* Changelog and lintfix
* Changelog removed
* Forbidden state on individual variables
* CanRead checked on variable path links
* Mirage fixture with lesser secure variables access, temporary fix for * namespaces
* Read flow acceptance tests
* Unit tests for variable.canRead
* lintfix
* TODO squashed, thanks Jai
* explicitly link mirage fixture vars to jobs via namespace
* Typofix; delete to read
* Linking the original alloc
* Percy snapshots uniquely named
* Guarantee that the alloc we depend on has tasks within it
* Logging variables
* Trying to skip delete
* Now without create flow either
* Dedicated cluster fixture for testing variables
* Disambiguate percy calls

This commit includes the new state schema for ACL roles along with
state interaction functions for CRUD actions.
The change also includes snapshot persist and restore
functionality and the addition of FSM messages for Raft updates
which will come via RPC endpoints.
* Check against all your policies' namespaces' secvars' paths' capabilities to see if you can list vars
* Changelog and lintfix
* Unit tests for list-vars
* Removed unused computed dep
* Changelog removed

The QEMU driver can take an optional `graceful_shutdown` configuration
which will create a Unix socket to send an ACPI shutdown signal to the VM.
Unix sockets have a hard length limit and the driver implementation
assumed that QEMU versions 2.10.1 were able to handle longer paths. This
is not correct; the linked QEMU fix only changed the behaviour from
silently truncating longer socket paths to throwing an error.
By validating the socket path before starting the QEMU machine we can
provide users a more actionable and meaningful error message, and by
using a shorter socket file name we leave a bit more room for
user-defined values in the path, such as the task name.
The maximum length allowed is also platform-dependent, so validation
needs to be different for each OS.
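
A per-OS socket path check of the kind this commit message describes, as an added example that is not code from the Nomad repository. It assumes the `sun_path` sizes of 108 bytes on Linux and 104 bytes on macOS and the BSDs; the `qm.sock` file name and the sample directory layout are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// sunPathSize is the size in bytes of sockaddr_un.sun_path per OS:
// 108 on Linux, 104 on macOS and the BSDs.
var sunPathSize = map[string]int{
	"linux": 108, "darwin": 104, "freebsd": 104, "netbsd": 104, "openbsd": 104,
}

// maxSocketPathLen returns the longest usable socket path for goos,
// keeping one byte of sun_path for the terminating NUL.
func maxSocketPathLen(goos string) (int, bool) {
	size, ok := sunPathSize[goos]
	return size - 1, ok
}

// validateSocketPath rejects a path that would not fit, before any VM is
// started, and says how many bytes must be trimmed. An OS without a known
// limit is reported rather than guessed.
func validateSocketPath(path, goos string) error {
	max, ok := maxSocketPathLen(goos)
	if !ok {
		return fmt.Errorf("no known Unix socket path limit for %q", goos)
	}
	if n := len(path); n > max { // len counts bytes, as the kernel does
		return fmt.Errorf("socket path is %d bytes, %d over the %d-byte limit on %s: %s",
			n, n-max, max, goos, path)
	}
	return nil
}

func main() {
	// Constructed sample: a 36-character allocation ID, a long task name,
	// and a hypothetical short socket file name (qm.sock).
	path := "/var/lib/nomad/data/alloc/" + strings.Repeat("a", 36) +
		"/windows-build-agent-vm-image-2022/qm.sock"
	for _, goos := range []string{"linux", "darwin", "windows"} {
		fmt.Printf("%-8s %v\n", goos, validateSocketPath(path, goos))
	}
}
```
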

UID/GID 0 is usually reserved for the root user/group. While Nomad
clients are expected to run as root it may not always be the case.
Setting these values as -1 if not defined will fall back to the previous
behaviour of not attempting to set file ownership and use whatever
UID/GID the Nomad agent is running as. It will also keep backwards
compatibility, which is especially important for platforms where this
feature is not supported, like Windows.

When a QEMU task is recovered the monitor socket path was not being
restored into the task handler, so the `graceful_shutdown` configuration
was effectively ignored if the client restarted.

This PR enables setting of the headers block on services registered
into Nomad's service provider. Works just like the existing support
in Consul checks.
### Description
Pattern matching was [recently added](https://github.com/hashicorp/crt-orchestrator/pull/51) so that teams no longer have to explicitly list every branch that should trigger the CRT pipeline. This simplifies release preparation: any time a new release branch is created, it will produce releasable artifacts and exercise the full pipeline.
### Testing & Reproduction steps
This has been tested in multiple projects since being rolled out. There are no nomad-specific tests that need to be done.
### Links
PR where this functionality was added: https://github.com/hashicorp/crt-orchestrator/pull/51
### PR Checklist
* [ ] updated test coverage
* [ ] external facing docs updated
* [X] not a security concern

This PR hopefully fixes a race condition of our little test TCP server
that the check observer is making connections against for test cases.
The TCP listener would either start up too slowly or exit too soon.