Commit Graph

24995 Commits

Author SHA1 Message Date
hc-github-team-nomad-core b807b5d967 Prepare for next release 2023-07-21 13:49:46 +00:00
hc-github-team-nomad-core 88ea0c3cc2 Generate files for 1.6.1 release 2023-07-21 13:49:42 +00:00
hc-github-team-nomad-core 7eb6d42cb5
backport of commit 80244bb7914876278597b205324f990cbe9ee15d (#18027)
This pull request was automerged via backport-assistant
2023-07-21 08:21:21 -05:00
Luiz Aoqui 21cf30178a ui: handle errors from unimplemented services (#18020)
When a request is made to an RPC service that doesn't exist (for
example, a cross-region request from a newer version of Nomad to an
older version that doesn't implement the endpoint) the application
should return an empty list as well.
2023-07-21 09:20:00 -04:00
hc-github-team-nomad-core 63316363c9
Backport of ui: handle node pool requests to older regions into release/1.6.x (#18024)
This pull request was automerged via backport-assistant
2023-07-21 08:17:08 -05:00
hc-github-team-nomad-core 30260f06e8
Backport of state: canonicalize namespace on restore into release/1.6.x (#18018)
This pull request was automerged via backport-assistant
2023-07-20 15:05:16 -05:00
hc-github-team-nomad-core e891026755
Backport of CSI: improve controller RPC reliability into release/1.6.x (#18015)
This pull request was automerged via backport-assistant
2023-07-20 13:52:27 -05:00
hc-github-team-nomad-core 180ea2df9c
backport of commit ddd74c051a4f02a2ace43abd6e0617b8ea3c1192 (#18012)
This pull request was automerged via backport-assistant
2023-07-20 13:16:53 -05:00
hc-github-team-nomad-core 36163c36f8
backport of commit 6e4603e8ba503cd08279f50da1a4c0a5539a9768 (#18011)
This pull request was automerged via backport-assistant
2023-07-20 13:16:34 -05:00
hc-github-team-nomad-core d3b1d58c4d
backport of commit 715764bfe448fc6a80ca3858377b4f760d39c611 (#18010)
This pull request was automerged via backport-assistant
2023-07-20 11:38:52 -05:00
hc-github-team-nomad-core 963b2d97b2
Backport of [ui] When a purged/404-ing job is detected, boot the user out of that job and back to the index into release/1.6.x (#18009)
This pull request was automerged via backport-assistant
2023-07-20 11:37:06 -05:00
hc-github-team-nomad-core b1bfb59394
Backport of metrics: report task memory_max value into release/1.6.x (#18004)
This pull request was automerged via backport-assistant
2023-07-19 15:50:34 -05:00
hc-github-team-nomad-core b7689e87ec
Backport of nsd: retain query params in HTTP health checks into release/1.6.x (#18003)
This pull request was automerged via backport-assistant
2023-07-19 15:47:02 -05:00
hc-github-team-nomad-core 642cad50d8
Backport of ui: fix Topology node state filter into release/1.6.x (#18000)
This pull request was automerged via backport-assistant
2023-07-19 15:38:55 -05:00
hc-github-team-nomad-core 3011314f23
Backport of volume-status : show namespace the volume belongs to into release/1.6.x (#17997)
This pull request was automerged via backport-assistant
2023-07-19 15:37:18 -05:00
hc-github-team-nomad-core e5fb6fe687
backport of commit 615e76ef3c23497f768ebd175f0c624d32aeece8 (#17993)
This pull request was automerged via backport-assistant
2023-07-19 13:31:14 -05:00
hc-github-team-nomad-core 872db79967
Backport of updating to specify mTLS rpc endpoints into release/1.6.x (#17990)
This pull request was automerged via backport-assistant
2023-07-19 13:17:10 -05:00
Luiz Aoqui 7ddb4b3075 Merge branch 'release/1.6.0' into release/1.6.x 2023-07-19 10:47:46 -04:00
hc-github-team-nomad-core 96934ce453
backport of commit dd0bdb1e0dff2e796ad7f0418e9128fe7d864362 (#17985)
This pull request was automerged via backport-assistant
2023-07-19 09:35:46 -05:00
hc-github-team-nomad-core 46db1e76cb
backport of commit d6138ebd085573a040a9490f8592854f862dfa14 (#17982)
This pull request was automerged via backport-assistant
2023-07-19 09:21:47 -05:00
hc-github-team-nomad-core bff3663626
backport of commit bed29bf02f9ca01d615716bc0edab523717b79b3 (#17979)
This pull request was automerged via backport-assistant
2023-07-19 09:16:55 -05:00
hc-github-team-nomad-core c67a225882 Prepare for next release 2023-07-18 18:51:15 +00:00
hc-github-team-nomad-core 609a97cfab Generate files for 1.6.0 release 2023-07-18 18:51:11 +00:00
Tim Gross e8bfef8148 search: fix ACL filtering for plugins and variables
ACL permissions for the search endpoints are done in three passes. The
first (the `sufficientSearchPerms` method) is for performance and coarsely
rejects requests based on the passed-in context parameter if the user has no
permissions to any object in that context. The second (the
`filteredSearchContexts` method) filters out contexts based on whether the user
has permissions either to the requested namespace or again by context (to catch
the "all" context). Finally, when iterating over the objects available, we do
the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the
  variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we
don't consider to be privileged information but intended to protect anyways.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st
and 2nd pass ACL filters, and changes variables to check `variable:list` in the
2nd pass filter unless the wildcard namespace is passed (at which point we'll
fallback to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
2023-07-18 12:09:55 -04:00
Luiz Aoqui ac90c6f008 acl: fix parsing of policies with blocks w/o label
An ACL policy with a block without label generates unexpected results.
For example, a policy such as this:

```
namespace {
  policy = "read"
}
```

Is applied to a namespace called `policy` instead of the documented
behaviour of applying it to the `default` namespace.

This happens because of the way HCL1 decodes blocks. Since it doesn't
know if a block is expected to have a label it applies the `key` tag to
the content of the block and, in the example above, the first key is
`policy`, so it sets that as the `namespace` block label.

Since this happens internally in the HCL decoder it's not possible to
detect the problem externally.

Fixing the problem inside the decoder is challenging because the JSON
and HCL parsers generate different ASTs that makes impossible to
differentiate between a JSON tree from an invalid HCL tree within the
decoder.

The fix in this commit consists of manually parsing the policy after
decoding to clear labels that were not set in the file. This allows the
validation rules to consistently catch and return any errors, no matter
if the policy is an invalid HCL or JSON.
2023-07-18 12:09:37 -04:00
Charlie Voiselle 58234bc243 redact token before passing to sentinel 2023-07-18 12:08:57 -04:00
hc-github-team-nomad-core c9ef870f96
backport of commit a9eecb457cef34ee856681a51af94fe0f6db4b21 (#17947)
This pull request was automerged via backport-assistant
2023-07-14 04:23:26 -05:00
hc-github-team-nomad-core 2f7892667f
backport of commit b75f9bd459700112cb31a329dc54ddeba46d749e (#17942)
This pull request was automerged via backport-assistant
2023-07-13 17:26:01 -05:00
hc-github-team-nomad-core 90a4579208
backport of commit 25a062650f38b682733fe51d886188a8d0504844 (#17922)
This pull request was automerged via backport-assistant
2023-07-12 10:17:45 -05:00
hc-github-team-nomad-core 9e31dec7ca
Backport of docs: add plugin docs for pledge task driver into release/1.6.x (#17919)
This pull request was automerged via backport-assistant
2023-07-12 10:16:57 -05:00
hc-github-team-nomad-core 048ca39403
backport of commit 0cb728ed68165888245cf8bc72e4dece5123ef4f (#17918)
This pull request was automerged via backport-assistant
2023-07-12 09:52:00 -05:00
Tim Gross 281f6e482e Merge branch 'release/1.6.0-rc.1' into release/1.6.x 2023-07-12 09:55:24 -04:00
hc-github-team-nomad-core 51eb8284c7
backport of commit 3d5bce76d00dff29c42c37bb20e38e4bf1d2187d (#17904)
This pull request was automerged via backport-assistant
2023-07-11 12:53:51 -05:00
hc-github-team-nomad-core df7bcf3ebc Prepare for next release 2023-07-11 15:19:58 +00:00
hc-github-team-nomad-core 1a1e1d5d4d Generate files for 1.6.0-rc.1 release 2023-07-11 15:19:54 +00:00
Tim Gross 6a9deaf7be Prepare release 1.6.0-rc.1 2023-07-11 11:09:18 -04:00
hc-github-team-nomad-core 0951fe1c50
backport of commit 0a5e90120b18ff450457463d6bcee68ec6804bb0 (#17900)
This pull request was automerged via backport-assistant
2023-07-11 10:00:05 -05:00
Kévin Dunglas 9f0f897077
docs: fix typo in regex_replace.mdx (#17891) 2023-07-11 14:03:40 +01:00
Lance Haig 0455389534
Add the ability to customise the details of the CA (#17309)
Co-authored-by: James Rasell <jrasell@users.noreply.github.com>
2023-07-11 08:53:09 +01:00
hashicorp-copywrite[bot] 2b85290d55
[COMPLIANCE] Add Copyright and License Headers (#17877)
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-07-11 07:48:11 +01:00
Michael Schurter c82f439a6d
remove empty file (#17853) 2023-07-10 16:34:10 -07:00
Michael Schurter 278fd44a8b
docs: v1.6.0 requires ipc_lock cap for mlock (#17881)
Fixes #17780
2023-07-10 11:53:07 -07:00
Tim Gross ad7355e58b
CSI: persist previous mounts on client to restore during restart (#17840)
When claiming a CSI volume, we need to ensure the CSI node plugin is running
before we send any CSI RPCs. This extends even to the controller publish RPC
because it requires the storage provider's "external node ID" for the
client. This primarily impacts client restarts but also is a problem if the node
plugin exits (and fingerprints) while the allocation that needs a CSI volume
claim is being placed.

Unfortunately there's no mapping of volume to plugin ID available in the
jobspec, so we don't have enough information to wait on plugins until we either
get the volume from the server or retrieve the plugin ID from data we've
persisted on the client.

If we always require getting the volume from the server before making the claim,
a client restart for disconnected clients will cause all the allocations that
need CSI volumes to fail. Even while connected, checking in with the server to
verify the volume's plugin before trying to make a claim RPC is inherently racy,
so we'll leave that case as-is and it will fail the claim if the node plugin
needed to support a newly-placed allocation is flapping such that the node
fingerprint is changing.

This changeset persists a minimum subset of data about the volume and its plugin
in the client state DB, and retrieves that data during the CSI hook's prerun to
avoid re-claiming and remounting the volume unnecessarily.

This changeset also updates the RPC handler to use the external node ID from the
claim whenever it is available.

Fixes: #13028
2023-07-10 13:20:15 -04:00
Devashish Taneja 0d9dee3cbe
Include parent job ID as a Docker container label (#17843)
Fixes: #17751
2023-07-10 11:27:45 -04:00
Daniel Bennett 30b1b88332
ci: more self-hosted iops for checks workflow (#17852) 2023-07-10 10:21:04 -05:00
James Rasell 3bfec68556
docs: detail Consul ACL token env var config option. (#17859) 2023-07-10 14:26:18 +01:00
dependabot[bot] 771a96ee55
build(deps): bump github.com/hashicorp/cronexpr in /api (#17787) 2023-07-10 11:23:00 +01:00
James Rasell 5571890974
e2e: respect timeout value when waiting for allocs in v3. (#17800) 2023-07-10 09:47:10 +01:00
Tim Gross 5025731ebe
consul: handle "not found" errors from Consul when deleting tokens (#17847)
In Consul 1.15.0, the Delete Token API was changed so as to return an error when
deleting a non-existent ACL token. This means that if Nomad successfully deletes
the token but fails to persist that fact, it will get stuck trying to delete a
non-existent token forever.

Update the token deletion function to ignore "not found" errors and treat them
as successful deletions.

Fixes: #17833
2023-07-07 16:22:13 -04:00
Daniel Bennett 30a99926dc
ci: pull secrets from Vault in nomad-enterprise (#17841) 2023-07-07 14:27:12 -05:00