client: disable running artifact downloader as nobody (#16375)

* client: disable running artifact downloader as nobody

This PR reverts a change from Nomad 1.5 where artifact downloads were
executed as the nobody user on Linux systems. This was done as an attempt
to improve the security model of artifact downloading where third party
tools such as git or mercurial would be run as the root user with all
the security implications thereof.

However, doing so conflicts with Nomad's own advice for securing the
Client data directory - which when setup with the recommended directory
permissions structure prevents artifact downloads from working as intended.

Artifact downloads are at least still now executed as a child process of
the Nomad agent, and on modern Linux systems make use of the kernel Landlock
feature for limiting filesystem access of the child process.

* docs: update upgrade guide for 1.5.1 sandboxing

* docs: add cl

* docs: add title to upgrade guide fix
This commit is contained in:
Seth Hoenig 2023-03-08 15:58:43 -06:00 committed by GitHub
parent 2b5efeac04
commit ff4503aac6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 10 deletions

3
.changelog/16375.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
client: Fixed a bug where artifact downloading failed on hardened nodes
```

View File

@ -7,7 +7,6 @@ import (
"path/filepath"
"syscall"
"github.com/hashicorp/nomad/helper/users"
"github.com/shoenig/go-landlock"
)
@ -37,17 +36,11 @@ func attributes() *syscall.SysProcAttr {
}
// credentials returns the UID and GID of the user the child process
// will run as. On Linux systems this will be the nobody user if Nomad
// is being run as the root user, or the user Nomad is being run as
// otherwise.
// will run as - for now this is always the same user the Nomad agent is
// running as.
func credentials() (uint32, uint32) {
switch userUID {
case 0:
return users.NobodyIDs()
default:
return userUID, userGID
}
}
// defaultEnvironment is the default minimal environment variables for Linux.
func defaultEnvironment(taskDir string) map[string]string {

View File

@ -13,6 +13,22 @@ upgrade. However, specific versions of Nomad may have more details provided for
their upgrades as a result of new features or changed behavior. This page is
used to document those details separately from the standard upgrade flow.
## Nomad 1.5.1
#### Artifact Download Regression Fix
Nomad 1.5.1 reverts a behavior of 1.5.0 where artifact downloads were executed
as the `nobody` user on compatible Linux systems. This was done optimistically
as defense against compromised artifact endpoints attempting to exploit the
Nomad Client or tools it uses to perform downloads such as git or mercurial.
Unfortunately running the child process as any user other than root is not
compatible with the advice given in Nomad's [security hardening guide][hard_guide]
which calls for a specific directory tree structure making such operation impossible.
Other changes to artifact downloading remain - they are executed as a child
process of the Nomad agent, and on modern Linux systems make use of the Kernel
landlock feature to restrict filesystem access from that process.
## Nomad 1.5.0
#### Pause Container Reconciliation Regression
@ -1691,3 +1707,4 @@ deleted and then Nomad 0.3.0 can be launched.
[decompression_size_limit]: /nomad/docs/configuration/client#decompression_size_limit
[artifact_env]: /nomad/docs/configuration/client#set_environment_variables
[dangling_container_reconciliation]: /nomad/docs/drivers/docker#enabled
[hard_guide]: /nomad/docs/install/production/requirements#hardening-nomad