diff --git a/.changelog/16375.txt b/.changelog/16375.txt
new file mode 100644
index 000000000..be9d3a5c2
--- /dev/null
+++ b/.changelog/16375.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+client: Fixed a bug where artifact downloading failed on hardened nodes
+```
diff --git a/client/allocrunner/taskrunner/getter/util_linux.go b/client/allocrunner/taskrunner/getter/util_linux.go
index 7e854b773..092b8b59d 100644
--- a/client/allocrunner/taskrunner/getter/util_linux.go
+++ b/client/allocrunner/taskrunner/getter/util_linux.go
@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"syscall"
 
-	"github.com/hashicorp/nomad/helper/users"
 	"github.com/shoenig/go-landlock"
 )
 
@@ -37,16 +36,10 @@ func attributes() *syscall.SysProcAttr {
 }
 
 // credentials returns the UID and GID of the user the child process
-// will run as. On Linux systems this will be the nobody user if Nomad
-// is being run as the root user, or the user Nomad is being run as
-// otherwise.
+// will run as - for now this is always the same user the Nomad agent is
+// running as.
 func credentials() (uint32, uint32) {
-	switch userUID {
-	case 0:
-		return users.NobodyIDs()
-	default:
-		return userUID, userGID
-	}
+	return userUID, userGID
 }
 
 // defaultEnvironment is the default minimal environment variables for Linux.
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index a19c5a5e1..36950cf91 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
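Review bot: The rewritten comment on `credentials` says only "for now", and leaves no in-code record of why the root-to-nobody demotion was removed or of the consequence that a root-run agent now spawns the download child as root; the next reader of this Linux-specific file is likely to reintroduce the switch. The constraint belongs in the doc comment rather than only in the upgrade notes, e.g. `// Demoting to a different user (e.g. nobody) is not compatible with the directory layout required by the hardening guide, so the child inherits the agent's UID/GID even when that is root; filesystem containment for the download relies on the landlock rules in this package.` It would also help to state explicitly that callers must treat a returned UID of 0 as "runs as root" so any later re-hardening has a clear hook. userUID and userGID are declared outside the hunk, so whether they are populated before credentials() is first called cannot be confirmed from here, and if the non-Linux variant now has an identical body the build-tagged duplicate could presumably be consolidated.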
@@ -13,6 +13,22 @@ upgrade. However, specific versions of Nomad may have more details provided for their upgrades as a result of new features or changed behavior. This page is used to document those details separately from the standard upgrade flow. +## Nomad 1.5.1 + +#### Artifact Download Regression Fix + +Nomad 1.5.1 reverts a behavior of 1.5.0 where artifact downloads were executed +as the `nobody` user on compatible Linux systems. This was done optimistically +as defense against compromised artifact endpoints attempting to exploit the +Nomad Client or tools it uses to perform downloads such as git or mercurial. +Unfortunately running the child process as any user other than root is not +compatible with the advice given in Nomad's [security hardening guide][hard_guide] +which calls for a specific directory tree structure making such operation impossible. + +Other changes to artifact downloading remain - they are executed as a child +process of the Nomad agent, and on modern Linux systems make use of the Kernel +landlock feature to restrict filesystem access from that process. + ## Nomad 1.5.0 #### Pause Container Reconciliation Regression @@ -1691,3 +1707,4 @@ deleted and then Nomad 0.3.0 can be launched. [decompression_size_limit]: /nomad/docs/configuration/client#decompression_size_limit [artifact_env]: /nomad/docs/configuration/client#set_environment_variables [dangling_container_reconciliation]: /nomad/docs/drivers/docker#enabled +[hard_guide]: /nomad/docs/install/production/requirements#hardening-nomad