Commit Graph

24873 Commits

Author SHA1 Message Date
hc-github-team-nomad-core 609a97cfab Generate files for 1.6.0 release 2023-07-18 18:51:11 +00:00
Tim Gross e8bfef8148 search: fix ACL filtering for plugins and variables
ACL permissions for the search endpoints are done in three passes. The
first (the `sufficientSearchPerms` method) is for performance and coarsely
rejects requests based on the passed-in context parameter if the user has no
permissions to any object in that context. The second (the
`filteredSearchContexts` method) filters out contexts based on whether the user
has permissions either to the requested namespace or again by context (to catch
the "all" context). Finally, when iterating over the objects available, we do
the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the
  variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we
don't consider to be privileged information but intended to protect anyways.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st
and 2nd pass ACL filters, and changes variables to check `variable:list` in the
2nd pass filter unless the wildcard namespace is passed (at which point we'll
fallback to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
2023-07-18 12:09:55 -04:00
Luiz Aoqui ac90c6f008 acl: fix parsing of policies with blocks w/o label
An ACL policy with a block without label generates unexpected results.
For example, a policy such as this:

```
namespace {
  policy = "read"
}
```

Is applied to a namespace called `policy` instead of the documented
behaviour of applying it to the `default` namespace.

This happens because of the way HCL1 decodes blocks. Since it doesn't
know if a block is expected to have a label it applies the `key` tag to
the content of the block and, in the example above, the first key is
`policy`, so it sets that as the `namespace` block label.

Since this happens internally in the HCL decoder it's not possible to
detect the problem externally.

Fixing the problem inside the decoder is challenging because the JSON
and HCL parsers generate different ASTs that makes impossible to
differentiate between a JSON tree from an invalid HCL tree within the
decoder.

The fix in this commit consists of manually parsing the policy after
decoding to clear labels that were not set in the file. This allows the
validation rules to consistently catch and return any errors, no matter
if the policy is an invalid HCL or JSON.
2023-07-18 12:09:37 -04:00
Charlie Voiselle 58234bc243 redact token before passing to sentinel 2023-07-18 12:08:57 -04:00
hc-github-team-nomad-core c9ef870f96
backport of commit a9eecb457cef34ee856681a51af94fe0f6db4b21 (#17947)
This pull request was automerged via backport-assistant
2023-07-14 04:23:26 -05:00
hc-github-team-nomad-core 2f7892667f
backport of commit b75f9bd459700112cb31a329dc54ddeba46d749e (#17942)
This pull request was automerged via backport-assistant
2023-07-13 17:26:01 -05:00
hc-github-team-nomad-core 90a4579208
backport of commit 25a062650f38b682733fe51d886188a8d0504844 (#17922)
This pull request was automerged via backport-assistant
2023-07-12 10:17:45 -05:00
hc-github-team-nomad-core 9e31dec7ca
Backport of docs: add plugin docs for pledge task driver into release/1.6.x (#17919)
This pull request was automerged via backport-assistant
2023-07-12 10:16:57 -05:00
hc-github-team-nomad-core 048ca39403
backport of commit 0cb728ed68165888245cf8bc72e4dece5123ef4f (#17918)
This pull request was automerged via backport-assistant
2023-07-12 09:52:00 -05:00
Tim Gross 281f6e482e Merge branch 'release/1.6.0-rc.1' into release/1.6.x 2023-07-12 09:55:24 -04:00
hc-github-team-nomad-core 51eb8284c7
backport of commit 3d5bce76d00dff29c42c37bb20e38e4bf1d2187d (#17904)
This pull request was automerged via backport-assistant
2023-07-11 12:53:51 -05:00
hc-github-team-nomad-core df7bcf3ebc Prepare for next release 2023-07-11 15:19:58 +00:00
hc-github-team-nomad-core 1a1e1d5d4d Generate files for 1.6.0-rc.1 release 2023-07-11 15:19:54 +00:00
Tim Gross 6a9deaf7be Prepare release 1.6.0-rc.1 2023-07-11 11:09:18 -04:00
hc-github-team-nomad-core 0951fe1c50
backport of commit 0a5e90120b18ff450457463d6bcee68ec6804bb0 (#17900)
This pull request was automerged via backport-assistant
2023-07-11 10:00:05 -05:00
Kévin Dunglas 9f0f897077
docs: fix typo in regex_replace.mdx (#17891) 2023-07-11 14:03:40 +01:00
Lance Haig 0455389534
Add the ability to customise the details of the CA (#17309)
Co-authored-by: James Rasell <jrasell@users.noreply.github.com>
2023-07-11 08:53:09 +01:00
hashicorp-copywrite[bot] 2b85290d55
[COMPLIANCE] Add Copyright and License Headers (#17877)
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-07-11 07:48:11 +01:00
Michael Schurter c82f439a6d
remove empty file (#17853) 2023-07-10 16:34:10 -07:00
Michael Schurter 278fd44a8b
docs: v1.6.0 requires ipc_lock cap for mlock (#17881)
Fixes #17780
2023-07-10 11:53:07 -07:00
Tim Gross ad7355e58b
CSI: persist previous mounts on client to restore during restart (#17840)
When claiming a CSI volume, we need to ensure the CSI node plugin is running
before we send any CSI RPCs. This extends even to the controller publish RPC
because it requires the storage provider's "external node ID" for the
client. This primarily impacts client restarts but also is a problem if the node
plugin exits (and fingerprints) while the allocation that needs a CSI volume
claim is being placed.

Unfortunately there's no mapping of volume to plugin ID available in the
jobspec, so we don't have enough information to wait on plugins until we either
get the volume from the server or retrieve the plugin ID from data we've
persisted on the client.

If we always require getting the volume from the server before making the claim,
a client restart for disconnected clients will cause all the allocations that
need CSI volumes to fail. Even while connected, checking in with the server to
verify the volume's plugin before trying to make a claim RPC is inherently racy,
so we'll leave that case as-is and it will fail the claim if the node plugin
needed to support a newly-placed allocation is flapping such that the node
fingerprint is changing.

This changeset persists a minimum subset of data about the volume and its plugin
in the client state DB, and retrieves that data during the CSI hook's prerun to
avoid re-claiming and remounting the volume unnecessarily.

This changeset also updates the RPC handler to use the external node ID from the
claim whenever it is available.

Fixes: #13028
2023-07-10 13:20:15 -04:00
Devashish Taneja 0d9dee3cbe
Include parent job ID as a Docker container label (#17843)
Fixes: #17751
2023-07-10 11:27:45 -04:00
Daniel Bennett 30b1b88332
ci: more self-hosted iops for checks workflow (#17852) 2023-07-10 10:21:04 -05:00
James Rasell 3bfec68556
docs: detail Consul ACL token env var config option. (#17859) 2023-07-10 14:26:18 +01:00
dependabot[bot] 771a96ee55
build(deps): bump github.com/hashicorp/cronexpr in /api (#17787) 2023-07-10 11:23:00 +01:00
James Rasell 5571890974
e2e: respect timeout value when waiting for allocs in v3. (#17800) 2023-07-10 09:47:10 +01:00
Tim Gross 5025731ebe
consul: handle "not found" errors from Consul when deleting tokens (#17847)
In Consul 1.15.0, the Delete Token API was changed so as to return an error when
deleting a non-existent ACL token. This means that if Nomad successfully deletes
the token but fails to persist that fact, it will get stuck trying to delete a
non-existent token forever.

Update the token deletion function to ignore "not found" errors and treat them
as successful deletions.

Fixes: #17833
2023-07-07 16:22:13 -04:00
Daniel Bennett 30a99926dc
ci: pull secrets from Vault in nomad-enterprise (#17841) 2023-07-07 14:27:12 -05:00
Seth Hoenig 4452f0623b
env/aws: updates from ec2info (#17835) 2023-07-07 10:12:05 -05:00
Daniel Bennett a3924db96c
ci: windows tests on public runners (#17829)
currently our self-hosted windows runners lack `docker`,
so for now just revert to public runners.
2023-07-06 17:06:55 -05:00
Yorick Gersie 3e66291b0e
cni: ensure to setup CNI addresses in deterministic order (#17766)
* cni: ensure to setup CNI addresses in deterministic order

  Currently as commented in the code the go-cni library returns an unordered map
  of interfaces. In cases where there are multiple CNI interfaces being created this
  creates a problem with service registration and healthchecking because the first
  address in the map is being used.

  The use case we have where this is an issue is that we run CNI with the macvlan
  plugin to isolate workloads, but they still need to be able to access the host on
  a static address to be able to perform local resolving and hit host services like
  the Consul agent API. To make this work there are 2 options, you either add a
  macvlan interface on the host with an assigned address for each VLAN you have or
  you create an additional veth bridged interface in the container namespace.
  We chose the latter option through a custom CNI plugin but the ordering issue
  leaves us with incorrect service registration.

* Updates after feedback

 * First check for the CNIResult interfaces length, if it's zero we don't need to proceed
   at all.
 * Use sorted interfaces list for the address fallback scenario as well.
 * Remove "found" log message logic, when an address isn't found an error is returned stating
   the allocation could not be configured as an address was missing from the CNIResult. If we
   still need a Warn message then we can add it to the condition that returns the error if no
   address could be found instead of using the "found" bool logic.
2023-07-06 13:25:29 -07:00
Seth Hoenig edd0a405d7
website: use full registry name so it works with podman again (#17809) 2023-07-06 13:22:12 -05:00
Daniel Bennett c272cb0d5a
ci: clean GOCACHE before build (#17808)
this is basically to avoid Fear/Uncertainty/Doubt

the github action actions/setup-go
(and, with a different chache key, hashicorp/setup-golang)
caches both GOMODCACHE (go source files), which is good,
and GOCACHE (build outputs), which *might* be bad,
if the cache was built on an OS with an older glibc
than we want to support. from `go help cache`:
> [...] the build cache does not detect changes to
> C libraries imported with cgo.
2023-07-06 12:47:43 -05:00
Daniel Bennett 4c2cb7b701
ci: dynamic runs-on values for oss/ent (#17775)
so in enterprise we can use Vault for secrets,
without merge conflicts from oss->ent.

also:
* use hashicorp/setup-golang
* setup-js for self-hosted runners
  they don't come with yarn, nor chrome,
  and might not always match node version.
2023-07-06 12:41:17 -05:00
am-ak 3ca370dd03
docs: fix broken link in security model docs (#17812)
correcting a broken link under "similar to consul" and correcting list formatting under "general mechanisms"
2023-07-06 10:01:36 -04:00
Patric Stout ebb363d43e
metrics: add "total_ticks_count" for CPU metrics (#17579)
This counter tells you the total amount of ticks for that CPU
entry since the start of Nomad.
2023-07-05 10:28:55 -04:00
deverton-godaddy f44793d377
[api] Add NetworkStatus to allocation response (#17280)
Service discovery or mesh network systems consuming the Nomad event stream or API need to know the CNI assigned IP for the allocation. This data is returned by the underlying Nomad API but isn't mapped in the response struct.
2023-07-04 19:35:38 -04:00
James Rasell 4289de5986
docs: fix up constraint jobspec HCL format. (#17795) 2023-07-04 13:33:46 +01:00
Phil Renaud 5cc0b39683
Report shows a 3rd party browser extension puts a banner at the top of page and awkwardly shifts nav; this fixes that (#17783) 2023-06-30 17:09:42 -04:00
Phil Renaud d559072e48
[ui] Text wrap long lines of code and logs (#17754)
* Text and code wrapping as a localStorage var

* task-log uses wrapping and kb shortcut

* Word wrap keyboard labels

* Wrapper as a toggle not a button

* Changelog and fixed an extra space trailing log lines

* Moves toggle to inside

* Acceptance tests for ww and toggle click
2023-06-30 17:07:57 -04:00
Tim Gross e7cc7f2123
docs: clarify network topology requirements for clients (#17779)
The requirements for client-to-server and client-to-client topologies are not
well-documented in the production install requirements docs. Document that
clients make connections to servers (and not the other way around), and that
clients don't need to communicate with each other (with some exceptions).

Fixes: #17631
2023-06-30 10:46:29 -04:00
James Rasell 45073e8a05
job: ensure node pool is canonicalized for state restores. (#17765) 2023-06-30 07:37:22 +01:00
Sarah Thompson 8c6cc5b1d8
Update the revision used by the docker build action. (#17755)
Update the revision used by the docker action. This should always reflect the commit that's being built as this may differ from the default <github.sha> that the workflow was invoked at.

Goes with https://github.com/hashicorp/actions-docker-build/pull/59 - and should not be merged until this PR is merged and a new version of the action is cut.
2023-06-29 09:19:54 -04:00
Phil Renaud 01d6a94eac
[ui] HCL-in-UI: Re-arrange buttons, add save-as-file (#17752)
* Move buttons over as expected

* Let a user download file locally

* test mock fns for jobeditor

* Changelog
2023-06-28 21:57:03 -04:00
Daniel Bennett 77a8d79bb5
e2e: use DNS instead of HTTP to get my_public_ipv4 (#17759) 2023-06-28 13:11:57 -05:00
Tim Gross 70eca4e7f9
Merge pull request #17758 from hashicorp/post-release-1.6.0-beta.1
Post release 1.6.0 beta.1
2023-06-28 12:26:00 -04:00
hc-github-team-nomad-core 6f5401ae3a Prepare for next release 2023-06-28 11:06:28 -04:00
hc-github-team-nomad-core 5c703a49b1 Generate files for 1.6.0-beta.1 release 2023-06-28 11:06:20 -04:00
Tim Gross 6a24ffac1c release: submit build workflow from the file on the release's own branch 2023-06-28 11:06:13 -04:00
Tim Gross 06c7974120 Prepare release 1.6.0-beta.1 2023-06-28 11:06:05 -04:00