diff --git a/drivers/exec/driver.go b/drivers/exec/driver.go index 6c0bf7c99..8d8b46e23 100644 --- a/drivers/exec/driver.go +++ b/drivers/exec/driver.go @@ -59,7 +59,12 @@ var ( } // configSpec is the hcl specification returned by the ConfigSchema RPC - configSpec = hclspec.NewObject(map[string]*hclspec.Spec{}) + configSpec = hclspec.NewObject(map[string]*hclspec.Spec{ + "no_pivot_root": hclspec.NewDefault( + hclspec.NewAttr("no_pivot_root", "bool", false), + hclspec.NewLiteral("false"), + ), + }) // taskConfigSpec is the hcl specification for the driver config section of // a task within a job. It is returned in the TaskConfigSchema RPC @@ -88,6 +93,9 @@ type Driver struct { // event can be broadcast to all callers eventer *eventer.Eventer + // config is the driver configuration set by the SetConfig RPC + config Config + // nomadConfig is the client config from nomad nomadConfig *base.ClientDriverConfig @@ -111,6 +119,13 @@ type Driver struct { fingerprintLock sync.Mutex } +// Config is the driver configuration set by the SetConfig RPC call +type Config struct { + // NoPivotRoot disables the use of pivot_root, useful when the root partition + // is on ramdisk + NoPivotRoot bool `codec:"no_pivot_root"` +} + // TaskConfig is the driver configuration of a task within a job type TaskConfig struct { Command string `codec:"command"` @@ -171,6 +186,14 @@ func (d *Driver) ConfigSchema() (*hclspec.Spec, error) { } func (d *Driver) SetConfig(cfg *base.Config) error { + var config Config + if len(cfg.PluginConfig) != 0 { + if err := base.MsgPackDecode(cfg.PluginConfig, &config); err != nil { + return err + } + } + + d.config = config if cfg != nil && cfg.AgentConfig != nil { d.nomadConfig = cfg.AgentConfig.Driver } 
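Review bot: The comment on `Config.NoPivotRoot` (hunk at -111,6 +119,13) presents the flag only as a ramdisk convenience and omits that it weakens filesystem isolation. With pivot_root skipped, confinement rests on chroot alone, which is generally a weaker boundary for a task that runs as root or keeps CAP_SYS_CHROOT, so operators should see that trade-off where the option is defined. I would extend the comment to `// NoPivotRoot disables pivot_root and falls back to chroot-only isolation, a weaker boundary; enable it only when the root filesystem is a ramdisk.` The same caveat is missing from the `ExecCommand.NoPivotRoot` comment in executor.go and from the comment above the `cfg.NoPivotRoot` assignment in executor_linux.go.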
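Review bot: The added decode block in `SetConfig` reads `cfg.PluginConfig` before the existing `cfg != nil` guard a few lines below, so a nil `cfg` would now panic instead of being tolerated as the older code intends. Guard the new block the same way, `if cfg != nil && len(cfg.PluginConfig) != 0 {`. The remainder of SetConfig lies outside the hunk, so whether callers can actually pass nil cannot be confirmed from here.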
@@ -352,6 +375,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive Env: cfg.EnvList(), User: user, ResourceLimits: true, + NoPivotRoot: d.config.NoPivotRoot, Resources: cfg.Resources, TaskDir: cfg.TaskDir().Dir, StdoutPath: cfg.StdoutPath, diff --git a/drivers/exec/driver_test.go b/drivers/exec/driver_test.go index 747fac647..de1138e32 100644 --- a/drivers/exec/driver_test.go +++ b/drivers/exec/driver_test.go @@ -22,6 +22,7 @@ import ( "github.com/hashicorp/nomad/helper/testtask" "github.com/hashicorp/nomad/helper/uuid" "github.com/hashicorp/nomad/nomad/structs" + basePlug "github.com/hashicorp/nomad/plugins/base" "github.com/hashicorp/nomad/plugins/drivers" dtestutil "github.com/hashicorp/nomad/plugins/drivers/testutils" "github.com/hashicorp/nomad/testutil" @@ -671,3 +672,36 @@ config { require.EqualValues(t, expected, tc) } + +func TestExecDriver_NoPivotRoot(t *testing.T) { + t.Parallel() + require := require.New(t) + ctestutils.ExecCompatible(t) + + d := NewExecDriver(testlog.HCLogger(t)) + harness := dtestutil.NewDriverHarness(t, d) + + config := &Config{NoPivotRoot: true} + var data []byte + require.NoError(basePlug.MsgPackEncode(&data, config)) + bconfig := &basePlug.Config{PluginConfig: data} + require.NoError(harness.SetConfig(bconfig)) + + task := &drivers.TaskConfig{ + ID: uuid.Generate(), + Name: "sleep", + Resources: testResources, + } + cleanup := harness.MkAllocDir(task, false) + defer cleanup() + + tc := &TaskConfig{ + Command: "/bin/sleep", + Args: []string{"100"}, + } + require.NoError(task.EncodeConcreteDriverConfig(&tc)) + + handle, _, err := harness.StartTask(task) + require.NoError(err) + require.NotNil(handle) +} diff --git a/drivers/shared/executor/client.go b/drivers/shared/executor/client.go index 057518e1f..8271e008e 100644 --- a/drivers/shared/executor/client.go +++ b/drivers/shared/executor/client.go 
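Review bot: `TestExecDriver_NoPivotRoot` asserts only that `StartTask` succeeds with the option set, so it would still pass if `NoPivotRoot` were dropped anywhere between `SetConfig` and `configureIsolation`. A check that the value actually reaches the isolation config, for example a unit test on `configureIsolation` asserting `cfg.NoPivotRoot` is true, would pin the security-relevant behaviour. The test also starts `/bin/sleep 100` and never stops it. Only the alloc dir is cleaned up, so adding `defer harness.DestroyTask(task.ID, true)` after the start would avoid leaving the process behind.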
@@ -41,6 +41,7 @@ func (c *grpcExecutorClient) Launch(cmd *ExecCommand) (*ProcessState, error) { TaskDir: cmd.TaskDir, ResourceLimits: cmd.ResourceLimits, BasicProcessCgroup: cmd.BasicProcessCgroup, + NoPivotRoot: cmd.NoPivotRoot, Mounts: drivers.MountsToProto(cmd.Mounts), Devices: drivers.DevicesToProto(cmd.Devices), NetworkIsolation: drivers.NetworkIsolationSpecToProto(cmd.NetworkIsolation), diff --git a/drivers/shared/executor/executor.go b/drivers/shared/executor/executor.go index 84c6f8225..15a41bbce 100644 --- a/drivers/shared/executor/executor.go +++ b/drivers/shared/executor/executor.go @@ -121,6 +121,11 @@ type ExecCommand struct { // Using the cgroup does allow more precise cleanup of processes. BasicProcessCgroup bool + // NoPivotRoot disables using pivot_root for isolation, useful when the root + // partition is on a ramdisk which does not support pivot_root, + // see man 2 pivot_root + NoPivotRoot bool + // Mounts are the host paths to be be made available inside rootfs Mounts []*drivers.MountConfig diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go index 7a9c55b8a..77f133a81 100644 --- a/drivers/shared/executor/executor_linux.go +++ b/drivers/shared/executor/executor_linux.go @@ -573,6 +573,9 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error { // set the new root directory for the container cfg.Rootfs = command.TaskDir + // disable pivot_root if set in the driver's configuration + cfg.NoPivotRoot = command.NoPivotRoot + // launch with mount namespace cfg.Namespaces = lconfigs.Namespaces{ {Type: lconfigs.NEWNS}, diff --git a/drivers/shared/executor/proto/executor.pb.go b/drivers/shared/executor/proto/executor.pb.go index d9a1f15a3..544a36800 100644 --- a/drivers/shared/executor/proto/executor.pb.go +++ b/drivers/shared/executor/proto/executor.pb.go 
@@ -39,6 +39,7 @@ type LaunchRequest struct { Mounts []*proto1.Mount `protobuf:"bytes,11,rep,name=mounts,proto3" json:"mounts,omitempty"` Devices []*proto1.Device `protobuf:"bytes,12,rep,name=devices,proto3" json:"devices,omitempty"` NetworkIsolation *proto1.NetworkIsolationSpec `protobuf:"bytes,13,opt,name=network_isolation,json=networkIsolation,proto3" json:"network_isolation,omitempty"` + NoPivotRoot bool `protobuf:"varint,14,opt,name=no_pivot_root,json=noPivotRoot,proto3" json:"no_pivot_root,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -48,7 +49,7 @@ func (m *LaunchRequest) Reset() { *m = LaunchRequest{} } func (m *LaunchRequest) String() string { return proto.CompactTextString(m) } func (*LaunchRequest) ProtoMessage() {} func (*LaunchRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{0} + return fileDescriptor_executor_cd718424b22c7ed3, []int{0} } func (m *LaunchRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_LaunchRequest.Unmarshal(m, b) @@ -159,6 +160,13 @@ func (m *LaunchRequest) GetNetworkIsolation() *proto1.NetworkIsolationSpec { return nil } +func (m *LaunchRequest) GetNoPivotRoot() bool { + if m != nil { + return m.NoPivotRoot + } + return false +} + type LaunchResponse struct { Process *ProcessState `protobuf:"bytes,1,opt,name=process,proto3" json:"process,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -170,7 +178,7 @@ func (m *LaunchResponse) Reset() { *m = LaunchResponse{} } func (m *LaunchResponse) String() string { return proto.CompactTextString(m) } func (*LaunchResponse) ProtoMessage() {} func (*LaunchResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{1} + return fileDescriptor_executor_cd718424b22c7ed3, []int{1} } func (m *LaunchResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_LaunchResponse.Unmarshal(m, b) 
@@ -207,7 +215,7 @@ func (m *WaitRequest) Reset() { *m = WaitRequest{} } func (m *WaitRequest) String() string { return proto.CompactTextString(m) } func (*WaitRequest) ProtoMessage() {} func (*WaitRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{2} + return fileDescriptor_executor_cd718424b22c7ed3, []int{2} } func (m *WaitRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_WaitRequest.Unmarshal(m, b) @@ -238,7 +246,7 @@ func (m *WaitResponse) Reset() { *m = WaitResponse{} } func (m *WaitResponse) String() string { return proto.CompactTextString(m) } func (*WaitResponse) ProtoMessage() {} func (*WaitResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{3} + return fileDescriptor_executor_cd718424b22c7ed3, []int{3} } func (m *WaitResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_WaitResponse.Unmarshal(m, b) @@ -277,7 +285,7 @@ func (m *ShutdownRequest) Reset() { *m = ShutdownRequest{} } func (m *ShutdownRequest) String() string { return proto.CompactTextString(m) } func (*ShutdownRequest) ProtoMessage() {} func (*ShutdownRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{4} + return fileDescriptor_executor_cd718424b22c7ed3, []int{4} } func (m *ShutdownRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ShutdownRequest.Unmarshal(m, b) @@ -321,7 +329,7 @@ func (m *ShutdownResponse) Reset() { *m = ShutdownResponse{} } func (m *ShutdownResponse) String() string { return proto.CompactTextString(m) } func (*ShutdownResponse) ProtoMessage() {} func (*ShutdownResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{5} + return fileDescriptor_executor_cd718424b22c7ed3, []int{5} } func (m *ShutdownResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ShutdownResponse.Unmarshal(m, b) 
@@ -352,7 +360,7 @@ func (m *UpdateResourcesRequest) Reset() { *m = UpdateResourcesRequest{} func (m *UpdateResourcesRequest) String() string { return proto.CompactTextString(m) } func (*UpdateResourcesRequest) ProtoMessage() {} func (*UpdateResourcesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{6} + return fileDescriptor_executor_cd718424b22c7ed3, []int{6} } func (m *UpdateResourcesRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_UpdateResourcesRequest.Unmarshal(m, b) @@ -389,7 +397,7 @@ func (m *UpdateResourcesResponse) Reset() { *m = UpdateResourcesResponse func (m *UpdateResourcesResponse) String() string { return proto.CompactTextString(m) } func (*UpdateResourcesResponse) ProtoMessage() {} func (*UpdateResourcesResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{7} + return fileDescriptor_executor_cd718424b22c7ed3, []int{7} } func (m *UpdateResourcesResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_UpdateResourcesResponse.Unmarshal(m, b) @@ -419,7 +427,7 @@ func (m *VersionRequest) Reset() { *m = VersionRequest{} } func (m *VersionRequest) String() string { return proto.CompactTextString(m) } func (*VersionRequest) ProtoMessage() {} func (*VersionRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{8} + return fileDescriptor_executor_cd718424b22c7ed3, []int{8} } func (m *VersionRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_VersionRequest.Unmarshal(m, b) 
@@ -450,7 +458,7 @@ func (m *VersionResponse) Reset() { *m = VersionResponse{} } func (m *VersionResponse) String() string { return proto.CompactTextString(m) } func (*VersionResponse) ProtoMessage() {} func (*VersionResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{9} + return fileDescriptor_executor_cd718424b22c7ed3, []int{9} } func (m *VersionResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_VersionResponse.Unmarshal(m, b) @@ -488,7 +496,7 @@ func (m *StatsRequest) Reset() { *m = StatsRequest{} } func (m *StatsRequest) String() string { return proto.CompactTextString(m) } func (*StatsRequest) ProtoMessage() {} func (*StatsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{10} + return fileDescriptor_executor_cd718424b22c7ed3, []int{10} } func (m *StatsRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StatsRequest.Unmarshal(m, b) @@ -526,7 +534,7 @@ func (m *StatsResponse) Reset() { *m = StatsResponse{} } func (m *StatsResponse) String() string { return proto.CompactTextString(m) } func (*StatsResponse) ProtoMessage() {} func (*StatsResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{11} + return fileDescriptor_executor_cd718424b22c7ed3, []int{11} } func (m *StatsResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StatsResponse.Unmarshal(m, b) @@ -564,7 +572,7 @@ func (m *SignalRequest) Reset() { *m = SignalRequest{} } func (m *SignalRequest) String() string { return proto.CompactTextString(m) } func (*SignalRequest) ProtoMessage() {} func (*SignalRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{12} + return fileDescriptor_executor_cd718424b22c7ed3, []int{12} } func (m *SignalRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SignalRequest.Unmarshal(m, b) 
@@ -601,7 +609,7 @@ func (m *SignalResponse) Reset() { *m = SignalResponse{} } func (m *SignalResponse) String() string { return proto.CompactTextString(m) } func (*SignalResponse) ProtoMessage() {} func (*SignalResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{13} + return fileDescriptor_executor_cd718424b22c7ed3, []int{13} } func (m *SignalResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SignalResponse.Unmarshal(m, b) @@ -634,7 +642,7 @@ func (m *ExecRequest) Reset() { *m = ExecRequest{} } func (m *ExecRequest) String() string { return proto.CompactTextString(m) } func (*ExecRequest) ProtoMessage() {} func (*ExecRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{14} + return fileDescriptor_executor_cd718424b22c7ed3, []int{14} } func (m *ExecRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ExecRequest.Unmarshal(m, b) @@ -687,7 +695,7 @@ func (m *ExecResponse) Reset() { *m = ExecResponse{} } func (m *ExecResponse) String() string { return proto.CompactTextString(m) } func (*ExecResponse) ProtoMessage() {} func (*ExecResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{15} + return fileDescriptor_executor_cd718424b22c7ed3, []int{15} } func (m *ExecResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ExecResponse.Unmarshal(m, b) @@ -735,7 +743,7 @@ func (m *ProcessState) Reset() { *m = ProcessState{} } func (m *ProcessState) String() string { return proto.CompactTextString(m) } func (*ProcessState) ProtoMessage() {} func (*ProcessState) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{16} + return fileDescriptor_executor_cd718424b22c7ed3, []int{16} } func (m *ProcessState) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ProcessState.Unmarshal(m, b) 
@@ -1200,69 +1208,71 @@ var _Executor_serviceDesc = grpc.ServiceDesc{ } func init() { - proto.RegisterFile("drivers/shared/executor/proto/executor.proto", fileDescriptor_executor_43dc81e71868eb7b) + proto.RegisterFile("drivers/shared/executor/proto/executor.proto", fileDescriptor_executor_cd718424b22c7ed3) } -var fileDescriptor_executor_43dc81e71868eb7b = []byte{ - // 955 bytes of a gzipped FileDescriptorProto +var fileDescriptor_executor_cd718424b22c7ed3 = []byte{ + // 977 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x5b, 0x6f, 0x1b, 0x45, 0x14, 0xee, 0xc6, 0xf1, 0xed, 0xd8, 0x4e, 0xcc, 0x08, 0x85, 0xad, 0x79, 0xa8, 0xd9, 0x07, 0x6a, 0x41, 0x59, 0x47, 0xe9, 0x0d, 0x09, 0x41, 0x11, 0x49, 0x41, 0x48, 0x21, 0x8a, 0xd6, 0x85, 0x4a, - 0x3c, 0x60, 0x26, 0xbb, 0xc3, 0xee, 0x28, 0xf6, 0xce, 0x32, 0x33, 0xeb, 0x06, 0x09, 0x89, 0x27, - 0xfe, 0x01, 0x48, 0xfc, 0x38, 0x7e, 0x0c, 0x9a, 0xdb, 0xc6, 0x4e, 0x4b, 0xb5, 0x2e, 0xe2, 0xc9, - 0x33, 0x67, 0xcf, 0xf7, 0x9d, 0xcb, 0x9c, 0xf3, 0x19, 0xee, 0x25, 0x9c, 0xae, 0x08, 0x17, 0x53, - 0x91, 0x61, 0x4e, 0x92, 0x29, 0xb9, 0x22, 0x71, 0x29, 0x19, 0x9f, 0x16, 0x9c, 0x49, 0x56, 0x5d, - 0x43, 0x7d, 0x45, 0xef, 0x67, 0x58, 0x64, 0x34, 0x66, 0xbc, 0x08, 0x73, 0xb6, 0xc4, 0x49, 0x58, - 0x2c, 0xca, 0x94, 0xe6, 0x22, 0xdc, 0xf4, 0x1b, 0xdd, 0x49, 0x19, 0x4b, 0x17, 0xc4, 0x90, 0x5c, - 0x94, 0x3f, 0x4d, 0x25, 0x5d, 0x12, 0x21, 0xf1, 0xb2, 0xb0, 0x0e, 0x9f, 0xa6, 0x54, 0x66, 0xe5, - 0x45, 0x18, 0xb3, 0xe5, 0xb4, 0xe2, 0x9c, 0x6a, 0xce, 0xa9, 0xe5, 0x9c, 0xba, 0xcc, 0x4c, 0x26, - 0xe6, 0x66, 0xe0, 0xc1, 0xdf, 0xbb, 0x30, 0x38, 0xc5, 0x65, 0x1e, 0x67, 0x11, 0xf9, 0xb9, 0x24, - 0x42, 0xa2, 0x21, 0x34, 0xe2, 0x65, 0xe2, 0x7b, 0x63, 0x6f, 0xd2, 0x8d, 0xd4, 0x11, 0x21, 0xd8, - 0xc5, 0x3c, 0x15, 0xfe, 0xce, 0xb8, 0x31, 0xe9, 0x46, 0xfa, 0x8c, 0xce, 0xa0, 0xcb, 0x89, 0x60, - 0x25, 0x8f, 0x89, 0xf0, 0x1b, 0x63, 0x6f, 0xd2, 0x3b, 0x3a, 0x0c, 0xff, 0xad, 0x26, 0x1b, 0xdf, - 0x84, 0x0c, 
0x23, 0x87, 0x8b, 0xae, 0x29, 0xd0, 0x1d, 0xe8, 0x09, 0x99, 0xb0, 0x52, 0xce, 0x0b, - 0x2c, 0x33, 0x7f, 0x57, 0x47, 0x07, 0x63, 0x3a, 0xc7, 0x32, 0xb3, 0x0e, 0x84, 0x73, 0xe3, 0xd0, - 0xac, 0x1c, 0x08, 0xe7, 0xda, 0x61, 0x08, 0x0d, 0x92, 0xaf, 0xfc, 0x96, 0x4e, 0x52, 0x1d, 0x55, - 0xde, 0xa5, 0x20, 0xdc, 0x6f, 0x6b, 0x5f, 0x7d, 0x46, 0xb7, 0xa1, 0x23, 0xb1, 0xb8, 0x9c, 0x27, - 0x94, 0xfb, 0x1d, 0x6d, 0x6f, 0xab, 0xfb, 0x09, 0xe5, 0xe8, 0x2e, 0xec, 0xbb, 0x7c, 0xe6, 0x0b, - 0xba, 0xa4, 0x52, 0xf8, 0xdd, 0xb1, 0x37, 0xe9, 0x44, 0x7b, 0xce, 0x7c, 0xaa, 0xad, 0xe8, 0x10, - 0xde, 0xbe, 0xc0, 0x82, 0xc6, 0xf3, 0x82, 0xb3, 0x98, 0x08, 0x31, 0x8f, 0x53, 0xce, 0xca, 0xc2, - 0x07, 0xed, 0x8d, 0xf4, 0xb7, 0x73, 0xf3, 0xe9, 0x58, 0x7f, 0x41, 0x27, 0xd0, 0x5a, 0xb2, 0x32, - 0x97, 0xc2, 0xef, 0x8d, 0x1b, 0x93, 0xde, 0xd1, 0xbd, 0x9a, 0xad, 0xfa, 0x46, 0x81, 0x22, 0x8b, - 0x45, 0x5f, 0x41, 0x3b, 0x21, 0x2b, 0xaa, 0x3a, 0xde, 0xd7, 0x34, 0x1f, 0xd5, 0xa4, 0x39, 0xd1, - 0xa8, 0xc8, 0xa1, 0x51, 0x06, 0x6f, 0xe5, 0x44, 0xbe, 0x60, 0xfc, 0x72, 0x4e, 0x05, 0x5b, 0x60, - 0x49, 0x59, 0xee, 0x0f, 0xf4, 0x23, 0x7e, 0x52, 0x93, 0xf2, 0xcc, 0xe0, 0xbf, 0x76, 0xf0, 0x59, - 0x41, 0xe2, 0x68, 0x98, 0xdf, 0xb0, 0x06, 0x3f, 0xc2, 0x9e, 0x9b, 0x2e, 0x51, 0xb0, 0x5c, 0x10, - 0x74, 0x06, 0x6d, 0xdb, 0x36, 0x3d, 0x62, 0xbd, 0xa3, 0x07, 0x61, 0xbd, 0x55, 0x08, 0x6d, 0x4b, - 0x67, 0x12, 0x4b, 0x12, 0x39, 0x92, 0x60, 0x00, 0xbd, 0xe7, 0x98, 0x4a, 0x3b, 0xbd, 0xc1, 0x0f, - 0xd0, 0x37, 0xd7, 0xff, 0x29, 0xdc, 0x29, 0xec, 0xcf, 0xb2, 0x52, 0x26, 0xec, 0x45, 0xee, 0x16, - 0xe6, 0x00, 0x5a, 0x82, 0xa6, 0x39, 0x5e, 0xd8, 0x9d, 0xb1, 0x37, 0xf4, 0x1e, 0xf4, 0x53, 0x8e, - 0x63, 0x32, 0x2f, 0x08, 0xa7, 0x2c, 0xf1, 0x77, 0xc6, 0xde, 0xa4, 0x11, 0xf5, 0xb4, 0xed, 0x5c, - 0x9b, 0x02, 0x04, 0xc3, 0x6b, 0x36, 0x93, 0x71, 0x90, 0xc1, 0xc1, 0xb7, 0x45, 0xa2, 0x82, 0x56, - 0x7b, 0x62, 0x03, 0x6d, 0xec, 0x9c, 0xf7, 0x9f, 0x77, 0x2e, 0xb8, 0x0d, 0xef, 0xbc, 0x14, 0xc9, - 0x26, 0x31, 0x84, 0xbd, 0xef, 0x08, 0x17, 0x94, 
0xb9, 0x2a, 0x83, 0x0f, 0x61, 0xbf, 0xb2, 0xd8, - 0xde, 0xfa, 0xd0, 0x5e, 0x19, 0x93, 0xad, 0xdc, 0x5d, 0x83, 0x0f, 0xa0, 0xaf, 0xfa, 0x56, 0x65, - 0x3e, 0x82, 0x0e, 0xcd, 0x25, 0xe1, 0x2b, 0xdb, 0xa4, 0x46, 0x54, 0xdd, 0x83, 0xe7, 0x30, 0xb0, - 0xbe, 0x96, 0xf6, 0x4b, 0x68, 0x0a, 0x65, 0xd8, 0xb2, 0xc4, 0x67, 0x58, 0x5c, 0x1a, 0x22, 0x03, - 0x0f, 0xee, 0xc2, 0x60, 0xa6, 0x5f, 0xe2, 0xd5, 0x0f, 0xd5, 0x74, 0x0f, 0xa5, 0x8a, 0x75, 0x8e, - 0xb6, 0xfc, 0x4b, 0xe8, 0x3d, 0xbd, 0x22, 0xb1, 0x03, 0x3e, 0x82, 0x4e, 0x42, 0x70, 0xb2, 0xa0, - 0x39, 0xb1, 0x49, 0x8d, 0x42, 0xa3, 0xcb, 0xa1, 0xd3, 0xe5, 0xf0, 0x99, 0xd3, 0xe5, 0xa8, 0xf2, - 0x75, 0x52, 0xba, 0xf3, 0xb2, 0x94, 0x36, 0xae, 0xa5, 0x34, 0x38, 0x86, 0xbe, 0x09, 0x66, 0xeb, - 0x3f, 0x80, 0x16, 0x2b, 0x65, 0x51, 0x4a, 0x1d, 0xab, 0x1f, 0xd9, 0x1b, 0x7a, 0x17, 0xba, 0xe4, - 0x8a, 0xca, 0x79, 0xcc, 0x12, 0xa2, 0x39, 0x9b, 0x51, 0x47, 0x19, 0x8e, 0x59, 0x42, 0x82, 0xdf, - 0x3d, 0xe8, 0xaf, 0x4f, 0xac, 0x8a, 0x5d, 0xd0, 0xc4, 0x56, 0xaa, 0x8e, 0xaf, 0xc5, 0xaf, 0xf5, - 0xa6, 0xb1, 0xde, 0x1b, 0x14, 0xc2, 0xae, 0xfa, 0xc7, 0xd1, 0x82, 0xfc, 0xfa, 0xb2, 0xb5, 0xdf, - 0xd1, 0x9f, 0x5d, 0xe8, 0x3c, 0xb5, 0x8b, 0x84, 0x7e, 0x81, 0x96, 0xd9, 0x7e, 0xf4, 0xb0, 0xee, - 0xd6, 0x6d, 0xfc, 0x17, 0x8d, 0x1e, 0x6d, 0x0b, 0xb3, 0xef, 0x77, 0x0b, 0x09, 0xd8, 0x55, 0x3a, - 0x80, 0xee, 0xd7, 0x65, 0x58, 0x13, 0x91, 0xd1, 0x83, 0xed, 0x40, 0x55, 0xd0, 0xdf, 0xa0, 0xe3, - 0xd6, 0x19, 0x3d, 0xae, 0xcb, 0x71, 0x43, 0x4e, 0x46, 0x1f, 0x6f, 0x0f, 0xac, 0x12, 0xf8, 0xc3, - 0x83, 0xfd, 0x1b, 0x2b, 0x8d, 0x3e, 0xab, 0xcb, 0xf7, 0x6a, 0xd5, 0x19, 0x3d, 0x79, 0x63, 0x7c, - 0x95, 0xd6, 0xaf, 0xd0, 0xb6, 0xda, 0x81, 0x6a, 0xbf, 0xe8, 0xa6, 0xfc, 0x8c, 0x1e, 0x6f, 0x8d, - 0xab, 0xa2, 0x5f, 0x41, 0x53, 0xeb, 0x02, 0xaa, 0xfd, 0xac, 0xeb, 0xda, 0x35, 0x7a, 0xb8, 0x25, - 0xca, 0xc5, 0x3d, 0xf4, 0xd4, 0xfc, 0x1b, 0x61, 0xa9, 0x3f, 0xff, 0x1b, 0x8a, 0x55, 0x7f, 0xfe, - 0x6f, 0xe8, 0x97, 0x9e, 0x7f, 0xb5, 0x86, 0xf5, 0xe7, 0x7f, 0x4d, 0xef, 0xea, 0xcf, 
0xff, 0xba, - 0x6e, 0x05, 0xb7, 0xd0, 0x5f, 0x1e, 0x0c, 0x94, 0x69, 0x26, 0x39, 0xc1, 0x4b, 0x9a, 0xa7, 0xe8, - 0x49, 0x4d, 0xf1, 0x56, 0x28, 0x23, 0xe0, 0x16, 0xe9, 0x52, 0xf9, 0xfc, 0xcd, 0x09, 0x5c, 0x5a, - 0x13, 0xef, 0xd0, 0xfb, 0xa2, 0xfd, 0x7d, 0xd3, 0x68, 0x56, 0x4b, 0xff, 0xdc, 0xff, 0x27, 0x00, - 0x00, 0xff, 0xff, 0xad, 0xfe, 0x69, 0xb2, 0xaf, 0x0b, 0x00, 0x00, + 0x3c, 0xb0, 0x4c, 0x76, 0x07, 0xef, 0x28, 0xf6, 0xce, 0x32, 0x33, 0xeb, 0x06, 0x09, 0x09, 0x5e, + 0xf8, 0x07, 0x20, 0xf1, 0x73, 0xd1, 0xdc, 0x36, 0x76, 0x5a, 0xaa, 0x75, 0x11, 0x4f, 0x9e, 0x39, + 0x7b, 0xbe, 0xef, 0x5c, 0xe6, 0x9c, 0xcf, 0x70, 0x2f, 0xe5, 0x74, 0x45, 0xb8, 0x98, 0x8a, 0x0c, + 0x73, 0x92, 0x4e, 0xc9, 0x15, 0x49, 0x4a, 0xc9, 0xf8, 0xb4, 0xe0, 0x4c, 0xb2, 0xea, 0x1a, 0xea, + 0x2b, 0x7a, 0x3f, 0xc3, 0x22, 0xa3, 0x09, 0xe3, 0x45, 0x98, 0xb3, 0x25, 0x4e, 0xc3, 0x62, 0x51, + 0xce, 0x69, 0x2e, 0xc2, 0x4d, 0xbf, 0xd1, 0x9d, 0x39, 0x63, 0xf3, 0x05, 0x31, 0x24, 0x17, 0xe5, + 0x4f, 0x53, 0x49, 0x97, 0x44, 0x48, 0xbc, 0x2c, 0xac, 0xc3, 0xa7, 0x73, 0x2a, 0xb3, 0xf2, 0x22, + 0x4c, 0xd8, 0x72, 0x5a, 0x71, 0x4e, 0x35, 0xe7, 0xd4, 0x72, 0x4e, 0x5d, 0x66, 0x26, 0x13, 0x73, + 0x33, 0xf0, 0xe0, 0xf7, 0x26, 0x0c, 0x4e, 0x71, 0x99, 0x27, 0x59, 0x44, 0x7e, 0x2e, 0x89, 0x90, + 0x68, 0x08, 0x8d, 0x64, 0x99, 0xfa, 0xde, 0xd8, 0x9b, 0x74, 0x23, 0x75, 0x44, 0x08, 0x76, 0x31, + 0x9f, 0x0b, 0x7f, 0x67, 0xdc, 0x98, 0x74, 0x23, 0x7d, 0x46, 0x67, 0xd0, 0xe5, 0x44, 0xb0, 0x92, + 0x27, 0x44, 0xf8, 0x8d, 0xb1, 0x37, 0xe9, 0x1d, 0x1d, 0x86, 0xff, 0x56, 0x93, 0x8d, 0x6f, 0x42, + 0x86, 0x91, 0xc3, 0x45, 0xd7, 0x14, 0xe8, 0x0e, 0xf4, 0x84, 0x4c, 0x59, 0x29, 0xe3, 0x02, 0xcb, + 0xcc, 0xdf, 0xd5, 0xd1, 0xc1, 0x98, 0xce, 0xb1, 0xcc, 0xac, 0x03, 0xe1, 0xdc, 0x38, 0x34, 0x2b, + 0x07, 0xc2, 0xb9, 0x76, 0x18, 0x42, 0x83, 0xe4, 0x2b, 0xbf, 0xa5, 0x93, 0x54, 0x47, 0x95, 0x77, + 0x29, 0x08, 0xf7, 0xdb, 0xda, 0x57, 0x9f, 0xd1, 0x6d, 0xe8, 0x48, 0x2c, 0x2e, 0xe3, 0x94, 0x72, + 0xbf, 0xa3, 0xed, 0x6d, 0x75, 0x3f, 0xa1, 0x1c, 0xdd, 
0x85, 0x7d, 0x97, 0x4f, 0xbc, 0xa0, 0x4b, + 0x2a, 0x85, 0xdf, 0x1d, 0x7b, 0x93, 0x4e, 0xb4, 0xe7, 0xcc, 0xa7, 0xda, 0x8a, 0x0e, 0xe1, 0xed, + 0x0b, 0x2c, 0x68, 0x12, 0x17, 0x9c, 0x25, 0x44, 0x88, 0x38, 0x99, 0x73, 0x56, 0x16, 0x3e, 0x68, + 0x6f, 0xa4, 0xbf, 0x9d, 0x9b, 0x4f, 0xc7, 0xfa, 0x0b, 0x3a, 0x81, 0xd6, 0x92, 0x95, 0xb9, 0x14, + 0x7e, 0x6f, 0xdc, 0x98, 0xf4, 0x8e, 0xee, 0xd5, 0x6c, 0xd5, 0x37, 0x0a, 0x14, 0x59, 0x2c, 0xfa, + 0x0a, 0xda, 0x29, 0x59, 0x51, 0xd5, 0xf1, 0xbe, 0xa6, 0xf9, 0xa8, 0x26, 0xcd, 0x89, 0x46, 0x45, + 0x0e, 0x8d, 0x32, 0x78, 0x2b, 0x27, 0xf2, 0x05, 0xe3, 0x97, 0x31, 0x15, 0x6c, 0x81, 0x25, 0x65, + 0xb9, 0x3f, 0xd0, 0x8f, 0xf8, 0x49, 0x4d, 0xca, 0x33, 0x83, 0xff, 0xda, 0xc1, 0x67, 0x05, 0x49, + 0xa2, 0x61, 0x7e, 0xc3, 0x8a, 0x02, 0x18, 0xe4, 0x2c, 0x2e, 0xe8, 0x8a, 0xc9, 0x98, 0x33, 0x26, + 0xfd, 0x3d, 0xdd, 0xa3, 0x5e, 0xce, 0xce, 0x95, 0x2d, 0x62, 0x4c, 0x06, 0x3f, 0xc2, 0x9e, 0x9b, + 0x40, 0x51, 0xb0, 0x5c, 0x10, 0x74, 0x06, 0x6d, 0xdb, 0x5a, 0x3d, 0x86, 0xbd, 0xa3, 0x07, 0x61, + 0xbd, 0x75, 0x09, 0x6d, 0xdb, 0x67, 0x12, 0x4b, 0x12, 0x39, 0x92, 0x60, 0x00, 0xbd, 0xe7, 0x98, + 0x4a, 0x3b, 0xe1, 0xc1, 0x0f, 0xd0, 0x37, 0xd7, 0xff, 0x29, 0xdc, 0x29, 0xec, 0xcf, 0xb2, 0x52, + 0xa6, 0xec, 0x45, 0xee, 0x96, 0xea, 0x00, 0x5a, 0x82, 0xce, 0x73, 0xbc, 0xb0, 0x7b, 0x65, 0x6f, + 0xe8, 0x3d, 0xe8, 0xcf, 0x39, 0x4e, 0x48, 0x5c, 0x10, 0x4e, 0x59, 0xea, 0xef, 0x8c, 0xbd, 0x49, + 0x23, 0xea, 0x69, 0xdb, 0xb9, 0x36, 0x05, 0x08, 0x86, 0xd7, 0x6c, 0x26, 0xe3, 0x20, 0x83, 0x83, + 0x6f, 0x8b, 0x54, 0x05, 0xad, 0x76, 0xc9, 0x06, 0xda, 0xd8, 0x4b, 0xef, 0x3f, 0xef, 0x65, 0x70, + 0x1b, 0xde, 0x79, 0x29, 0x92, 0x4d, 0x62, 0x08, 0x7b, 0xdf, 0x11, 0x2e, 0x28, 0x73, 0x55, 0x06, + 0x1f, 0xc2, 0x7e, 0x65, 0xb1, 0xbd, 0xf5, 0xa1, 0xbd, 0x32, 0x26, 0x5b, 0xb9, 0xbb, 0x06, 0x1f, + 0x40, 0x5f, 0xf5, 0xad, 0xca, 0x7c, 0x04, 0x1d, 0x9a, 0x4b, 0xc2, 0x57, 0xb6, 0x49, 0x8d, 0xa8, + 0xba, 0x07, 0xcf, 0x61, 0x60, 0x7d, 0x2d, 0xed, 0x97, 0xd0, 0x14, 0xca, 0xb0, 0x65, 0x89, 
0xcf, + 0xb0, 0xb8, 0x34, 0x44, 0x06, 0x1e, 0xdc, 0x85, 0xc1, 0x4c, 0xbf, 0xc4, 0xab, 0x1f, 0xaa, 0xe9, + 0x1e, 0x4a, 0x15, 0xeb, 0x1c, 0x6d, 0xf9, 0x97, 0xd0, 0x7b, 0x7a, 0x45, 0x12, 0x07, 0x7c, 0x04, + 0x9d, 0x94, 0xe0, 0x74, 0x41, 0x73, 0x62, 0x93, 0x1a, 0x85, 0x46, 0xbb, 0x43, 0xa7, 0xdd, 0xe1, + 0x33, 0xa7, 0xdd, 0x51, 0xe5, 0xeb, 0xe4, 0x76, 0xe7, 0x65, 0xb9, 0x6d, 0x5c, 0xcb, 0x6d, 0x70, + 0x0c, 0x7d, 0x13, 0xcc, 0xd6, 0x7f, 0x00, 0x2d, 0x56, 0xca, 0xa2, 0x94, 0x3a, 0x56, 0x3f, 0xb2, + 0x37, 0xf4, 0x2e, 0x74, 0xc9, 0x15, 0x95, 0x71, 0xc2, 0x52, 0xa2, 0x39, 0x9b, 0x51, 0x47, 0x19, + 0x8e, 0x59, 0x4a, 0x82, 0x3f, 0x3c, 0xe8, 0xaf, 0x4f, 0xac, 0x8a, 0x5d, 0xd0, 0xd4, 0x56, 0xaa, + 0x8e, 0xaf, 0xc5, 0xaf, 0xf5, 0xa6, 0xb1, 0xde, 0x1b, 0x14, 0xc2, 0xae, 0xfa, 0x57, 0xd2, 0xa2, + 0xfd, 0xfa, 0xb2, 0xb5, 0xdf, 0xd1, 0x5f, 0x5d, 0xe8, 0x3c, 0xb5, 0x8b, 0x84, 0x7e, 0x81, 0x96, + 0xd9, 0x7e, 0xf4, 0xb0, 0xee, 0xd6, 0x6d, 0xfc, 0x5f, 0x8d, 0x1e, 0x6d, 0x0b, 0xb3, 0xef, 0x77, + 0x0b, 0x09, 0xd8, 0x55, 0x3a, 0x80, 0xee, 0xd7, 0x65, 0x58, 0x13, 0x91, 0xd1, 0x83, 0xed, 0x40, + 0x55, 0xd0, 0xdf, 0xa0, 0xe3, 0xd6, 0x19, 0x3d, 0xae, 0xcb, 0x71, 0x43, 0x4e, 0x46, 0x1f, 0x6f, + 0x0f, 0xac, 0x12, 0xf8, 0xd3, 0x83, 0xfd, 0x1b, 0x2b, 0x8d, 0x3e, 0xab, 0xcb, 0xf7, 0x6a, 0xd5, + 0x19, 0x3d, 0x79, 0x63, 0x7c, 0x95, 0xd6, 0xaf, 0xd0, 0xb6, 0xda, 0x81, 0x6a, 0xbf, 0xe8, 0xa6, + 0xfc, 0x8c, 0x1e, 0x6f, 0x8d, 0xab, 0xa2, 0x5f, 0x41, 0x53, 0xeb, 0x02, 0xaa, 0xfd, 0xac, 0xeb, + 0xda, 0x35, 0x7a, 0xb8, 0x25, 0xca, 0xc5, 0x3d, 0xf4, 0xd4, 0xfc, 0x1b, 0x61, 0xa9, 0x3f, 0xff, + 0x1b, 0x8a, 0x55, 0x7f, 0xfe, 0x6f, 0xe8, 0x97, 0x9e, 0x7f, 0xb5, 0x86, 0xf5, 0xe7, 0x7f, 0x4d, + 0xef, 0xea, 0xcf, 0xff, 0xba, 0x6e, 0x05, 0xb7, 0xd0, 0xdf, 0x1e, 0x0c, 0x94, 0x69, 0x26, 0x39, + 0xc1, 0x4b, 0x9a, 0xcf, 0xd1, 0x93, 0x9a, 0xe2, 0xad, 0x50, 0x46, 0xc0, 0x2d, 0xd2, 0xa5, 0xf2, + 0xf9, 0x9b, 0x13, 0xb8, 0xb4, 0x26, 0xde, 0xa1, 0xf7, 0x45, 0xfb, 0xfb, 0xa6, 0xd1, 0xac, 0x96, + 0xfe, 0xb9, 0xff, 0x4f, 0x00, 
0x00, 0x00, 0xff, 0xff, 0xe4, 0xda, 0xad, 0xd5, 0xd3, 0x0b, 0x00, + 0x00, } diff --git a/drivers/shared/executor/proto/executor.proto b/drivers/shared/executor/proto/executor.proto index 06bc1ff91..3a1f79a46 100644 --- a/drivers/shared/executor/proto/executor.proto +++ b/drivers/shared/executor/proto/executor.proto @@ -31,6 +31,7 @@ message LaunchRequest { repeated hashicorp.nomad.plugins.drivers.proto.Mount mounts = 11; repeated hashicorp.nomad.plugins.drivers.proto.Device devices = 12; hashicorp.nomad.plugins.drivers.proto.NetworkIsolationSpec network_isolation = 13; + bool no_pivot_root = 14; } message LaunchResponse { diff --git a/drivers/shared/executor/server.go b/drivers/shared/executor/server.go index 2b7f8e0e7..eb1edc838 100644 --- a/drivers/shared/executor/server.go +++ b/drivers/shared/executor/server.go @@ -31,6 +31,7 @@ func (s *grpcExecutorServer) Launch(ctx context.Context, req *proto.LaunchReques TaskDir: req.TaskDir, ResourceLimits: req.ResourceLimits, BasicProcessCgroup: req.BasicProcessCgroup, + NoPivotRoot: req.NoPivotRoot, Mounts: drivers.MountsFromProto(req.Mounts), Devices: drivers.DevicesFromProto(req.Devices), NetworkIsolation: drivers.NetworkIsolationSpecFromProto(req.NetworkIsolation), diff --git a/website/pages/docs/drivers/exec.mdx b/website/pages/docs/drivers/exec.mdx index d33ca71e9..cb2e6f7a6 100644 --- a/website/pages/docs/drivers/exec.mdx +++ b/website/pages/docs/drivers/exec.mdx @@ -93,6 +93,12 @@ If you are receiving the error: and using the exec driver, check to ensure that you are running Nomad as root. This also applies for running Nomad in -dev mode. +## Plugin Options + +* `no_pivot_root` - Defaults to `false`. When `true`, the driver uses `chroot` + for file system isolation without `pivot_root`. This is useful for systems + where the root is on a ramdisk. + ## Client Attributes The `exec` driver will set the following client attributes: