Merge pull request #7149 from th0m/tlefebvre/no-pivot-root

client: support no_pivot_root in exec driver configuration
2020-02-19 12:18:51 -06:00 · 2020-02-19 12:18:51 -06:00 · 07943f95a4
parent 21b119cdb0 84baa950ce
commit 07943f95a4
9 changed files with 163 additions and 78 deletions
--- a/drivers/exec/driver.go
+++ b/drivers/exec/driver.go
@ -59,7 +59,12 @@ var (
 	}

 	// configSpec is the hcl specification returned by the ConfigSchema RPC
-	configSpec = hclspec.NewObject(map[string]*hclspec.Spec{})
+	configSpec = hclspec.NewObject(map[string]*hclspec.Spec{
+		"no_pivot_root": hclspec.NewDefault(
+			hclspec.NewAttr("no_pivot_root", "bool", false),
+			hclspec.NewLiteral("false"),
+		),
+	})

 	// taskConfigSpec is the hcl specification for the driver config section of
 	// a task within a job. It is returned in the TaskConfigSchema RPC
@ -88,6 +93,9 @@ type Driver struct {
 	// event can be broadcast to all callers
 	eventer *eventer.Eventer

+	// config is the driver configuration set by the SetConfig RPC
+	config Config
+
 	// nomadConfig is the client config from nomad
 	nomadConfig *base.ClientDriverConfig

@ -111,6 +119,13 @@ type Driver struct {
 	fingerprintLock    sync.Mutex
 }

+// Config is the driver configuration set by the SetConfig RPC call
+type Config struct {
+	// NoPivotRoot disables the use of pivot_root, useful when the root partition
+	// is on ramdisk
+	NoPivotRoot bool `codec:"no_pivot_root"`
+}
+
 // TaskConfig is the driver configuration of a task within a job
 type TaskConfig struct {
 	Command string   `codec:"command"`
@ -171,6 +186,14 @@ func (d *Driver) ConfigSchema() (*hclspec.Spec, error) {
 }

 func (d *Driver) SetConfig(cfg *base.Config) error {
+	var config Config
+	if len(cfg.PluginConfig) != 0 {
+		if err := base.MsgPackDecode(cfg.PluginConfig, &config); err != nil {
+			return err
+		}
+	}
+
+	d.config = config
 	if cfg != nil && cfg.AgentConfig != nil {
 		d.nomadConfig = cfg.AgentConfig.Driver
 	}
@ -352,6 +375,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		Env:              cfg.EnvList(),
 		User:             user,
 		ResourceLimits:   true,
+		NoPivotRoot:      d.config.NoPivotRoot,
 		Resources:        cfg.Resources,
 		TaskDir:          cfg.TaskDir().Dir,
 		StdoutPath:       cfg.StdoutPath,
--- a/drivers/exec/driver_test.go
+++ b/drivers/exec/driver_test.go
@ -22,6 +22,7 @@ import (
 	"github.com/hashicorp/nomad/helper/testtask"
 	"github.com/hashicorp/nomad/helper/uuid"
 	"github.com/hashicorp/nomad/nomad/structs"
+	basePlug "github.com/hashicorp/nomad/plugins/base"
 	"github.com/hashicorp/nomad/plugins/drivers"
 	dtestutil "github.com/hashicorp/nomad/plugins/drivers/testutils"
 	"github.com/hashicorp/nomad/testutil"
@ -671,3 +672,36 @@ config {

 	require.EqualValues(t, expected, tc)
 }
+
+func TestExecDriver_NoPivotRoot(t *testing.T) {
+	t.Parallel()
+	require := require.New(t)
+	ctestutils.ExecCompatible(t)
+
+	d := NewExecDriver(testlog.HCLogger(t))
+	harness := dtestutil.NewDriverHarness(t, d)
+
+	config := &Config{NoPivotRoot: true}
+	var data []byte
+	require.NoError(basePlug.MsgPackEncode(&data, config))
+	bconfig := &basePlug.Config{PluginConfig: data}
+	require.NoError(harness.SetConfig(bconfig))
+
+	task := &drivers.TaskConfig{
+		ID:        uuid.Generate(),
+		Name:      "sleep",
+		Resources: testResources,
+	}
+	cleanup := harness.MkAllocDir(task, false)
+	defer cleanup()
+
+	tc := &TaskConfig{
+		Command: "/bin/sleep",
+		Args:    []string{"100"},
+	}
+	require.NoError(task.EncodeConcreteDriverConfig(&tc))
+
+	handle, _, err := harness.StartTask(task)
+	require.NoError(err)
+	require.NotNil(handle)
+}
--- a/drivers/shared/executor/client.go
+++ b/drivers/shared/executor/client.go
@ -41,6 +41,7 @@ func (c *grpcExecutorClient) Launch(cmd *ExecCommand) (*ProcessState, error) {
 		TaskDir:            cmd.TaskDir,
 		ResourceLimits:     cmd.ResourceLimits,
 		BasicProcessCgroup: cmd.BasicProcessCgroup,
+		NoPivotRoot:        cmd.NoPivotRoot,
 		Mounts:             drivers.MountsToProto(cmd.Mounts),
 		Devices:            drivers.DevicesToProto(cmd.Devices),
 		NetworkIsolation:   drivers.NetworkIsolationSpecToProto(cmd.NetworkIsolation),
--- a/drivers/shared/executor/executor.go
+++ b/drivers/shared/executor/executor.go
@ -121,6 +121,11 @@ type ExecCommand struct {
 	// Using the cgroup does allow more precise cleanup of processes.
 	BasicProcessCgroup bool

+	// NoPivotRoot disables using pivot_root for isolation, useful when the root
+	// partition is on a ramdisk which does not support pivot_root,
+	// see man 2 pivot_root
+	NoPivotRoot bool
+
 	// Mounts are the host paths to be be made available inside rootfs
 	Mounts []*drivers.MountConfig

--- a/drivers/shared/executor/executor_linux.go
+++ b/drivers/shared/executor/executor_linux.go
@ -573,6 +573,9 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 	// set the new root directory for the container
 	cfg.Rootfs = command.TaskDir

+	// disable pivot_root if set in the driver's configuration
+	cfg.NoPivotRoot = command.NoPivotRoot
+
 	// launch with mount namespace
 	cfg.Namespaces = lconfigs.Namespaces{
 		{Type: lconfigs.NEWNS},
--- a/drivers/shared/executor/proto/executor.pb.go
+++ b/drivers/shared/executor/proto/executor.pb.go
@ -39,6 +39,7 @@ type LaunchRequest struct {
 	Mounts               []*proto1.Mount              `protobuf:"bytes,11,rep,name=mounts,proto3" json:"mounts,omitempty"`
 	Devices              []*proto1.Device             `protobuf:"bytes,12,rep,name=devices,proto3" json:"devices,omitempty"`
 	NetworkIsolation     *proto1.NetworkIsolationSpec `protobuf:"bytes,13,opt,name=network_isolation,json=networkIsolation,proto3" json:"network_isolation,omitempty"`
+	NoPivotRoot          bool                         `protobuf:"varint,14,opt,name=no_pivot_root,json=noPivotRoot,proto3" json:"no_pivot_root,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}                     `json:"-"`
 	XXX_unrecognized     []byte                       `json:"-"`
 	XXX_sizecache        int32                        `json:"-"`
@ -48,7 +49,7 @@ func (m *LaunchRequest) Reset()         { *m = LaunchRequest{} }
 func (m *LaunchRequest) String() string { return proto.CompactTextString(m) }
 func (*LaunchRequest) ProtoMessage()    {}
 func (*LaunchRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{0}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{0}
 }
 func (m *LaunchRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_LaunchRequest.Unmarshal(m, b)
@ -159,6 +160,13 @@ func (m *LaunchRequest) GetNetworkIsolation() *proto1.NetworkIsolationSpec {
 	return nil
 }

+func (m *LaunchRequest) GetNoPivotRoot() bool {
+	if m != nil {
+		return m.NoPivotRoot
+	}
+	return false
+}
+
 type LaunchResponse struct {
 	Process              *ProcessState `protobuf:"bytes,1,opt,name=process,proto3" json:"process,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
@ -170,7 +178,7 @@ func (m *LaunchResponse) Reset()         { *m = LaunchResponse{} }
 func (m *LaunchResponse) String() string { return proto.CompactTextString(m) }
 func (*LaunchResponse) ProtoMessage()    {}
 func (*LaunchResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{1}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{1}
 }
 func (m *LaunchResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_LaunchResponse.Unmarshal(m, b)
@ -207,7 +215,7 @@ func (m *WaitRequest) Reset()         { *m = WaitRequest{} }
 func (m *WaitRequest) String() string { return proto.CompactTextString(m) }
 func (*WaitRequest) ProtoMessage()    {}
 func (*WaitRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{2}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{2}
 }
 func (m *WaitRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_WaitRequest.Unmarshal(m, b)
@ -238,7 +246,7 @@ func (m *WaitResponse) Reset()         { *m = WaitResponse{} }
 func (m *WaitResponse) String() string { return proto.CompactTextString(m) }
 func (*WaitResponse) ProtoMessage()    {}
 func (*WaitResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{3}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{3}
 }
 func (m *WaitResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_WaitResponse.Unmarshal(m, b)
@ -277,7 +285,7 @@ func (m *ShutdownRequest) Reset()         { *m = ShutdownRequest{} }
 func (m *ShutdownRequest) String() string { return proto.CompactTextString(m) }
 func (*ShutdownRequest) ProtoMessage()    {}
 func (*ShutdownRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{4}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{4}
 }
 func (m *ShutdownRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ShutdownRequest.Unmarshal(m, b)
@ -321,7 +329,7 @@ func (m *ShutdownResponse) Reset()         { *m = ShutdownResponse{} }
 func (m *ShutdownResponse) String() string { return proto.CompactTextString(m) }
 func (*ShutdownResponse) ProtoMessage()    {}
 func (*ShutdownResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{5}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{5}
 }
 func (m *ShutdownResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ShutdownResponse.Unmarshal(m, b)
@ -352,7 +360,7 @@ func (m *UpdateResourcesRequest) Reset()         { *m = UpdateResourcesRequest{}
 func (m *UpdateResourcesRequest) String() string { return proto.CompactTextString(m) }
 func (*UpdateResourcesRequest) ProtoMessage()    {}
 func (*UpdateResourcesRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{6}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{6}
 }
 func (m *UpdateResourcesRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_UpdateResourcesRequest.Unmarshal(m, b)
@ -389,7 +397,7 @@ func (m *UpdateResourcesResponse) Reset()         { *m = UpdateResourcesResponse
 func (m *UpdateResourcesResponse) String() string { return proto.CompactTextString(m) }
 func (*UpdateResourcesResponse) ProtoMessage()    {}
 func (*UpdateResourcesResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{7}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{7}
 }
 func (m *UpdateResourcesResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_UpdateResourcesResponse.Unmarshal(m, b)
@ -419,7 +427,7 @@ func (m *VersionRequest) Reset()         { *m = VersionRequest{} }
 func (m *VersionRequest) String() string { return proto.CompactTextString(m) }
 func (*VersionRequest) ProtoMessage()    {}
 func (*VersionRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{8}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{8}
 }
 func (m *VersionRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_VersionRequest.Unmarshal(m, b)
@ -450,7 +458,7 @@ func (m *VersionResponse) Reset()         { *m = VersionResponse{} }
 func (m *VersionResponse) String() string { return proto.CompactTextString(m) }
 func (*VersionResponse) ProtoMessage()    {}
 func (*VersionResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{9}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{9}
 }
 func (m *VersionResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_VersionResponse.Unmarshal(m, b)
@ -488,7 +496,7 @@ func (m *StatsRequest) Reset()         { *m = StatsRequest{} }
 func (m *StatsRequest) String() string { return proto.CompactTextString(m) }
 func (*StatsRequest) ProtoMessage()    {}
 func (*StatsRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{10}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{10}
 }
 func (m *StatsRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_StatsRequest.Unmarshal(m, b)
@ -526,7 +534,7 @@ func (m *StatsResponse) Reset()         { *m = StatsResponse{} }
 func (m *StatsResponse) String() string { return proto.CompactTextString(m) }
 func (*StatsResponse) ProtoMessage()    {}
 func (*StatsResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{11}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{11}
 }
 func (m *StatsResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_StatsResponse.Unmarshal(m, b)
@ -564,7 +572,7 @@ func (m *SignalRequest) Reset()         { *m = SignalRequest{} }
 func (m *SignalRequest) String() string { return proto.CompactTextString(m) }
 func (*SignalRequest) ProtoMessage()    {}
 func (*SignalRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{12}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{12}
 }
 func (m *SignalRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_SignalRequest.Unmarshal(m, b)
@ -601,7 +609,7 @@ func (m *SignalResponse) Reset()         { *m = SignalResponse{} }
 func (m *SignalResponse) String() string { return proto.CompactTextString(m) }
 func (*SignalResponse) ProtoMessage()    {}
 func (*SignalResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{13}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{13}
 }
 func (m *SignalResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_SignalResponse.Unmarshal(m, b)
@ -634,7 +642,7 @@ func (m *ExecRequest) Reset()         { *m = ExecRequest{} }
 func (m *ExecRequest) String() string { return proto.CompactTextString(m) }
 func (*ExecRequest) ProtoMessage()    {}
 func (*ExecRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{14}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{14}
 }
 func (m *ExecRequest) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ExecRequest.Unmarshal(m, b)
@ -687,7 +695,7 @@ func (m *ExecResponse) Reset()         { *m = ExecResponse{} }
 func (m *ExecResponse) String() string { return proto.CompactTextString(m) }
 func (*ExecResponse) ProtoMessage()    {}
 func (*ExecResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{15}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{15}
 }
 func (m *ExecResponse) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ExecResponse.Unmarshal(m, b)
@ -735,7 +743,7 @@ func (m *ProcessState) Reset()         { *m = ProcessState{} }
 func (m *ProcessState) String() string { return proto.CompactTextString(m) }
 func (*ProcessState) ProtoMessage()    {}
 func (*ProcessState) Descriptor() ([]byte, []int) {
-	return fileDescriptor_executor_43dc81e71868eb7b, []int{16}
+	return fileDescriptor_executor_cd718424b22c7ed3, []int{16}
 }
 func (m *ProcessState) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ProcessState.Unmarshal(m, b)
@ -1200,69 +1208,71 @@ var _Executor_serviceDesc = grpc.ServiceDesc{
 }

 func init() {
-	proto.RegisterFile("drivers/shared/executor/proto/executor.proto", fileDescriptor_executor_43dc81e71868eb7b)
+	proto.RegisterFile("drivers/shared/executor/proto/executor.proto", fileDescriptor_executor_cd718424b22c7ed3)
 }

-var fileDescriptor_executor_43dc81e71868eb7b = []byte{
-	// 955 bytes of a gzipped FileDescriptorProto
+var fileDescriptor_executor_cd718424b22c7ed3 = []byte{
+	// 977 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x5b, 0x6f, 0x1b, 0x45,
 	0x14, 0xee, 0xc6, 0xf1, 0xed, 0xd8, 0x4e, 0xcc, 0x08, 0x85, 0xad, 0x79, 0xa8, 0xd9, 0x07, 0x6a,
 	0x41, 0x59, 0x47, 0xe9, 0x0d, 0x09, 0x41, 0x11, 0x49, 0x41, 0x48, 0x21, 0x8a, 0xd6, 0x85, 0x4a,
-	0x3c, 0x60, 0x26, 0xbb, 0xc3, 0xee, 0x28, 0xf6, 0xce, 0x32, 0x33, 0xeb, 0x06, 0x09, 0x89, 0x27,
-	0xfe, 0x01, 0x48, 0xfc, 0x38, 0x7e, 0x0c, 0x9a, 0xdb, 0xc6, 0x4e, 0x4b, 0xb5, 0x2e, 0xe2, 0xc9,
-	0x33, 0x67, 0xcf, 0xf7, 0x9d, 0xcb, 0x9c, 0xf3, 0x19, 0xee, 0x25, 0x9c, 0xae, 0x08, 0x17, 0x53,
-	0x91, 0x61, 0x4e, 0x92, 0x29, 0xb9, 0x22, 0x71, 0x29, 0x19, 0x9f, 0x16, 0x9c, 0x49, 0x56, 0x5d,
-	0x43, 0x7d, 0x45, 0xef, 0x67, 0x58, 0x64, 0x34, 0x66, 0xbc, 0x08, 0x73, 0xb6, 0xc4, 0x49, 0x58,
-	0x2c, 0xca, 0x94, 0xe6, 0x22, 0xdc, 0xf4, 0x1b, 0xdd, 0x49, 0x19, 0x4b, 0x17, 0xc4, 0x90, 0x5c,
-	0x94, 0x3f, 0x4d, 0x25, 0x5d, 0x12, 0x21, 0xf1, 0xb2, 0xb0, 0x0e, 0x9f, 0xa6, 0x54, 0x66, 0xe5,
-	0x45, 0x18, 0xb3, 0xe5, 0xb4, 0xe2, 0x9c, 0x6a, 0xce, 0xa9, 0xe5, 0x9c, 0xba, 0xcc, 0x4c, 0x26,
-	0xe6, 0x66, 0xe0, 0xc1, 0xdf, 0xbb, 0x30, 0x38, 0xc5, 0x65, 0x1e, 0x67, 0x11, 0xf9, 0xb9, 0x24,
-	0x42, 0xa2, 0x21, 0x34, 0xe2, 0x65, 0xe2, 0x7b, 0x63, 0x6f, 0xd2, 0x8d, 0xd4, 0x11, 0x21, 0xd8,
-	0xc5, 0x3c, 0x15, 0xfe, 0xce, 0xb8, 0x31, 0xe9, 0x46, 0xfa, 0x8c, 0xce, 0xa0, 0xcb, 0x89, 0x60,
-	0x25, 0x8f, 0x89, 0xf0, 0x1b, 0x63, 0x6f, 0xd2, 0x3b, 0x3a, 0x0c, 0xff, 0xad, 0x26, 0x1b, 0xdf,
-	0x84, 0x0c, 0x23, 0x87, 0x8b, 0xae, 0x29, 0xd0, 0x1d, 0xe8, 0x09, 0x99, 0xb0, 0x52, 0xce, 0x0b,
-	0x2c, 0x33, 0x7f, 0x57, 0x47, 0x07, 0x63, 0x3a, 0xc7, 0x32, 0xb3, 0x0e, 0x84, 0x73, 0xe3, 0xd0,
-	0xac, 0x1c, 0x08, 0xe7, 0xda, 0x61, 0x08, 0x0d, 0x92, 0xaf, 0xfc, 0x96, 0x4e, 0x52, 0x1d, 0x55,
-	0xde, 0xa5, 0x20, 0xdc, 0x6f, 0x6b, 0x5f, 0x7d, 0x46, 0xb7, 0xa1, 0x23, 0xb1, 0xb8, 0x9c, 0x27,
-	0x94, 0xfb, 0x1d, 0x6d, 0x6f, 0xab, 0xfb, 0x09, 0xe5, 0xe8, 0x2e, 0xec, 0xbb, 0x7c, 0xe6, 0x0b,
-	0xba, 0xa4, 0x52, 0xf8, 0xdd, 0xb1, 0x37, 0xe9, 0x44, 0x7b, 0xce, 0x7c, 0xaa, 0xad, 0xe8, 0x10,
-	0xde, 0xbe, 0xc0, 0x82, 0xc6, 0xf3, 0x82, 0xb3, 0x98, 0x08, 0x31, 0x8f, 0x53, 0xce, 0xca, 0xc2,
-	0x07, 0xed, 0x8d, 0xf4, 0xb7, 0x73, 0xf3, 0xe9, 0x58, 0x7f, 0x41, 0x27, 0xd0, 0x5a, 0xb2, 0x32,
-	0x97, 0xc2, 0xef, 0x8d, 0x1b, 0x93, 0xde, 0xd1, 0xbd, 0x9a, 0xad, 0xfa, 0x46, 0x81, 0x22, 0x8b,
-	0x45, 0x5f, 0x41, 0x3b, 0x21, 0x2b, 0xaa, 0x3a, 0xde, 0xd7, 0x34, 0x1f, 0xd5, 0xa4, 0x39, 0xd1,
-	0xa8, 0xc8, 0xa1, 0x51, 0x06, 0x6f, 0xe5, 0x44, 0xbe, 0x60, 0xfc, 0x72, 0x4e, 0x05, 0x5b, 0x60,
-	0x49, 0x59, 0xee, 0x0f, 0xf4, 0x23, 0x7e, 0x52, 0x93, 0xf2, 0xcc, 0xe0, 0xbf, 0x76, 0xf0, 0x59,
-	0x41, 0xe2, 0x68, 0x98, 0xdf, 0xb0, 0x06, 0x3f, 0xc2, 0x9e, 0x9b, 0x2e, 0x51, 0xb0, 0x5c, 0x10,
-	0x74, 0x06, 0x6d, 0xdb, 0x36, 0x3d, 0x62, 0xbd, 0xa3, 0x07, 0x61, 0xbd, 0x55, 0x08, 0x6d, 0x4b,
-	0x67, 0x12, 0x4b, 0x12, 0x39, 0x92, 0x60, 0x00, 0xbd, 0xe7, 0x98, 0x4a, 0x3b, 0xbd, 0xc1, 0x0f,
-	0xd0, 0x37, 0xd7, 0xff, 0x29, 0xdc, 0x29, 0xec, 0xcf, 0xb2, 0x52, 0x26, 0xec, 0x45, 0xee, 0x16,
-	0xe6, 0x00, 0x5a, 0x82, 0xa6, 0x39, 0x5e, 0xd8, 0x9d, 0xb1, 0x37, 0xf4, 0x1e, 0xf4, 0x53, 0x8e,
-	0x63, 0x32, 0x2f, 0x08, 0xa7, 0x2c, 0xf1, 0x77, 0xc6, 0xde, 0xa4, 0x11, 0xf5, 0xb4, 0xed, 0x5c,
-	0x9b, 0x02, 0x04, 0xc3, 0x6b, 0x36, 0x93, 0x71, 0x90, 0xc1, 0xc1, 0xb7, 0x45, 0xa2, 0x82, 0x56,
-	0x7b, 0x62, 0x03, 0x6d, 0xec, 0x9c, 0xf7, 0x9f, 0x77, 0x2e, 0xb8, 0x0d, 0xef, 0xbc, 0x14, 0xc9,
-	0x26, 0x31, 0x84, 0xbd, 0xef, 0x08, 0x17, 0x94, 0xb9, 0x2a, 0x83, 0x0f, 0x61, 0xbf, 0xb2, 0xd8,
-	0xde, 0xfa, 0xd0, 0x5e, 0x19, 0x93, 0xad, 0xdc, 0x5d, 0x83, 0x0f, 0xa0, 0xaf, 0xfa, 0x56, 0x65,
-	0x3e, 0x82, 0x0e, 0xcd, 0x25, 0xe1, 0x2b, 0xdb, 0xa4, 0x46, 0x54, 0xdd, 0x83, 0xe7, 0x30, 0xb0,
-	0xbe, 0x96, 0xf6, 0x4b, 0x68, 0x0a, 0x65, 0xd8, 0xb2, 0xc4, 0x67, 0x58, 0x5c, 0x1a, 0x22, 0x03,
-	0x0f, 0xee, 0xc2, 0x60, 0xa6, 0x5f, 0xe2, 0xd5, 0x0f, 0xd5, 0x74, 0x0f, 0xa5, 0x8a, 0x75, 0x8e,
-	0xb6, 0xfc, 0x4b, 0xe8, 0x3d, 0xbd, 0x22, 0xb1, 0x03, 0x3e, 0x82, 0x4e, 0x42, 0x70, 0xb2, 0xa0,
-	0x39, 0xb1, 0x49, 0x8d, 0x42, 0xa3, 0xcb, 0xa1, 0xd3, 0xe5, 0xf0, 0x99, 0xd3, 0xe5, 0xa8, 0xf2,
-	0x75, 0x52, 0xba, 0xf3, 0xb2, 0x94, 0x36, 0xae, 0xa5, 0x34, 0x38, 0x86, 0xbe, 0x09, 0x66, 0xeb,
-	0x3f, 0x80, 0x16, 0x2b, 0x65, 0x51, 0x4a, 0x1d, 0xab, 0x1f, 0xd9, 0x1b, 0x7a, 0x17, 0xba, 0xe4,
-	0x8a, 0xca, 0x79, 0xcc, 0x12, 0xa2, 0x39, 0x9b, 0x51, 0x47, 0x19, 0x8e, 0x59, 0x42, 0x82, 0xdf,
-	0x3d, 0xe8, 0xaf, 0x4f, 0xac, 0x8a, 0x5d, 0xd0, 0xc4, 0x56, 0xaa, 0x8e, 0xaf, 0xc5, 0xaf, 0xf5,
-	0xa6, 0xb1, 0xde, 0x1b, 0x14, 0xc2, 0xae, 0xfa, 0xc7, 0xd1, 0x82, 0xfc, 0xfa, 0xb2, 0xb5, 0xdf,
-	0xd1, 0x9f, 0x5d, 0xe8, 0x3c, 0xb5, 0x8b, 0x84, 0x7e, 0x81, 0x96, 0xd9, 0x7e, 0xf4, 0xb0, 0xee,
-	0xd6, 0x6d, 0xfc, 0x17, 0x8d, 0x1e, 0x6d, 0x0b, 0xb3, 0xef, 0x77, 0x0b, 0x09, 0xd8, 0x55, 0x3a,
-	0x80, 0xee, 0xd7, 0x65, 0x58, 0x13, 0x91, 0xd1, 0x83, 0xed, 0x40, 0x55, 0xd0, 0xdf, 0xa0, 0xe3,
-	0xd6, 0x19, 0x3d, 0xae, 0xcb, 0x71, 0x43, 0x4e, 0x46, 0x1f, 0x6f, 0x0f, 0xac, 0x12, 0xf8, 0xc3,
-	0x83, 0xfd, 0x1b, 0x2b, 0x8d, 0x3e, 0xab, 0xcb, 0xf7, 0x6a, 0xd5, 0x19, 0x3d, 0x79, 0x63, 0x7c,
-	0x95, 0xd6, 0xaf, 0xd0, 0xb6, 0xda, 0x81, 0x6a, 0xbf, 0xe8, 0xa6, 0xfc, 0x8c, 0x1e, 0x6f, 0x8d,
-	0xab, 0xa2, 0x5f, 0x41, 0x53, 0xeb, 0x02, 0xaa, 0xfd, 0xac, 0xeb, 0xda, 0x35, 0x7a, 0xb8, 0x25,
-	0xca, 0xc5, 0x3d, 0xf4, 0xd4, 0xfc, 0x1b, 0x61, 0xa9, 0x3f, 0xff, 0x1b, 0x8a, 0x55, 0x7f, 0xfe,
-	0x6f, 0xe8, 0x97, 0x9e, 0x7f, 0xb5, 0x86, 0xf5, 0xe7, 0x7f, 0x4d, 0xef, 0xea, 0xcf, 0xff, 0xba,
-	0x6e, 0x05, 0xb7, 0xd0, 0x5f, 0x1e, 0x0c, 0x94, 0x69, 0x26, 0x39, 0xc1, 0x4b, 0x9a, 0xa7, 0xe8,
-	0x49, 0x4d, 0xf1, 0x56, 0x28, 0x23, 0xe0, 0x16, 0xe9, 0x52, 0xf9, 0xfc, 0xcd, 0x09, 0x5c, 0x5a,
-	0x13, 0xef, 0xd0, 0xfb, 0xa2, 0xfd, 0x7d, 0xd3, 0x68, 0x56, 0x4b, 0xff, 0xdc, 0xff, 0x27, 0x00,
-	0x00, 0xff, 0xff, 0xad, 0xfe, 0x69, 0xb2, 0xaf, 0x0b, 0x00, 0x00,
+	0x3c, 0xb0, 0x4c, 0x76, 0x07, 0xef, 0x28, 0xf6, 0xce, 0x32, 0x33, 0xeb, 0x06, 0x09, 0x09, 0x5e,
+	0xf8, 0x07, 0x20, 0xf1, 0x73, 0xd1, 0xdc, 0x36, 0x76, 0x5a, 0xaa, 0x75, 0x11, 0x4f, 0x9e, 0x39,
+	0x7b, 0xbe, 0xef, 0x5c, 0xe6, 0x9c, 0xcf, 0x70, 0x2f, 0xe5, 0x74, 0x45, 0xb8, 0x98, 0x8a, 0x0c,
+	0x73, 0x92, 0x4e, 0xc9, 0x15, 0x49, 0x4a, 0xc9, 0xf8, 0xb4, 0xe0, 0x4c, 0xb2, 0xea, 0x1a, 0xea,
+	0x2b, 0x7a, 0x3f, 0xc3, 0x22, 0xa3, 0x09, 0xe3, 0x45, 0x98, 0xb3, 0x25, 0x4e, 0xc3, 0x62, 0x51,
+	0xce, 0x69, 0x2e, 0xc2, 0x4d, 0xbf, 0xd1, 0x9d, 0x39, 0x63, 0xf3, 0x05, 0x31, 0x24, 0x17, 0xe5,
+	0x4f, 0x53, 0x49, 0x97, 0x44, 0x48, 0xbc, 0x2c, 0xac, 0xc3, 0xa7, 0x73, 0x2a, 0xb3, 0xf2, 0x22,
+	0x4c, 0xd8, 0x72, 0x5a, 0x71, 0x4e, 0x35, 0xe7, 0xd4, 0x72, 0x4e, 0x5d, 0x66, 0x26, 0x13, 0x73,
+	0x33, 0xf0, 0xe0, 0xf7, 0x26, 0x0c, 0x4e, 0x71, 0x99, 0x27, 0x59, 0x44, 0x7e, 0x2e, 0x89, 0x90,
+	0x68, 0x08, 0x8d, 0x64, 0x99, 0xfa, 0xde, 0xd8, 0x9b, 0x74, 0x23, 0x75, 0x44, 0x08, 0x76, 0x31,
+	0x9f, 0x0b, 0x7f, 0x67, 0xdc, 0x98, 0x74, 0x23, 0x7d, 0x46, 0x67, 0xd0, 0xe5, 0x44, 0xb0, 0x92,
+	0x27, 0x44, 0xf8, 0x8d, 0xb1, 0x37, 0xe9, 0x1d, 0x1d, 0x86, 0xff, 0x56, 0x93, 0x8d, 0x6f, 0x42,
+	0x86, 0x91, 0xc3, 0x45, 0xd7, 0x14, 0xe8, 0x0e, 0xf4, 0x84, 0x4c, 0x59, 0x29, 0xe3, 0x02, 0xcb,
+	0xcc, 0xdf, 0xd5, 0xd1, 0xc1, 0x98, 0xce, 0xb1, 0xcc, 0xac, 0x03, 0xe1, 0xdc, 0x38, 0x34, 0x2b,
+	0x07, 0xc2, 0xb9, 0x76, 0x18, 0x42, 0x83, 0xe4, 0x2b, 0xbf, 0xa5, 0x93, 0x54, 0x47, 0x95, 0x77,
+	0x29, 0x08, 0xf7, 0xdb, 0xda, 0x57, 0x9f, 0xd1, 0x6d, 0xe8, 0x48, 0x2c, 0x2e, 0xe3, 0x94, 0x72,
+	0xbf, 0xa3, 0xed, 0x6d, 0x75, 0x3f, 0xa1, 0x1c, 0xdd, 0x85, 0x7d, 0x97, 0x4f, 0xbc, 0xa0, 0x4b,
+	0x2a, 0x85, 0xdf, 0x1d, 0x7b, 0x93, 0x4e, 0xb4, 0xe7, 0xcc, 0xa7, 0xda, 0x8a, 0x0e, 0xe1, 0xed,
+	0x0b, 0x2c, 0x68, 0x12, 0x17, 0x9c, 0x25, 0x44, 0x88, 0x38, 0x99, 0x73, 0x56, 0x16, 0x3e, 0x68,
+	0x6f, 0xa4, 0xbf, 0x9d, 0x9b, 0x4f, 0xc7, 0xfa, 0x0b, 0x3a, 0x81, 0xd6, 0x92, 0x95, 0xb9, 0x14,
+	0x7e, 0x6f, 0xdc, 0x98, 0xf4, 0x8e, 0xee, 0xd5, 0x6c, 0xd5, 0x37, 0x0a, 0x14, 0x59, 0x2c, 0xfa,
+	0x0a, 0xda, 0x29, 0x59, 0x51, 0xd5, 0xf1, 0xbe, 0xa6, 0xf9, 0xa8, 0x26, 0xcd, 0x89, 0x46, 0x45,
+	0x0e, 0x8d, 0x32, 0x78, 0x2b, 0x27, 0xf2, 0x05, 0xe3, 0x97, 0x31, 0x15, 0x6c, 0x81, 0x25, 0x65,
+	0xb9, 0x3f, 0xd0, 0x8f, 0xf8, 0x49, 0x4d, 0xca, 0x33, 0x83, 0xff, 0xda, 0xc1, 0x67, 0x05, 0x49,
+	0xa2, 0x61, 0x7e, 0xc3, 0x8a, 0x02, 0x18, 0xe4, 0x2c, 0x2e, 0xe8, 0x8a, 0xc9, 0x98, 0x33, 0x26,
+	0xfd, 0x3d, 0xdd, 0xa3, 0x5e, 0xce, 0xce, 0x95, 0x2d, 0x62, 0x4c, 0x06, 0x3f, 0xc2, 0x9e, 0x9b,
+	0x40, 0x51, 0xb0, 0x5c, 0x10, 0x74, 0x06, 0x6d, 0xdb, 0x5a, 0x3d, 0x86, 0xbd, 0xa3, 0x07, 0x61,
+	0xbd, 0x75, 0x09, 0x6d, 0xdb, 0x67, 0x12, 0x4b, 0x12, 0x39, 0x92, 0x60, 0x00, 0xbd, 0xe7, 0x98,
+	0x4a, 0x3b, 0xe1, 0xc1, 0x0f, 0xd0, 0x37, 0xd7, 0xff, 0x29, 0xdc, 0x29, 0xec, 0xcf, 0xb2, 0x52,
+	0xa6, 0xec, 0x45, 0xee, 0x96, 0xea, 0x00, 0x5a, 0x82, 0xce, 0x73, 0xbc, 0xb0, 0x7b, 0x65, 0x6f,
+	0xe8, 0x3d, 0xe8, 0xcf, 0x39, 0x4e, 0x48, 0x5c, 0x10, 0x4e, 0x59, 0xea, 0xef, 0x8c, 0xbd, 0x49,
+	0x23, 0xea, 0x69, 0xdb, 0xb9, 0x36, 0x05, 0x08, 0x86, 0xd7, 0x6c, 0x26, 0xe3, 0x20, 0x83, 0x83,
+	0x6f, 0x8b, 0x54, 0x05, 0xad, 0x76, 0xc9, 0x06, 0xda, 0xd8, 0x4b, 0xef, 0x3f, 0xef, 0x65, 0x70,
+	0x1b, 0xde, 0x79, 0x29, 0x92, 0x4d, 0x62, 0x08, 0x7b, 0xdf, 0x11, 0x2e, 0x28, 0x73, 0x55, 0x06,
+	0x1f, 0xc2, 0x7e, 0x65, 0xb1, 0xbd, 0xf5, 0xa1, 0xbd, 0x32, 0x26, 0x5b, 0xb9, 0xbb, 0x06, 0x1f,
+	0x40, 0x5f, 0xf5, 0xad, 0xca, 0x7c, 0x04, 0x1d, 0x9a, 0x4b, 0xc2, 0x57, 0xb6, 0x49, 0x8d, 0xa8,
+	0xba, 0x07, 0xcf, 0x61, 0x60, 0x7d, 0x2d, 0xed, 0x97, 0xd0, 0x14, 0xca, 0xb0, 0x65, 0x89, 0xcf,
+	0xb0, 0xb8, 0x34, 0x44, 0x06, 0x1e, 0xdc, 0x85, 0xc1, 0x4c, 0xbf, 0xc4, 0xab, 0x1f, 0xaa, 0xe9,
+	0x1e, 0x4a, 0x15, 0xeb, 0x1c, 0x6d, 0xf9, 0x97, 0xd0, 0x7b, 0x7a, 0x45, 0x12, 0x07, 0x7c, 0x04,
+	0x9d, 0x94, 0xe0, 0x74, 0x41, 0x73, 0x62, 0x93, 0x1a, 0x85, 0x46, 0xbb, 0x43, 0xa7, 0xdd, 0xe1,
+	0x33, 0xa7, 0xdd, 0x51, 0xe5, 0xeb, 0xe4, 0x76, 0xe7, 0x65, 0xb9, 0x6d, 0x5c, 0xcb, 0x6d, 0x70,
+	0x0c, 0x7d, 0x13, 0xcc, 0xd6, 0x7f, 0x00, 0x2d, 0x56, 0xca, 0xa2, 0x94, 0x3a, 0x56, 0x3f, 0xb2,
+	0x37, 0xf4, 0x2e, 0x74, 0xc9, 0x15, 0x95, 0x71, 0xc2, 0x52, 0xa2, 0x39, 0x9b, 0x51, 0x47, 0x19,
+	0x8e, 0x59, 0x4a, 0x82, 0x3f, 0x3c, 0xe8, 0xaf, 0x4f, 0xac, 0x8a, 0x5d, 0xd0, 0xd4, 0x56, 0xaa,
+	0x8e, 0xaf, 0xc5, 0xaf, 0xf5, 0xa6, 0xb1, 0xde, 0x1b, 0x14, 0xc2, 0xae, 0xfa, 0x57, 0xd2, 0xa2,
+	0xfd, 0xfa, 0xb2, 0xb5, 0xdf, 0xd1, 0x5f, 0x5d, 0xe8, 0x3c, 0xb5, 0x8b, 0x84, 0x7e, 0x81, 0x96,
+	0xd9, 0x7e, 0xf4, 0xb0, 0xee, 0xd6, 0x6d, 0xfc, 0x5f, 0x8d, 0x1e, 0x6d, 0x0b, 0xb3, 0xef, 0x77,
+	0x0b, 0x09, 0xd8, 0x55, 0x3a, 0x80, 0xee, 0xd7, 0x65, 0x58, 0x13, 0x91, 0xd1, 0x83, 0xed, 0x40,
+	0x55, 0xd0, 0xdf, 0xa0, 0xe3, 0xd6, 0x19, 0x3d, 0xae, 0xcb, 0x71, 0x43, 0x4e, 0x46, 0x1f, 0x6f,
+	0x0f, 0xac, 0x12, 0xf8, 0xd3, 0x83, 0xfd, 0x1b, 0x2b, 0x8d, 0x3e, 0xab, 0xcb, 0xf7, 0x6a, 0xd5,
+	0x19, 0x3d, 0x79, 0x63, 0x7c, 0x95, 0xd6, 0xaf, 0xd0, 0xb6, 0xda, 0x81, 0x6a, 0xbf, 0xe8, 0xa6,
+	0xfc, 0x8c, 0x1e, 0x6f, 0x8d, 0xab, 0xa2, 0x5f, 0x41, 0x53, 0xeb, 0x02, 0xaa, 0xfd, 0xac, 0xeb,
+	0xda, 0x35, 0x7a, 0xb8, 0x25, 0xca, 0xc5, 0x3d, 0xf4, 0xd4, 0xfc, 0x1b, 0x61, 0xa9, 0x3f, 0xff,
+	0x1b, 0x8a, 0x55, 0x7f, 0xfe, 0x6f, 0xe8, 0x97, 0x9e, 0x7f, 0xb5, 0x86, 0xf5, 0xe7, 0x7f, 0x4d,
+	0xef, 0xea, 0xcf, 0xff, 0xba, 0x6e, 0x05, 0xb7, 0xd0, 0xdf, 0x1e, 0x0c, 0x94, 0x69, 0x26, 0x39,
+	0xc1, 0x4b, 0x9a, 0xcf, 0xd1, 0x93, 0x9a, 0xe2, 0xad, 0x50, 0x46, 0xc0, 0x2d, 0xd2, 0xa5, 0xf2,
+	0xf9, 0x9b, 0x13, 0xb8, 0xb4, 0x26, 0xde, 0xa1, 0xf7, 0x45, 0xfb, 0xfb, 0xa6, 0xd1, 0xac, 0x96,
+	0xfe, 0xb9, 0xff, 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xe4, 0xda, 0xad, 0xd5, 0xd3, 0x0b, 0x00,
+	0x00,
 }
--- a/drivers/shared/executor/proto/executor.proto
+++ b/drivers/shared/executor/proto/executor.proto
@ -31,6 +31,7 @@ message LaunchRequest {
    repeated hashicorp.nomad.plugins.drivers.proto.Mount mounts = 11;
    repeated hashicorp.nomad.plugins.drivers.proto.Device devices = 12;
    hashicorp.nomad.plugins.drivers.proto.NetworkIsolationSpec network_isolation = 13;
+    bool no_pivot_root = 14;
 }

 message LaunchResponse {
--- a/drivers/shared/executor/server.go
+++ b/drivers/shared/executor/server.go
@ -31,6 +31,7 @@ func (s *grpcExecutorServer) Launch(ctx context.Context, req *proto.LaunchReques
 		TaskDir:            req.TaskDir,
 		ResourceLimits:     req.ResourceLimits,
 		BasicProcessCgroup: req.BasicProcessCgroup,
+		NoPivotRoot:        req.NoPivotRoot,
 		Mounts:             drivers.MountsFromProto(req.Mounts),
 		Devices:            drivers.DevicesFromProto(req.Devices),
 		NetworkIsolation:   drivers.NetworkIsolationSpecFromProto(req.NetworkIsolation),
--- a/website/pages/docs/drivers/exec.mdx
+++ b/website/pages/docs/drivers/exec.mdx
@ -93,6 +93,12 @@ If you are receiving the error:
 and using the exec driver, check to ensure that you are running Nomad as root.
 This also applies for running Nomad in -dev mode.

+## Plugin Options
+
+* `no_pivot_root` - Defaults to `false`. When `true`, the driver uses `chroot`
+  for file system isolation without `pivot_root`. This is useful for systems
+  where the root is on a ramdisk.
+
 ## Client Attributes

 The `exec` driver will set the following client attributes: