Commit graph

14448 commits

Author SHA1 Message Date
Michael Lange 22ce6cfe36
Freestyle entry for the new multi-select-dropdown component 2019-04-10 10:34:10 -05:00
Omar Khawaja 72a5f3defc
Nomad TLS with Vault (#5454)
* navigation and initial steps of guide

* generate certs with appropriate token

* configure Nomad to use TLS

* add cli keys and certs

* add server gossip encryption section

* fix mislabeled steps

* vault paths formatting

* remove bit about cert revocation

* add clarification in challenge that we will be securing an existing Nomad cluster

* add some comments to consul-template.hcl to help user walk through it

* clarifying comments for CLI certs templates

* reorganize steps, change permissions on certs, and sub pkill command with systemctl reload nomad

* correct step reference

* add rpc upgrade mode instructions

* correct typo
2019-04-09 12:13:37 -04:00
Michael Schurter dd8b704554 website: remove RC note from download page 2019-04-09 09:12:07 -07:00
Michael Schurter 0304d999fa Bump website to 0.9.0 2019-04-09 09:04:41 -07:00
Michael Schurter 45b4827ad7 Bump to 0.9.1-dev 2019-04-09 09:01:48 -07:00
Michael Schurter cebf677177
Release v0.9.0 2019-04-09 08:51:37 -07:00
Nomad Release bot e307734e4a Generate files for 0.9.0 release 2019-04-09 01:56:00 +00:00
Mahmood Ali 4d1a117fc2 scripts: better prerelease extractor 2019-04-08 21:42:10 -04:00
Preetha ce251020e7
Merge pull request #5524 from hashicorp/docs-remove-beta-tag
Remove beta tags from 0.9 docs
2019-04-08 11:24:03 -05:00
Preetha 18e7b319fc
Merge pull request #5523 from hashicorp/upgrade_e2e
scripts for upgrade testing
2019-04-05 14:24:11 -05:00
Preetha Appan 10822ed811
Remove beta tags from 0.9 docs 2019-04-05 14:11:56 -05:00
Nick Ethier 551710edf1
Merge pull request #5521 from hashicorp/b-docker-image-https
drivers/docker: fix image name handling when prefixed with https://
2019-04-05 13:43:24 -04:00
Preetha Appan f0e2859c59
scripts for upgrade testing 2019-04-04 22:31:57 -05:00
Nick Ethier 4bbdb80b73
drivers/docker: fix image name handling when prefixed with https:// 2019-04-04 22:10:18 -04:00
Michael Schurter 99de5a0043 Bump download page to 0.9.0-rc2 2019-04-03 07:46:28 -07:00
Michael Schurter 3af602b633 Remove 0.9.0-rc2 generated files 2019-04-03 07:41:09 -07:00
Michael Schurter 8bb69597a8
Release v0.9.0-rc2 2019-04-03 07:27:45 -07:00
Nomad Release bot 16b4336ccf Generate files for 0.9.0-rc2 release 2019-04-03 01:54:29 +00:00
Preetha Appan 17d4e80c16
small tweaks to load test jobs to make them work in Nomad 0.8.7 2019-04-02 20:38:56 -05:00
Mahmood Ali cf254711c6
Merge pull request #5511 from hashicorp/b-executor-path-executable
This is a follow up work to https://github.com/hashicorp/nomad/pull/4813 to fix #4809 and fix a regression introduced in 0.9 in marking files in libcontainer executable.

#4809 bug is that `lookupBin` uses `exec.LookPath` when not inspecting task dir files.  `exec.LookPath` only returns a file if it's already marked as an executable path in https://github.com/golang/go/blob/go1.12.1/src/os/exec/lp_unix.go#L24-L27 .  This affects raw exec as if passed an absolute path to file, `lookupBin` returns an error if file isn't already an executable.  This explains why the error manifests when an absolute interpolated path is used (e.g. `${NOMAD_TASK_DIR}/hellov1`) but not when using a task rel dir (e.g. `local/hellov1`) in the above examples used in ticket.

PR #4813 remedied this problem for raw exec but inadvertently broke libcontainer executor, as it made `lookupBin` return the paths to host files rather than ones found inside chroot.

This PR reorders the evaluation, so we go back to 0.8 behavior of looking up task directories first, but then check for host paths before using `exec.LookPath`.

This PR is broken into three commits to illustrate evolution and confirming hypothesis:
1. 9adab75ac84b5c2a7b84702fae02c2484abb50ad : Adding a test illustrating how libcontainer executor fails at marking processes as executable in https://travis-ci.org/hashicorp/nomad/jobs/514942694 - note that the test doesn't depend on artifacts or interpolated paths
2. d441cdd52f68912e96dc7ee5baf2dcddb0ac8caa: reverting PR #4809 and showing the test fail now with raw_exec case (as expected) in https://travis-ci.org/hashicorp/nomad/jobs/514944065
3. 244544b735a8dbac0e14e7ee85e12a39780cbbb9: in where we add the check in appropriate place next to `exec.LookPath(...)` for absolute paths and have a green job in https://travis-ci.org/hashicorp/nomad/jobs/514945024

## Future work

Inspecting `lookupBin` in 0.8 and 0.9 case, we have a bug in using `exec.LookPath` for the libcontainer executor case.  We should be looking up paths based on the container chroot and container PATH rather than the host's.  However, this is not a 0.9.0 regression and was present in 0.8; so punting to fix it post 0.9.
2019-04-02 20:53:31 -04:00
Mahmood Ali 77a5edd3ae an alternative order 2019-04-02 20:00:54 -04:00
Mahmood Ali 334c6e9f5f try not without checking stat first 2019-04-02 19:55:44 -04:00
Mahmood Ali 17df86acda basic test for #4809 2019-04-02 19:50:35 -04:00
Michael Schurter 923cd91850
Merge pull request #5504 from hashicorp/b-exec-path
executor/linux: make chroot binary paths absolute
2019-04-02 14:09:50 -07:00
Michael Schurter 47bed4316f executor/linux: comment this bizarre code 2019-04-02 11:25:45 -07:00
Michael Schurter 1d569a27dc Revert "executor/linux: add defensive checks to binary path"
This reverts commit cb36f4537e63d53b198c2a87d1e03880895631bd.
2019-04-02 11:17:12 -07:00
Michael Schurter 18f68b0a82
Merge pull request #5503 from hashicorp/docs-nomad-oss-debug
Mention nomad-oss-debug in issue template
2019-04-02 10:08:07 -07:00
Michael Schurter ebaaf5e212 Mention nomad-oss-debug in issue template
Also reordered the sections to put the logs at the end.
2019-04-02 10:07:06 -07:00
Michael Schurter 77f99fc49c
Merge pull request #5510 from hashicorp/b-docker-stats
docker: fix send after close panic in stats
2019-04-02 10:01:28 -07:00
Michael Schurter fc5487dbbc executor/linux: add defensive checks to binary path 2019-04-02 09:40:53 -07:00
Michael Schurter ff639f9ccc docker: improve stats names and comments 2019-04-02 09:18:38 -07:00
Mahmood Ali e2723399f3
Update drivers/docker/stats.go comment
Co-Authored-By: schmichael <michael.schurter@gmail.com>
2019-04-02 09:09:17 -07:00
Michael Schurter df3467a6ce docker: fix send after close panic in stats
destCh was being written to by one goroutine and closed by another
goroutine. This panic occurred in Travis:

```
=== FAIL: drivers/docker TestDockerCoordinator_ConcurrentPulls (117.66s)
=== PAUSE TestDockerCoordinator_ConcurrentPulls
=== CONT  TestDockerCoordinator_ConcurrentPulls

panic: send on closed channel

goroutine 5358 [running]:
github.com/hashicorp/nomad/drivers/docker.dockerStatsCollector(0xc0003a4a20, 0xc0003a49c0, 0x3b9aca00)
	/home/travis/gopath/src/github.com/hashicorp/nomad/drivers/docker/stats.go:108 +0x167

created by
github.com/hashicorp/nomad/drivers/docker.TestDriver_DockerStatsCollector
	/home/travis/gopath/src/github.com/hashicorp/nomad/drivers/docker/stats_test.go:33 +0x1ab
```

The 2 ways to fix this kind of error are to either (1) add extra
coordination around multiple goroutines writing to a chan or (2) make it
so only one goroutine writes to a chan.

I implemented (2) first as it's simpler, but @notnoop pointed out since
the same destCh is reused in the stats loop there's now a double close
panic possible!

So this implements (1) by adding a *usageSender struct for handling
concurrent senders and closing.
2019-04-02 08:28:08 -07:00
Mahmood Ali dcc6ad7eda
Merge pull request #5508 from hashicorp/d-docker-force-pull-latest
document force_pull and :latest tag interaction
2019-04-02 09:37:55 -04:00
Mahmood Ali accf290d74 document force_pull and :latest tag interaction 2019-04-02 08:48:34 -04:00
Preetha Appan 19b4bb7ec3
added cpu/disk/memory stress jobs for e2e tests 2019-04-01 22:28:18 -05:00
Michael Schurter 7d49bc4c71 executor/linux: make chroot binary paths absolute
Avoid libcontainer.Process trying to lookup the binary via $PATH as the
executor has already found where the binary is located.
2019-04-01 15:45:31 -07:00
Mahmood Ali c16b7ac316
Merge pull request #5499 from hashicorp/r-fifo-plain-file
fifo: Use plain fifo file in Unix
2019-04-01 17:23:11 -04:00
Mahmood Ali cb16ad7e3f comment configureTLogging 2019-04-01 16:52:58 -04:00
Mahmood Ali 81f4f07ed7 rename fifo methods for clarity 2019-04-01 16:52:58 -04:00
Mahmood Ali e87afe465b clarify closeDone blocking and field name 2019-04-01 16:10:34 -04:00
Preetha Appan 007d771174
Added nginx to e2e test 2019-04-01 14:52:58 -05:00
Mahmood Ali 9d647713c0 no requires in a test goroutine 2019-04-01 15:38:39 -04:00
Michael Lange 6d016ed5f0
Merge pull request #5496 from hashicorp/b-ui/reattach-resources-to-stats-trackers
UI: Reattach resources to stats trackers in the event they were destroyed
2019-04-01 11:31:28 -07:00
Mahmood Ali 88dc4a255a avoid opening files just to close them 2019-04-01 13:24:18 -04:00
Mahmood Ali dac2cd3df3 Add test cases for waiting on children
Also, make the test use files just like in the non-test case.
2019-04-01 13:24:18 -04:00
Mahmood Ali 2b1f858e1b log when fifo fails to open 2019-04-01 13:18:03 -04:00
Mahmood Ali 54209489ef run fifo tests on Windows 2019-04-01 13:18:03 -04:00
Mahmood Ali 967452a3f0 fifo: Use plain fifo file in Unix
This PR switches to using plain fifo files instead of golang structs
managed by containerd/fifo library.

The library's main benefit is management of opening fifo files.  In Linux,
a reader `open()` request would block until a writer opens the file (and
vice-versa).  The library uses goroutines so that it's the first IO
operation that blocks.

This benefit isn't really useful for us: Given that logmon simply
streams output in a separate process, blocking of opening or first read
is effectively the same.

The library additionally makes further complications for managing state
and tracking read/write permission that seems overhead for our use,
compared to using a file directly.

Looking here, I made the following incidental changes:
* document that we do handle if fifo files are already created, as we
rely on that behavior for logmon restarts
* use type system to lock read vs write: currently, fifo library returns
`io.ReadWriteCloser` even if fifo is opened for writing only!
2019-04-01 13:18:03 -04:00
Mahmood Ali b1666e6c8a
Merge pull request #5497 from hashicorp/b-exec-cpu-stats
exec: report cpu usage summary stat
2019-04-01 12:37:01 -04:00