|
"max_file_size",
|
2023-05-04 20:01:18 +00:00
|
|
|
"enabled", // COMPAT(1.6.0): remove in favor of disabled
|
|
|
|
|
"disabled",
|
2019-08-09 19:18:53 +00:00
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(logsBlock.Val, valid); err != nil {
|
2019-08-09 19:18:53 +00:00
|
|
|
return nil, multierror.Prefix(err, "logs ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := hcl.DecodeObject(&m, logsBlock.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var log api.LogConfig
|
|
|
|
|
if err := mapstructure.WeakDecode(m, &log); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.LogConfig = &log
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse artifacts
|
|
|
|
|
if o := listVal.Filter("artifact"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseArtifacts(&t.Artifacts, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "artifact ->")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-02 18:59:14 +00:00
|
|
|
// Parse identity
|
|
|
|
|
if o := listVal.Filter("identity"); len(o.Items) > 0 {
|
|
|
|
|
v := &api.WorkloadIdentity{}
|
|
|
|
|
if err := parseIdentity(v, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "identity ->")
|
|
|
|
|
}
|
|
|
|
|
t.Identity = v
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
// Parse templates
|
|
|
|
|
if o := listVal.Filter("template"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseTemplates(&t.Templates, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "template ->")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-09 22:30:40 +00:00
|
|
|
// Parse scaling policies
|
|
|
|
|
if o := listVal.Filter("scaling"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseTaskScalingPolicies(&t.ScalingPolicies, o); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
// If we have a vault block, then parse that
|
|
|
|
|
if o := listVal.Filter("vault"); len(o.Items) > 0 {
|
|
|
|
|
v := &api.Vault{
|
Add `disable_file` parameter to job's `vault` stanza (#13343)
This complements the `env` parameter, so that the operator can author
tasks that don't share their Vault token with the workload when using
`image` filesystem isolation. As a result, more powerful tokens can be used
in a job definition, allowing it to use template stanzas to issue all kinds of
secrets (database secrets, Vault tokens with very specific policies, etc.),
without sharing that issuing power with the task itself.
This is accomplished by creating a directory called `private` within
the task's working directory, which shares many properties of
the `secrets` directory (tmpfs where possible, not accessible by
`nomad alloc fs` or Nomad's web UI), but isn't mounted into/bound to the
container.
If the `disable_file` parameter is set to `false` (its default), the Vault token
is also written to the NOMAD_SECRETS_DIR, so the default behavior is
backwards compatible. Even if the operator never changes the default,
they will still benefit from the improved behavior of Nomad never reading
the token back in from that - potentially altered - location.
2023-06-23 19:15:04 +00:00
|
|
|
Env: boolToPtr(true),
|
|
|
|
|
DisableFile: boolToPtr(false),
|
|
|
|
|
ChangeMode: stringToPtr("restart"),
|
2019-08-09 19:18:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := parseVault(v, o); err != nil {
|
|
|
|
|
return nil, multierror.Prefix(err, "vault ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.Vault = v
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If we have a dispatch_payload block parse that
|
|
|
|
|
if o := listVal.Filter("dispatch_payload"); len(o.Items) > 0 {
|
|
|
|
|
if len(o.Items) > 1 {
|
|
|
|
|
return nil, fmt.Errorf("only one dispatch_payload block is allowed in a task. Number of dispatch_payload blocks found: %d", len(o.Items))
|
|
|
|
|
}
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
dispatchBlock := o.Items[0]
|
|
|
|
|
|
|
|
|
|
// Check for invalid keys
|
|
|
|
|
valid := []string{
|
|
|
|
|
"file",
|
|
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(dispatchBlock.Val, valid); err != nil {
|
2019-08-09 19:18:53 +00:00
|
|
|
return nil, multierror.Prefix(err, "dispatch_payload ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := hcl.DecodeObject(&m, dispatchBlock.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.DispatchPayload = &api.DispatchPayloadConfig{}
|
|
|
|
|
if err := mapstructure.WeakDecode(m, t.DispatchPayload); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-11 17:10:45 +00:00
|
|
|
// If we have a lifecycle block parse that
|
|
|
|
|
if o := listVal.Filter("lifecycle"); len(o.Items) > 0 {
|
|
|
|
|
if len(o.Items) > 1 {
|
|
|
|
|
return nil, fmt.Errorf("only one lifecycle block is allowed in a task. Number of lifecycle blocks found: %d", len(o.Items))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
lifecycleBlock := o.Items[0]
|
|
|
|
|
|
|
|
|
|
// Check for invalid keys
|
|
|
|
|
valid := []string{
|
2019-12-02 20:45:33 +00:00
|
|
|
"hook",
|
2020-03-02 19:12:16 +00:00
|
|
|
"sidecar",
|
2019-10-11 17:10:45 +00:00
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(lifecycleBlock.Val, valid); err != nil {
|
2019-10-11 17:10:45 +00:00
|
|
|
return nil, multierror.Prefix(err, "lifecycle ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := hcl.DecodeObject(&m, lifecycleBlock.Val); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.Lifecycle = &api.TaskLifecycle{}
|
2020-01-30 20:05:07 +00:00
|
|
|
if err := mapstructure.WeakDecode(m, t.Lifecycle); err != nil {
|
2019-10-11 17:10:45 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-08-09 19:18:53 +00:00
|
|
|
return &t, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseArtifacts(result *[]*api.TaskArtifact, list *ast.ObjectList) error {
|
|
|
|
|
for _, o := range list.Elem().Items {
|
|
|
|
|
// Check for invalid keys
|
|
|
|
|
valid := []string{
|
|
|
|
|
"source",
|
|
|
|
|
"options",
|
2022-09-27 16:18:49 +00:00
|
|
|
"headers",
|
2019-08-09 19:18:53 +00:00
|
|
|
"mode",
|
|
|
|
|
"destination",
|
|
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(o.Val, valid); err != nil {
|
2019-08-09 19:18:53 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete(m, "options")
|
|
|
|
|
|
|
|
|
|
var ta api.TaskArtifact
|
|
|
|
|
if err := mapstructure.WeakDecode(m, &ta); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var optionList *ast.ObjectList
|
|
|
|
|
if ot, ok := o.Val.(*ast.ObjectType); ok {
|
|
|
|
|
optionList = ot.List
|
|
|
|
|
} else {
|
|
|
|
|
return fmt.Errorf("artifact should be an object")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if oo := optionList.Filter("options"); len(oo.Items) > 0 {
|
|
|
|
|
options := make(map[string]string)
|
|
|
|
|
if err := parseArtifactOption(options, oo); err != nil {
|
|
|
|
|
return multierror.Prefix(err, "options: ")
|
|
|
|
|
}
|
|
|
|
|
ta.GetterOptions = options
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*result = append(*result, &ta)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseArtifactOption(result map[string]string, list *ast.ObjectList) error {
|
|
|
|
|
list = list.Elem()
|
|
|
|
|
if len(list.Items) > 1 {
|
|
|
|
|
return fmt.Errorf("only one 'options' block allowed per artifact")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get our resource object
|
|
|
|
|
o := list.Items[0]
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := mapstructure.WeakDecode(m, &result); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseTemplates(result *[]*api.Template, list *ast.ObjectList) error {
|
|
|
|
|
for _, o := range list.Elem().Items {
|
2022-08-24 15:43:01 +00:00
|
|
|
// we'll need a list of all ast objects for later
|
|
|
|
|
var listVal *ast.ObjectList
|
|
|
|
|
if ot, ok := o.Val.(*ast.ObjectType); ok {
|
|
|
|
|
listVal = ot.List
|
|
|
|
|
} else {
|
|
|
|
|
return fmt.Errorf("should be an object")
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
// Check for invalid keys
|
|
|
|
|
valid := []string{
|
|
|
|
|
"change_mode",
|
|
|
|
|
"change_signal",
|
2022-08-24 15:43:01 +00:00
|
|
|
"change_script",
|
2019-08-09 19:18:53 +00:00
|
|
|
"data",
|
|
|
|
|
"destination",
|
|
|
|
|
"left_delimiter",
|
|
|
|
|
"perms",
|
2022-08-02 20:15:38 +00:00
|
|
|
"uid",
|
|
|
|
|
"gid",
|
2019-08-09 19:18:53 +00:00
|
|
|
"right_delimiter",
|
|
|
|
|
"source",
|
|
|
|
|
"splay",
|
|
|
|
|
"env",
|
2020-02-17 17:39:47 +00:00
|
|
|
"vault_grace", //COMPAT(0.12) not used; emits warning in 0.11.
|
2022-11-04 17:23:01 +00:00
|
|
|
"wait",
|
|
|
|
|
"error_on_missing_key",
|
2019-08-09 19:18:53 +00:00
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(o.Val, valid); err != nil {
|
2019-08-09 19:18:53 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-08-24 15:43:01 +00:00
|
|
|
delete(m, "change_script") // change_script is its own object
|
2019-08-09 19:18:53 +00:00
|
|
|
|
|
|
|
|
templ := &api.Template{
|
2022-11-04 17:23:01 +00:00
|
|
|
ChangeMode: stringToPtr("restart"),
|
|
|
|
|
Splay: timeToPtr(5 * time.Second),
|
|
|
|
|
Perms: stringToPtr("0644"),
|
|
|
|
|
Uid: pointer.Of(-1),
|
|
|
|
|
Gid: pointer.Of(-1),
|
|
|
|
|
ErrMissingKey: pointer.Of(false),
|
2019-08-09 19:18:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
|
|
|
|
|
DecodeHook: mapstructure.StringToTimeDurationHookFunc(),
|
|
|
|
|
WeaklyTypedInput: true,
|
|
|
|
|
Result: templ,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := dec.Decode(m); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-24 15:43:01 +00:00
|
|
|
// If we have change_script, parse it
|
|
|
|
|
if o := listVal.Filter("change_script"); len(o.Items) > 0 {
|
|
|
|
|
if len(o.Items) != 1 {
|
|
|
|
|
return fmt.Errorf(
|
2023-01-30 14:48:43 +00:00
|
|
|
"change_script -> expected single block, got %d", len(o.Items),
|
2022-08-24 15:43:01 +00:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
changeScriptBlock := o.Items[0]
|
|
|
|
|
|
|
|
|
|
// check for invalid fields
|
|
|
|
|
valid := []string{"command", "args", "timeout", "fail_on_error"}
|
|
|
|
|
if err := checkHCLKeys(changeScriptBlock.Val, valid); err != nil {
|
|
|
|
|
return multierror.Prefix(err, "change_script ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := hcl.DecodeObject(&m, changeScriptBlock.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
templ.ChangeScript = &api.ChangeScript{}
|
|
|
|
|
dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
|
|
|
|
|
DecodeHook: mapstructure.StringToTimeDurationHookFunc(),
|
|
|
|
|
WeaklyTypedInput: true,
|
|
|
|
|
Result: templ.ChangeScript,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := dec.Decode(m); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
*result = append(*result, templ)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-09 22:30:40 +00:00
|
|
|
func parseTaskScalingPolicies(result *[]*api.ScalingPolicy, list *ast.ObjectList) error {
|
|
|
|
|
if len(list.Items) == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
errPrefix := "scaling ->"
|
|
|
|
|
// Go through each object and turn it into an actual result.
|
|
|
|
|
seen := make(map[string]bool)
|
|
|
|
|
for _, item := range list.Items {
|
|
|
|
|
if l := len(item.Keys); l == 0 {
|
|
|
|
|
return multierror.Prefix(fmt.Errorf("task scaling policy missing name"), errPrefix)
|
|
|
|
|
} else if l > 1 {
|
|
|
|
|
return multierror.Prefix(fmt.Errorf("task scaling policy should only have one name"), errPrefix)
|
|
|
|
|
}
|
|
|
|
|
n := item.Keys[0].Token.Value().(string)
|
|
|
|
|
errPrefix = fmt.Sprintf("scaling[%v] ->", n)
|
|
|
|
|
|
|
|
|
|
var policyType string
|
|
|
|
|
switch strings.ToLower(n) {
|
|
|
|
|
case "cpu":
|
|
|
|
|
policyType = "vertical_cpu"
|
|
|
|
|
case "mem":
|
|
|
|
|
policyType = "vertical_mem"
|
|
|
|
|
default:
|
|
|
|
|
return multierror.Prefix(fmt.Errorf(`scaling policy name must be "cpu" or "mem"`), errPrefix)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Make sure we haven't already found this
|
|
|
|
|
if seen[n] {
|
|
|
|
|
return multierror.Prefix(fmt.Errorf("scaling policy cannot be defined more than once"), errPrefix)
|
|
|
|
|
}
|
|
|
|
|
seen[n] = true
|
|
|
|
|
|
|
|
|
|
p, err := parseScalingPolicy(item)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return multierror.Prefix(err, errPrefix)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if p.Type == "" {
|
|
|
|
|
p.Type = policyType
|
|
|
|
|
} else if p.Type != policyType {
|
|
|
|
|
return multierror.Prefix(fmt.Errorf("policy had invalid 'type': %q", p.Type), errPrefix)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*result = append(*result, p)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:18:53 +00:00
|
|
|
func parseResources(result *api.Resources, list *ast.ObjectList) error {
|
|
|
|
|
list = list.Elem()
|
|
|
|
|
if len(list.Items) == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
if len(list.Items) > 1 {
|
|
|
|
|
return fmt.Errorf("only one 'resource' block allowed per task")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get our resource object
|
|
|
|
|
o := list.Items[0]
|
|
|
|
|
|
|
|
|
|
// We need this later
|
|
|
|
|
var listVal *ast.ObjectList
|
|
|
|
|
if ot, ok := o.Val.(*ast.ObjectType); ok {
|
|
|
|
|
listVal = ot.List
|
|
|
|
|
} else {
|
|
|
|
|
return fmt.Errorf("resource: should be an object")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check for invalid keys
|
|
|
|
|
valid := []string{
|
|
|
|
|
"cpu",
|
|
|
|
|
"iops", // COMPAT(0.10): Remove after one release to allow it to be removed from jobspecs
|
|
|
|
|
"disk",
|
|
|
|
|
"memory",
|
2021-03-26 20:11:26 +00:00
|
|
|
"memory_max",
|
2019-08-09 19:18:53 +00:00
|
|
|
"network",
|
|
|
|
|
"device",
|
2021-07-26 15:25:28 +00:00
|
|
|
"cores",
|
2019-08-09 19:18:53 +00:00
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(listVal, valid); err != nil {
|
2019-08-09 19:18:53 +00:00
|
|
|
return multierror.Prefix(err, "resources ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
delete(m, "network")
|
|
|
|
|
delete(m, "device")
|
|
|
|
|
|
|
|
|
|
if err := mapstructure.WeakDecode(m, result); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse the network resources
|
|
|
|
|
if o := listVal.Filter("network"); len(o.Items) > 0 {
|
2019-10-24 14:41:54 +00:00
|
|
|
r, err := ParseNetwork(o)
|
2019-08-09 19:18:53 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("resource, %v", err)
|
|
|
|
|
}
|
|
|
|
|
result.Networks = []*api.NetworkResource{r}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse the device resources
|
|
|
|
|
if o := listVal.Filter("device"); len(o.Items) > 0 {
|
|
|
|
|
result.Devices = make([]*api.RequestedDevice, len(o.Items))
|
|
|
|
|
for idx, do := range o.Items {
|
|
|
|
|
if l := len(do.Keys); l == 0 {
|
|
|
|
|
return multierror.Prefix(fmt.Errorf("missing device name"), fmt.Sprintf("resources, device[%d]->", idx))
|
|
|
|
|
} else if l > 1 {
|
|
|
|
|
return multierror.Prefix(fmt.Errorf("only one name may be specified"), fmt.Sprintf("resources, device[%d]->", idx))
|
|
|
|
|
}
|
|
|
|
|
name := do.Keys[0].Token.Value().(string)
|
|
|
|
|
|
|
|
|
|
// Value should be an object
|
|
|
|
|
var listVal *ast.ObjectList
|
|
|
|
|
if ot, ok := do.Val.(*ast.ObjectType); ok {
|
|
|
|
|
listVal = ot.List
|
|
|
|
|
} else {
|
|
|
|
|
return fmt.Errorf("device should be an object")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check for invalid keys
|
|
|
|
|
valid := []string{
|
|
|
|
|
"name",
|
|
|
|
|
"count",
|
|
|
|
|
"affinity",
|
|
|
|
|
"constraint",
|
|
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(do.Val, valid); err != nil {
|
2019-08-09 19:18:53 +00:00
|
|
|
return multierror.Prefix(err, fmt.Sprintf("resources, device[%d]->", idx))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set the name
|
|
|
|
|
var r api.RequestedDevice
|
|
|
|
|
r.Name = name
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, do.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
delete(m, "constraint")
|
|
|
|
|
delete(m, "affinity")
|
|
|
|
|
|
|
|
|
|
if err := mapstructure.WeakDecode(m, &r); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse constraints
|
|
|
|
|
if o := listVal.Filter("constraint"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseConstraints(&r.Constraints, o); err != nil {
|
|
|
|
|
return multierror.Prefix(err, "constraint ->")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse affinities
|
|
|
|
|
if o := listVal.Filter("affinity"); len(o.Items) > 0 {
|
|
|
|
|
if err := parseAffinities(&r.Affinities, o); err != nil {
|
|
|
|
|
return multierror.Prefix(err, "affinity ->")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Devices[idx] = &r
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2019-07-25 14:42:11 +00:00
|
|
|
|
|
|
|
|
func parseVolumeMounts(out *[]*api.VolumeMount, list *ast.ObjectList) error {
|
|
|
|
|
mounts := make([]*api.VolumeMount, len(list.Items))
|
|
|
|
|
|
|
|
|
|
for i, item := range list.Items {
|
|
|
|
|
valid := []string{
|
|
|
|
|
"volume",
|
|
|
|
|
"read_only",
|
|
|
|
|
"destination",
|
volumes: Add support for mount propagation
This commit introduces support for configuring mount propagation when
mounting volumes with the `volume_mount` stanza on Linux targets.
Similar to Kubernetes, we expose 3 options for configuring mount
propagation:
- private, which is equivalent to `rprivate` on Linux, which does not allow the
container to see any new nested mounts after the chroot was created.
- host-to-task, which is equivalent to `rslave` on Linux, which allows new mounts
that have been created _outside of the container_ to be visible
inside the container after the chroot is created.
- bidirectional, which is equivalent to `rshared` on Linux, which allows both
the container to see new mounts created on the host, but
importantly _allows the container to create mounts that are
visible in other containers an don the host_
private and host-to-task are safe, but bidirectional mounts can be
dangerous, as if the code inside a container creates a mount, and does
not clean it up before tearing down the container, it can cause bad
things to happen inside the kernel.
To add a layer of safety here, we require that the user has ReadWrite
permissions on the volume before allowing bidirectional mounts, as a
defense in depth / validation case, although creating mounts should also require
a priviliged execution environment inside the container.
2019-09-13 21:13:20 +00:00
|
|
|
"propagation_mode",
|
2019-07-25 14:42:11 +00:00
|
|
|
}
|
2020-09-03 11:34:04 +00:00
|
|
|
if err := checkHCLKeys(item.Val, valid); err != nil {
|
2019-07-25 14:42:11 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, item.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var result api.VolumeMount
|
|
|
|
|
dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
|
|
|
|
|
WeaklyTypedInput: true,
|
|
|
|
|
Result: &result,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := dec.Decode(m); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mounts[i] = &result
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*out = mounts
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2023-02-02 18:59:14 +00:00
|
|
|
|
|
|
|
|
func parseIdentity(out *api.WorkloadIdentity, list *ast.ObjectList) error {
|
|
|
|
|
list = list.Elem()
|
|
|
|
|
if len(list.Items) == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
if len(list.Items) > 1 {
|
|
|
|
|
return fmt.Errorf("only one 'identity' block allowed per task")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
o := list.Items[0]
|
|
|
|
|
var listVal *ast.ObjectList
|
|
|
|
|
if ot, ok := o.Val.(*ast.ObjectType); ok {
|
|
|
|
|
listVal = ot.List
|
|
|
|
|
} else {
|
|
|
|
|
return fmt.Errorf("identity: should be an object")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
valid := []string{
|
|
|
|
|
"env",
|
|
|
|
|
"file",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := checkHCLKeys(listVal, valid); err != nil {
|
|
|
|
|
return multierror.Prefix(err, "identity ->")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var m map[string]interface{}
|
|
|
|
|
if err := hcl.DecodeObject(&m, o.Val); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := mapstructure.WeakDecode(m, out); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|