Commit graph

25039 commits

Author SHA1 Message Date
hc-github-team-nomad-core e891026755
Backport of CSI: improve controller RPC reliability into release/1.6.x (#18015)
This pull request was automerged via backport-assistant
2023-07-20 13:52:27 -05:00
hc-github-team-nomad-core 180ea2df9c
backport of commit ddd74c051a4f02a2ace43abd6e0617b8ea3c1192 (#18012)
This pull request was automerged via backport-assistant
2023-07-20 13:16:53 -05:00
hc-github-team-nomad-core 36163c36f8
backport of commit 6e4603e8ba503cd08279f50da1a4c0a5539a9768 (#18011)
This pull request was automerged via backport-assistant
2023-07-20 13:16:34 -05:00
hc-github-team-nomad-core d3b1d58c4d
backport of commit 715764bfe448fc6a80ca3858377b4f760d39c611 (#18010)
This pull request was automerged via backport-assistant
2023-07-20 11:38:52 -05:00
hc-github-team-nomad-core 963b2d97b2
Backport of [ui] When a purged/404-ing job is detected, boot the user out of that job and back to the index into release/1.6.x (#18009)
This pull request was automerged via backport-assistant
2023-07-20 11:37:06 -05:00
hc-github-team-nomad-core b1bfb59394
Backport of metrics: report task memory_max value into release/1.6.x (#18004)
This pull request was automerged via backport-assistant
2023-07-19 15:50:34 -05:00
hc-github-team-nomad-core b7689e87ec
Backport of nsd: retain query params in HTTP health checks into release/1.6.x (#18003)
This pull request was automerged via backport-assistant
2023-07-19 15:47:02 -05:00
hc-github-team-nomad-core 642cad50d8
Backport of ui: fix Topology node state filter into release/1.6.x (#18000)
This pull request was automerged via backport-assistant
2023-07-19 15:38:55 -05:00
hc-github-team-nomad-core 3011314f23
Backport of volume-status : show namespace the volume belongs to into release/1.6.x (#17997)
This pull request was automerged via backport-assistant
2023-07-19 15:37:18 -05:00
hc-github-team-nomad-core e5fb6fe687
backport of commit 615e76ef3c23497f768ebd175f0c624d32aeece8 (#17993)
This pull request was automerged via backport-assistant
2023-07-19 13:31:14 -05:00
hc-github-team-nomad-core 872db79967
Backport of updating to specify mTLS rpc endpoints into release/1.6.x (#17990)
This pull request was automerged via backport-assistant
2023-07-19 13:17:10 -05:00
Luiz Aoqui 7ddb4b3075 Merge branch 'release/1.6.0' into release/1.6.x 2023-07-19 10:47:46 -04:00
hc-github-team-nomad-core 96934ce453
backport of commit dd0bdb1e0dff2e796ad7f0418e9128fe7d864362 (#17985)
This pull request was automerged via backport-assistant
2023-07-19 09:35:46 -05:00
hc-github-team-nomad-core 46db1e76cb
backport of commit d6138ebd085573a040a9490f8592854f862dfa14 (#17982)
This pull request was automerged via backport-assistant
2023-07-19 09:21:47 -05:00
hc-github-team-nomad-core bff3663626
backport of commit bed29bf02f9ca01d615716bc0edab523717b79b3 (#17979)
This pull request was automerged via backport-assistant
2023-07-19 09:16:55 -05:00
hc-github-team-nomad-core c67a225882 Prepare for next release 2023-07-18 18:51:15 +00:00
hc-github-team-nomad-core 609a97cfab Generate files for 1.6.0 release 2023-07-18 18:51:11 +00:00
Tim Gross e8bfef8148 search: fix ACL filtering for plugins and variables
ACL permissions for the search endpoints are done in three passes. The
first (the `sufficientSearchPerms` method) is for performance and coarsely
rejects requests based on the passed-in context parameter if the user has no
permissions to any object in that context. The second (the
`filteredSearchContexts` method) filters out contexts based on whether the user
has permissions either to the requested namespace or again by context (to catch
the "all" context). Finally, when iterating over the objects available, we do
the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the
  variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we
don't consider to be privileged information but intended to protect anyway.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st
and 2nd pass ACL filters, and changes variables to check `variable:list` in the
2nd pass filter unless the wildcard namespace is passed (at which point we'll
fall back to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
2023-07-18 12:09:55 -04:00
Luiz Aoqui ac90c6f008 acl: fix parsing of policies with blocks w/o label
An ACL policy with a block without a label generates unexpected results.
For example, a policy such as this:

```
namespace {
  policy = "read"
}
```

is applied to a namespace called `policy` instead of the documented
behaviour of applying it to the `default` namespace.

This happens because of the way HCL1 decodes blocks. Since it doesn't
know if a block is expected to have a label it applies the `key` tag to
the content of the block and, in the example above, the first key is
`policy`, so it sets that as the `namespace` block label.

Since this happens internally in the HCL decoder it's not possible to
detect the problem externally.

Fixing the problem inside the decoder is challenging because the JSON
and HCL parsers generate different ASTs, which makes it impossible to
differentiate a JSON tree from an invalid HCL tree within the
decoder.

The fix in this commit consists of manually parsing the policy after
decoding to clear labels that were not set in the file. This allows the
validation rules to consistently catch and return any errors, whether
the policy is invalid HCL or JSON.
2023-07-18 12:09:37 -04:00
Charlie Voiselle 58234bc243 redact token before passing to sentinel 2023-07-18 12:08:57 -04:00
hc-github-team-nomad-core c9ef870f96
backport of commit a9eecb457cef34ee856681a51af94fe0f6db4b21 (#17947)
This pull request was automerged via backport-assistant
2023-07-14 04:23:26 -05:00
hc-github-team-nomad-core 2f7892667f
backport of commit b75f9bd459700112cb31a329dc54ddeba46d749e (#17942)
This pull request was automerged via backport-assistant
2023-07-13 17:26:01 -05:00
hc-github-team-nomad-core 90a4579208
backport of commit 25a062650f38b682733fe51d886188a8d0504844 (#17922)
This pull request was automerged via backport-assistant
2023-07-12 10:17:45 -05:00
hc-github-team-nomad-core 9e31dec7ca
Backport of docs: add plugin docs for pledge task driver into release/1.6.x (#17919)
This pull request was automerged via backport-assistant
2023-07-12 10:16:57 -05:00
hc-github-team-nomad-core 048ca39403
backport of commit 0cb728ed68165888245cf8bc72e4dece5123ef4f (#17918)
This pull request was automerged via backport-assistant
2023-07-12 09:52:00 -05:00
Tim Gross 281f6e482e Merge branch 'release/1.6.0-rc.1' into release/1.6.x 2023-07-12 09:55:24 -04:00
hc-github-team-nomad-core 51eb8284c7
backport of commit 3d5bce76d00dff29c42c37bb20e38e4bf1d2187d (#17904)
This pull request was automerged via backport-assistant
2023-07-11 12:53:51 -05:00
hc-github-team-nomad-core df7bcf3ebc Prepare for next release 2023-07-11 15:19:58 +00:00
hc-github-team-nomad-core 1a1e1d5d4d Generate files for 1.6.0-rc.1 release 2023-07-11 15:19:54 +00:00
Tim Gross 6a9deaf7be Prepare release 1.6.0-rc.1 2023-07-11 11:09:18 -04:00
hc-github-team-nomad-core 0951fe1c50
backport of commit 0a5e90120b18ff450457463d6bcee68ec6804bb0 (#17900)
This pull request was automerged via backport-assistant
2023-07-11 10:00:05 -05:00
Kévin Dunglas 9f0f897077
docs: fix typo in regex_replace.mdx (#17891) 2023-07-11 14:03:40 +01:00
Lance Haig 0455389534
Add the ability to customise the details of the CA (#17309)
Co-authored-by: James Rasell <jrasell@users.noreply.github.com>
2023-07-11 08:53:09 +01:00
hashicorp-copywrite[bot] 2b85290d55
[COMPLIANCE] Add Copyright and License Headers (#17877)
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-07-11 07:48:11 +01:00
Michael Schurter c82f439a6d
remove empty file (#17853) 2023-07-10 16:34:10 -07:00
Michael Schurter 278fd44a8b
docs: v1.6.0 requires ipc_lock cap for mlock (#17881)
Fixes #17780
2023-07-10 11:53:07 -07:00
Tim Gross ad7355e58b
CSI: persist previous mounts on client to restore during restart (#17840)
When claiming a CSI volume, we need to ensure the CSI node plugin is running
before we send any CSI RPCs. This extends even to the controller publish RPC
because it requires the storage provider's "external node ID" for the
client. This primarily impacts client restarts but also is a problem if the node
plugin exits (and fingerprints) while the allocation that needs a CSI volume
claim is being placed.

Unfortunately there's no mapping of volume to plugin ID available in the
jobspec, so we don't have enough information to wait on plugins until we either
get the volume from the server or retrieve the plugin ID from data we've
persisted on the client.

If we always require getting the volume from the server before making the claim,
a client restart for disconnected clients will cause all the allocations that
need CSI volumes to fail. Even while connected, checking in with the server to
verify the volume's plugin before trying to make a claim RPC is inherently racy,
so we'll leave that case as-is and it will fail the claim if the node plugin
needed to support a newly-placed allocation is flapping such that the node
fingerprint is changing.

This changeset persists a minimum subset of data about the volume and its plugin
in the client state DB, and retrieves that data during the CSI hook's prerun to
avoid re-claiming and remounting the volume unnecessarily.

This changeset also updates the RPC handler to use the external node ID from the
claim whenever it is available.

Fixes: #13028
2023-07-10 13:20:15 -04:00
Devashish Taneja 0d9dee3cbe
Include parent job ID as a Docker container label (#17843)
Fixes: #17751
2023-07-10 11:27:45 -04:00
Daniel Bennett 30b1b88332
ci: more self-hosted iops for checks workflow (#17852) 2023-07-10 10:21:04 -05:00
James Rasell 3bfec68556
docs: detail Consul ACL token env var config option. (#17859) 2023-07-10 14:26:18 +01:00
dependabot[bot] 771a96ee55
build(deps): bump github.com/hashicorp/cronexpr in /api (#17787) 2023-07-10 11:23:00 +01:00
James Rasell 5571890974
e2e: respect timeout value when waiting for allocs in v3. (#17800) 2023-07-10 09:47:10 +01:00
Tim Gross 5025731ebe
consul: handle "not found" errors from Consul when deleting tokens (#17847)
In Consul 1.15.0, the Delete Token API was changed so as to return an error when
deleting a non-existent ACL token. This means that if Nomad successfully deletes
the token but fails to persist that fact, it will get stuck trying to delete a
non-existent token forever.

Update the token deletion function to ignore "not found" errors and treat them
as successful deletions.

Fixes: #17833
2023-07-07 16:22:13 -04:00
Daniel Bennett 30a99926dc
ci: pull secrets from Vault in nomad-enterprise (#17841) 2023-07-07 14:27:12 -05:00
Seth Hoenig 4452f0623b
env/aws: updates from ec2info (#17835) 2023-07-07 10:12:05 -05:00
Daniel Bennett a3924db96c
ci: windows tests on public runners (#17829)
Currently our self-hosted Windows runners lack `docker`,
so for now just revert to public runners.
2023-07-06 17:06:55 -05:00
Yorick Gersie 3e66291b0e
cni: ensure to setup CNI addresses in deterministic order (#17766)
* cni: ensure to setup CNI addresses in deterministic order

  Currently, as commented in the code, the go-cni library returns an unordered map
  of interfaces. In cases where there are multiple CNI interfaces being created this
  creates a problem with service registration and health checking because the first
  address in the map is being used.

  The use case we have where this is an issue is that we run CNI with the macvlan
  plugin to isolate workloads, but they still need to be able to access the host on
  a static address to be able to perform local resolving and hit host services like
  the Consul agent API. To make this work there are 2 options: you either add a
  macvlan interface on the host with an assigned address for each VLAN you have, or
  you create an additional veth bridged interface in the container namespace.
  We chose the latter option through a custom CNI plugin, but the ordering issue
  leaves us with incorrect service registration.

* Updates after feedback

  * First check the CNIResult interfaces length; if it's zero we don't need to proceed
    at all.
  * Use the sorted interfaces list for the address fallback scenario as well.
  * Remove the "found" log message logic; when an address isn't found an error is returned stating
    the allocation could not be configured because an address was missing from the CNIResult. If we
    still need a Warn message then we can add it to the condition that returns the error if no
    address could be found instead of using the "found" bool logic.
2023-07-06 13:25:29 -07:00
Seth Hoenig edd0a405d7
website: use full registry name so it works with podman again (#17809) 2023-07-06 13:22:12 -05:00
Daniel Bennett c272cb0d5a
ci: clean GOCACHE before build (#17808)
this is basically to avoid Fear/Uncertainty/Doubt

the github action actions/setup-go
(and, with a different cache key, hashicorp/setup-golang)
caches both GOMODCACHE (go source files), which is good,
and GOCACHE (build outputs), which *might* be bad,
if the cache was built on an OS with an older glibc
than we want to support. from `go help cache`:
> [...] the build cache does not detect changes to
> C libraries imported with cgo.
2023-07-06 12:47:43 -05:00
Daniel Bennett 4c2cb7b701
ci: dynamic runs-on values for oss/ent (#17775)
so in enterprise we can use Vault for secrets,
without merge conflicts from oss->ent.

also:
* use hashicorp/setup-golang
* setup-js for self-hosted runners
  they don't come with yarn, nor chrome,
  and might not always match node version.
2023-07-06 12:41:17 -05:00