Commit graph

1547 commits

Author SHA1 Message Date
Jasmine Dahilig ca4be6857e
deployment query rate limit (#10706) 2021-06-04 12:38:46 -07:00
Seth Hoenig 4c087efd59
Merge pull request #10702 from hashicorp/f-cc-constraints
consul/connect: use additional constraints in scheduling connect tasks
2021-06-04 08:11:21 -05:00
Tim Gross 8b2ecde5b4 csi: accept list of caps during validation in volume register
When `nomad volume create` was introduced in Nomad 1.1.0, we changed the
volume spec to take a list of capabilities rather than a single capability, to
meet the requirements of the CSI spec. When a volume is registered via `nomad
volume register`, we should be using the same fields to validate the volume
with the controller plugin.
2021-06-04 07:57:26 -04:00
Seth Hoenig d359eb6f3a consul/connect: use additional constraints in scheduling connect tasks
This PR adds two additional constraints on Connect sidecar and gateway tasks,
making sure Nomad schedules them only onto nodes where Connect is actually
enabled on the Consul agent.

Consul requires `connect.enabled = true` and `ports.grpc = <number>` to be
explicitly set on agent configuration before Connect APIs will work. Until
now, Nomad would only validate a minimum version of Consul, which would cause
confusion for users who try to run Connect tasks on nodes where Consul is not
yet sufficiently configured. These contstraints prevent job scheduling on nodes
where Connect is not actually use-able.

Closes #10700
2021-06-03 15:43:34 -05:00
Seth Hoenig 77702945e2
Merge branch 'main' into f-consul-fp 2021-06-03 15:14:02 -05:00
Seth Hoenig 549c68a922
Apply suggestions from code review
Co-authored-by: Tim Gross <tgross@hashicorp.com>
2021-06-03 15:12:23 -05:00
Tim Gross c01d661c98 csi: validate volume block has attachment_mode and access_mode
The `attachment_mode` and `access_mode` fields are required for CSI
volumes. The `mount_options` block is only allowed for CSI volumes.
2021-06-03 16:07:19 -04:00
Mahmood Ali 3226f70d7e
update changelog (#10701) 2021-06-03 14:54:39 -04:00
Seth Hoenig b9f04c0e88 docs: update cl 2021-06-03 12:58:16 -05:00
Tim Gross dbd493d26f docs: changelog entries for 1.1.1 and backports 2021-06-03 08:50:06 -04:00
Tim Gross 9e23884c16 docs: changelog entry for 10539 2021-05-25 09:57:22 -04:00
Luiz Aoqui c1ef539fa3
Display confirmation message on 'nomad volume delete' and 'nomad volume deregister' 2021-05-24 12:02:55 -04:00
Tim Gross 258352957a changelog: add missing GH link 2021-05-24 11:52:18 -04:00
Tim Gross 82fe7300e5
cli: improve wildcard namespace prefix matches (#10648)
When a wildcard namespace is used for `nomad job` commands that support prefix
matching, avoid asking the user for input if a prefix is an unambiguous exact
match so that the behavior is similar to the commands using a specific or
unset namespace.
2021-05-24 11:38:05 -04:00
Tim Gross 41d364ad81 docs: improve documentation for CSI create/register mount_options
Adds clarification to `nomad volume create` commands around how the `volume`
block in the jobspec overrides this behavior. Adds missing section to `nomad
volume register` and to example volume spec for both commands.
2021-05-24 11:13:58 -04:00
Szabolcs Gelencsér fc97bd6acf
events: fix slow client connection to empty event stream (#10637)
* events: fix slow client connection to empty event stream

* doc: fix changelog of event stream connection init
2021-05-21 13:17:07 -04:00
Mahmood Ali b518454bf8
cli: Handle nil MemoryMaxMB (#10620)
Handle when MemoryMaxMB is nil, as expected when a new 1.1.0 is hitting
a pre-1.1.0 Server.
2021-05-19 16:56:06 -04:00
Tim Gross ddde007b66 release 1.1.0: bump version and changelog info 2021-05-18 11:56:19 -04:00
Seth Hoenig 81c5b0dc25 docs: run changelogfmt 2021-05-18 09:15:55 -06:00
Seth Hoenig 591f0f0219 docs: minor wording tweaks + cl 2021-05-17 12:52:52 -06:00
Tim Gross 5a92e3fd5c fix missing changelog entries from backports 2021-05-17 10:04:22 -04:00
Seth Hoenig 1e75f99839 drivers/docker+exec+java: disable net_raw capability by default
The default Linux Capabilities set enabled by the docker, exec, and
java task drivers includes CAP_NET_RAW (for making ping just work),
which has the side affect of opening an ARP DoS/MiTM attack between
tasks using bridge networking on the same host network.

https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

This PR disables CAP_NET_RAW for the docker, exec, and java task
drivers. The previous behavior can be restored for docker using the
allow_caps docker plugin configuration option.

A future version of nomad will enable similar configurability for the
exec and java task drivers.
2021-05-12 13:22:09 -07:00
Drew Bailey a805cd8f52
check and return error from parsing var-files (#10569)
* check and return error from parsing var-files

* changelog entry for 1.1.0 and 1.0.5
2021-05-12 09:08:59 -04:00
Chris Baker 263ddd567c
Node Drain Metadata (#10250) 2021-05-07 13:58:40 -04:00
Tim Gross 1fdb4c1511 documentation for disable_default_tcp_check 2021-05-07 13:16:39 -04:00
Seth Hoenig 9f7c410087
Merge pull request #10492 from hashicorp/b-expose-diff
connect: use deterministic injected dynamic exposed port label
2021-05-03 09:00:34 -06:00
Seth Hoenig b024d85f48 connect: use deterministic injected dynamic exposed port
This PR uses the checksum of the check for which a dynamic exposed
port is being generated (instead of a UUID prefix) so that the
generated port label is deterministic.

This fixes 2 bugs:
 - 'job plan' output is now idempotent for jobs making use of injected ports
 - tasks will no longer be destructively updated when jobs making use of
   injected ports are re-run without changing any user specified part of
   job config.

Closes: https://github.com/hashicorp/nomad/issues/10099
2021-04-30 15:18:22 -06:00
Michael Schurter 68ca087bde docs: add #9895 to the changelog 2021-04-30 12:47:40 -07:00
Tim Gross bf2ab548b8 changelog: ensure all backports shown 2021-04-30 14:53:37 -04:00
Mahmood Ali 2e01d623b7 batch update changelog 2021-04-30 13:18:00 -04:00
Michael Schurter 547a718ef6
Merge pull request #10248 from hashicorp/f-remotetask-2021
core: propagate remote task handles
2021-04-30 08:57:26 -07:00
Luiz Aoqui 2949a40ddf
changelog: add entry for blocked eval metrics (#10475) 2021-04-29 15:32:30 -04:00
Michael Schurter 76e56254e1 docs: mention remote task drivers 2021-04-29 09:22:33 -07:00
Buck Doyle 1b1805e8d9
changelog: Add missed UI entries for 1.1 (#10467) 2021-04-29 09:11:06 -05:00
Buck Doyle b9f462fdc1
ui: Add optional memory max to task details ribbon (#10459)
This is the first step in #10268. If a maximum is not specified, the
task group sum uses the memory number instead. The maximum is only
shown when it’s higher than the memory sum.
2021-04-28 15:38:14 -05:00
Tim Gross 9e1d4981f0
docs: Enterprise licensing updates 2021-04-28 14:46:06 -04:00
Buck Doyle 6d037633da
ui: Change global search to use fuzzy search API (#10412)
This updates the UI to use the new fuzzy search API. It’s a drop-in
replacement so the / shortcut to jump to search is preserved, and
results can be cycled through and chosen via arrow keys and the
enter key.

It doesn’t use everything returned by the API:
* deployments and evaluations: these match by id, doesn’t seem like
  people would know those or benefit from quick navigation to them
* namespaces: doesn’t seem useful as they currently function
* scaling policies
* tasks: the response doesn’t include an allocation id, which means they
  can’t be navigated to in the UI without an additional query
* CSI volumes: aren’t actually returned by the API

Since there’s no API to check the server configuration and know whether
the feature has been disabled, this adds another query in
route:application#beforeModel that acts as feature detection: if the
attempt to query fails (500), the global search field is hidden.

Upon having added another query on load, I realised that beforeModel was
being triggered any time service:router#transitionTo was being called,
which happens upon navigating to a search result, for instance, because
of refreshModel being present on the region query parameter. This PR
adds a check for transition.queryParamsOnly and skips rerunning the
onload queries (token permissions check, license check, fuzzy search
feature detection).

Implementation notes:

* there are changes to unrelated tests to ignore the on-load feature
  detection query
* some lifecycle-related guards against undefined were required to
  address failures when navigating to an allocation
* the minimum search length of 2 characters is hard-coded as there’s
  currently no way to determine min_term_length in the UI
2021-04-28 13:31:05 -05:00
Seth Hoenig d76bcf0e12
Merge pull request #10457 from hashicorp/b-igce-wildcard
consul/connect: fix bug where ingress gateways could not use wildcard services
2021-04-27 14:41:47 -06:00
Seth Hoenig a7a37af94b
Merge pull request #10455 from hashicorp/b-cc-uppercase
consul/connect: check connect group and service names for uppercase characters
2021-04-27 14:40:31 -06:00
Seth Hoenig 865c7a5841 consul/connect: fix bug where ingress gateways could not use wildcard services
This PR fixes a bug where Nomad was more restrictive on Ingress Gateway Configuration
Entry definitions than Consul. Before, Nomad would not allow for declaring IGCEs with
http listeners with service name "*", which is a special feature allowable by Consul.

Note: to make http protocol work, a service-default must be defined setting the
protocol to http for each service.

Fixes: #9729
2021-04-27 13:42:26 -06:00
Seth Hoenig f47c6d34f7 consul/connect: check connect group and service names for uppercase characters
This PR adds job-submission validation that checks for the use of uppercase characters
in group and service names for services that make use of Consul Connect. This prevents
attempting to launch services that Consul will not validate correctly, which in turn
causes tasks to fail to launch in Nomad.

Underlying Consul issue: https://github.com/hashicorp/consul/issues/6765

Closes #7581 #10450
2021-04-27 11:26:37 -06:00
Seth Hoenig 238ac718f2 connect: use exp backoff when waiting on consul envoy bootstrap
This PR wraps the use of the consul envoy bootstrap command in
an expoenential backoff closure, configured to timeout after 60
seconds. This is an increase over the current behavior of making
3 attempts over 6 seconds.

Should help with #10451
2021-04-27 09:21:50 -06:00
Luiz Aoqui 2011e15d63
changelog: add entry for #10348 (#10349) 2021-04-23 11:25:31 -04:00
Charlie Voiselle 5d9e4fcf25
Add PR 10404 to CHANGELOG (#10415) 2021-04-20 14:01:22 -04:00
Seth Hoenig 4e6dbaaec1
Merge pull request #10184 from hashicorp/f-fuzzy-search
api: implement fuzzy search API
2021-04-20 09:06:40 -06:00
Buck Doyle 90ecbdf522
Add job version revert buttons (#10336)
This adds a Revert two-step button to the JobVersions component for
not-current versions, which redirects to the overview on success. It
checks the job version before and after reversion to mitigate the edge
case where reverting to an otherwise-identical version has no effect, as
discussed in #10337.

It uses existing facilities for handling other errors and disabling the
button when permissions are lacking.
2021-04-20 08:33:16 -05:00
Seth Hoenig 1ee8d5ffc5 api: implement fuzzy search API
This PR introduces the /v1/search/fuzzy API endpoint, used for fuzzy
searching objects in Nomad. The fuzzy search endpoint routes requests
to the Nomad Server leader, which implements the Search.FuzzySearch RPC
method.

Requests to the fuzzy search API are based on the api.FuzzySearchRequest
object, e.g.

{
  "Text": "ed",
  "Context": "all"
}

Responses from the fuzzy search API are based on the api.FuzzySearchResponse
object, e.g.

{
  "Index": 27,
  "KnownLeader": true,
  "LastContact": 0,
  "Matches": {
    "tasks": [
      {
        "ID": "redis",
        "Scope": [
          "default",
          "example",
          "cache"
        ]
      }
    ],
    "evals": [],
    "deployment": [],
    "volumes": [],
    "scaling_policy": [],
    "images": [
      {
        "ID": "redis:3.2",
        "Scope": [
          "default",
          "example",
          "cache",
          "redis"
        ]
      }
    ]
  },
  "Truncations": {
    "volumes": false,
    "scaling_policy": false,
    "evals": false,
    "deployment": false
  }
}

The API is tunable using the new server.search stanza, e.g.

server {
  search {
    fuzzy_enabled   = true
    limit_query     = 200
    limit_results   = 1000
    min_term_length = 5
  }
}

These values can be increased or decreased, so as to provide more
search results or to reduce load on the Nomad Server. The fuzzy search
API can be disabled entirely by setting `fuzzy_enabled` to `false`.
2021-04-16 16:36:07 -06:00
Tim Gross 0518552e4d docs: changelog and upgrade note for iptables improvement 2021-04-15 10:19:37 -04:00
Tim Gross d643823c50 changelog entries for networking improvements 2021-04-13 10:07:02 -04:00
Tim Gross 715460804a fixup changelog 2021-04-13 09:15:35 -04:00
Nick Spain 64508ce494 Update changelog to mention adding the 'body' field 2021-04-13 09:15:35 -04:00
Tim Gross b96744ba82 changelog entry for 'nomad ui -authenticate' 2021-04-12 11:01:20 -04:00
James Rasell 08c62a16b3 changelog: add entry for #10253 2021-04-12 10:35:33 -04:00
Tim Gross 0892d34ff9 CSI: capability block is required for volume registration 2021-04-08 13:02:24 -04:00
Chris Baker 90fc940e00 updated changelog 2021-04-06 20:27:12 +00:00
Chris Baker 6000d6cecd sdk: header map copy to avoid race condition in #10301 2021-04-06 18:06:27 +00:00
Seth Hoenig fe8fce00d9 consul: minor CR cleanup 2021-04-05 10:10:16 -06:00
Seth Hoenig f17ba33f61 consul: plubming for specifying consul namespace in job/group
This PR adds the common OSS changes for adding support for Consul Namespaces,
which is going to be a Nomad Enterprise feature. There is no new functionality
provided by this changeset and hopefully no new bugs.
2021-04-05 10:03:19 -06:00
Drew Bailey 6f97cbfc93
changelog entry for on_update configuration settings (#10299)
* changelog entry for on_update configuration settings

* Update CHANGELOG.md

Co-authored-by: Tim Gross <tgross@hashicorp.com>

Co-authored-by: Tim Gross <tgross@hashicorp.com>
2021-04-05 11:04:03 -04:00
Drew Bailey 4f378b7f41
license changelog (#10298) 2021-04-05 10:57:20 -04:00
Chris Baker 436d46bd19
Merge branch 'main' into f-node-drain-api 2021-04-01 15:22:57 -05:00
Tim Gross 4d30e1ce1a changelog: add section for backports from 1.1.0 to 1.0.5
* Fixed order
* Added missing changlog entry for GH-10145
* Fixed misclassified entry for GH-10158
2021-03-30 15:53:17 -04:00
Seth Hoenig 03ed2a8035
Merge pull request #10243 from apollo13/issue10239
Automatically populate `CONSUL_HTTP_ADDR` for connect native tasks in host networking mode.
2021-03-30 09:00:17 -05:00
Dave May ba4da7efca
debug: Remove extra linefeed in monitor.log (#10252) 2021-03-29 09:22:27 -04:00
Florian Apolloner b9b71e7ac5 Automatically populate CONSUL_HTTP_ADDR for connect native tasks in host networking mode. Fixes #10239 2021-03-28 14:34:31 +02:00
Chris Baker 0c590476fd t push
changelog for #10202
2021-03-23 20:33:56 +00:00
Mahmood Ali 24d7395bfc
Update changelog with v0.12.11 (#10214) 2021-03-23 08:28:44 -04:00
Tim Gross fa25e048b2
CSI: unique volume per allocation
Add a `PerAlloc` field to volume requests that directs the scheduler to test
feasibility for volumes with a source ID that includes the allocation index
suffix (ex. `[0]`), rather than the exact source ID.

Read the `PerAlloc` field when making the volume claim at the client to
determine if the allocation index suffix (ex. `[0]`) should be added to the
volume source ID.
2021-03-18 15:35:11 -04:00
Tim Gross 9b2b580d1a
CSI: remove prefix matching from CSIVolumeByID and fix CLI prefix matching (#10158)
Callers of `CSIVolumeByID` are generally assuming they should receive a single
volume. This potentially results in feasibility checking being performed
against the wrong volume if a volume's ID is a prefix substring of other
volume (for example: "test" and "testing").

Removing the incorrect prefix matching from `CSIVolumeByID` breaks prefix
matching in the command line client. Add the required elements for prefix
matching to the commands and API.
2021-03-18 14:32:40 -04:00
davemay99 76bb4351a6 CHANGELOG: Add missing 0.12.10 version 2021-03-15 08:35:03 -04:00
Florian Apolloner a0873d5da4
docker: support configuring default log driver in plugin options 2021-03-12 16:04:33 -05:00
Tim Gross 0e3264aa4f scheduler/csi: fix early return when multiple volumes are requested
When multiple CSI volumes are requested, the feasibility check could return
early for read/write volumes with free claims, even if a later volume in the
request was not feasible for any other reason (including not existing at
all). This can result in random failure to fail feasibility checking,
depending on how the map of volumes was being ordered at runtime.

Remove the early return from the feasibility check. Add a test to verify that
missing volumes in the map will cause a failure; this test will not catch a
regression every test run because of the random map ordering, but any failure
will be caught over the course of several CI runs.
2021-03-10 15:18:36 -05:00
James Rasell e9d81ace7b
Merge pull request #10140 from hashicorp/b-gh-10070
agent: return req error if prometheus metrics are disabled.
2021-03-10 17:11:39 +01:00
Tim Gross 2f343370fb changelog: fix position of entry 2021-03-09 10:47:13 -05:00
James Rasell f68cf1dfef
changelog: add entry for #10140 2021-03-09 15:29:25 +01:00
Dave May e93b49a119
debug: update defaults to commonly used values 2021-03-09 08:31:38 -05:00
Michael Schurter 15e3d61e59 client: fix task name logging 2021-03-08 09:15:02 -08:00
Tim Gross d983d79ec2 docs: changelog entry for extra docker labels 2021-03-08 09:06:53 -05:00
Buck Doyle 523d868f4c
Fix rendering of DAS interstitial components (#10094)
With the Ember update, when the will-destroy action is called
to check the element height, its height is already zero. That
seems strange but I didn’t look into it any further, as
using did-insert to store the element lets us check its height
before any other actions when a processing button is pressed.
2021-03-01 09:46:22 -06:00
Andre Ilhicas 30c840e88e
consul/connect: enable setting local_bind_address in upstream 2021-02-26 11:47:00 +00:00
Dave May cd506cb887
Handle Consul API URL protocol mismatch (#10082) 2021-02-25 08:22:44 -05:00
Seth Hoenig 194dc9ff4a docs: add two community PRs to changelog 2021-02-24 10:21:34 -06:00
Tim Gross 800c46de96 post-1.0.4 release prep 2021-02-24 09:56:53 -05:00
Seth Hoenig 24a1238e48
Merge pull request #10080 from hashicorp/b-gw-updated
consul/connect: correctly detect when connect tasks not updated
2021-02-23 15:28:53 -06:00
Seth Hoenig 4f759f1cc8 consul/connect: correctly detect when connect tasks not updated
This PR fixes a bug where tasks with Connect services could be
triggered to destructively update (i.e. placed in a new alloc)
when no update should be necessary.

Fixes #10077
2021-02-23 15:12:49 -06:00
Tim Gross 3352801ba7 changelog: fix link for GH-9937 2021-02-23 16:04:14 -05:00
Michael Lange 3f7d1b72b8 CHANGELOG entries for some 1.0.4 UI bug fixes 2021-02-23 09:45:15 -08:00
Tim Gross b764f52ab9
deploymentwatcher: reset progress deadline on promotion (#10042)
In a deployment with two groups (ex. A and B), if group A's canary becomes
healthy before group B's, the deadline for the overall deployment will be set
to that of group A. When the deployment is promoted, if group A is done it
will not contribute to the next deadline cutoff. Group B's old deadline will
be used instead, which will be in the past and immediately trigger a
deployment progress failure. Reset the progress deadline when the job is
promotion to avoid this bug, and to better conform with implicit user
expectations around how the progress deadline should interact with promotions.
2021-02-22 16:44:03 -05:00
Seth Hoenig d557d6bf94 consul/connect: Fix bug where connect sidecar services would be unnecessarily re-registered
This PR fixes a bug where sidecar services would be re-registered into Consul every ~30
seconds, caused by the parent service having its tags field set and the sidecar_service
tags unset. Nomad would directly compare the tags between its copy of the sidecar service
definition and the tags of the sidecar service reported by Consul. This does not work,
because Consul will under-the-hood set the sidecar service tags to inherit the parent
service tags if the sidecar service tags are unset. The comparison then done by Nomad
would not match, if the parent sidecar tags are set.

Fixes #10025
2021-02-22 12:02:58 -06:00
Buck Doyle ee564ff1ca
changelog: add entries for 1.0.4 (#10048) 2021-02-18 11:58:38 -06:00
Tim Gross a527d5f897 changelog: missing changelog items for 1.0.4 2021-02-18 11:35:42 -05:00
Drew Bailey b09655a8e3
update changelog (#10034)
* update changelog

* fix changelog order
2021-02-16 12:50:08 -05:00
Nick Ethier fcc1f4c805
Merge pull request #9946 from hashicorp/b-9477
structs: namespace port validation by host_network
2021-02-11 12:53:28 -05:00
Seth Hoenig 7d6e81e9e4
Merge pull request #9990 from hashicorp/f-nsiso-task
drivers/exec+java: Add task configuration to restore previous PID/IPC isolation behavior
2021-02-09 13:29:14 -06:00
Seth Hoenig 6d30783679 docs: fix egregious changelog ordering 2021-02-09 12:33:03 -06:00
Seth Hoenig 45e0e70a50 consul/connect: enable custom sidecars to use expose checks
This PR enables jobs configured with a custom sidecar_task to make
use of the `service.expose` feature for creating checks on services
in the service mesh. Before we would check that sidecar_task had not
been set (indicating that something other than envoy may be in use,
which would not support envoy's expose feature). However Consul has
not added support for anything other than envoy and probably never
will, so having the restriction in place seems like an unnecessary
hindrance. If Consul ever does support something other than Envoy,
they will likely find a way to provide the expose feature anyway.

Fixes #9854
2021-02-09 10:49:37 -06:00
Seth Hoenig 8ee9835923 drivers/exec+java: Add task configuration to restore previous PID/IPC isolation behavior
This PR adds pid_mode and ipc_mode options to the exec and java task
driver config options. By default these will defer to the default_pid_mode
and default_ipc_mode agent plugin options created in #9969. Setting
these values to "host" mode disables isolation for the task. Doing so
is not recommended, but may be necessary to support legacy job configurations.

Closes #9970
2021-02-08 14:26:35 -06:00
Nick Ethier b0a49ff37a
Update CHANGELOG.md 2021-02-08 14:14:39 -05:00
Seth Hoenig 4bc6e5a215 drivers/exec+java: Add configuration to restore previous PID/IPC namespace behavior.
This PR adds default_pid_mode and default_ipc_mode options to the exec and java
task drivers. By default these will default to "private" mode, enabling PID and
IPC isolation for tasks. Setting them to "host" mode disables isolation. Doing
so is not recommended, but may be necessary to support legacy job configurations.

Closes #9969
2021-02-05 15:52:11 -06:00
Nick Ethier eacc4da499
Merge branch 'master' into b-9477 2021-02-05 11:58:13 -05:00