Commit graph

215 commits

Author SHA1 Message Date
Mahmood Ali e29ee4c400 nomad: defensive check for namespaces in job registration call
In a job registration request, ensure that the request namespace "header" and job
namespace field match.  This should be the case already in prod, as http
handlers ensures that the values match [1].

This mitigates bugs that exploit bugs where we may check a value but act
on another, resulting into bypassing ACL system.

[1] https://github.com/hashicorp/nomad/blob/v0.9.5/command/agent/job_endpoint.go#L415-L418
2019-09-26 17:02:47 -04:00
Danielle Lancashire 78b61de45f
config: Hoist volume.config.source into volume
Currently, using a Volume in a job uses the following configuration:

```
volume "alias-name" {
  type = "volume-type"
  read_only = true

  config {
    source = "host_volume_name"
  }
}
```

This commit migrates to the following:

```
volume "alias-name" {
  type = "volume-type"
  source = "host_volume_name"
  read_only = true
}
```

The original design was based due to being uncertain about the future of storage
plugins, and to allow maxium flexibility.

However, this causes a few issues, namely:
- We frequently need to parse this configuration during submission,
scheduling, and mounting
- It complicates the configuration from and end users perspective
- It complicates the ability to do validation

As we understand the problem space of CSI a little more, it has become
clear that we won't need the `source` to be in config, as it will be
used in the majority of cases:

- Host Volumes: Always need a source
- Preallocated CSI Volumes: Always needs a source from a volume or claim name
- Dynamic Persistent CSI Volumes*: Always needs a source to attach the volumes
                                   to for managing upgrades and to avoid dangling.
- Dynamic Ephemeral CSI Volumes*: Less thought out, but `source` will probably point
                                  to the plugin name, and a `config` block will
                                  allow you to pass meta to the plugin. Or will
                                  point to a pre-configured ephemeral config.
*If implemented

The new design simplifies this by merging the source into the volume
stanza to solve the above issues with usability, performance, and error
handling.
2019-09-13 04:37:59 +02:00
Danielle Lancashire 91bb67f713
acls: Break mount acl into mount-rw and mount-ro 2019-08-21 21:17:30 +02:00
Nick Ethier 965f00b2fc
Builtin Admission Controller Framework (#6116)
* nomad: add admission controller framework

* nomad: add admission controller framework and Consul Connect hooks

* run admission controllers before checking permissions

* client: add default node meta for connect configurables

* nomad: remove validateJob func since it has been moved to admission controller

* nomad: use new TaskKind type

* client: use consts for connect sidecar image and log level

* Apply suggestions from code review

Co-Authored-By: Michael Schurter <mschurter@hashicorp.com>

* nomad: add job register test with connect sidecar

* Update nomad/job_endpoint_hooks.go

Co-Authored-By: Michael Schurter <mschurter@hashicorp.com>
2019-08-15 11:22:37 -04:00
Danielle Lancashire b38c1d810e
job_endpoint: Validate volume permissions 2019-08-12 15:39:09 +02:00
Jasmine Dahilig 8d980edd2e
add create and modify timestamps to evaluations (#5881) 2019-08-07 09:50:35 -07:00
Preetha Appan 07690d6f9e
Add flag similar to --all for allocs to be able to filter deployments by latest 2019-05-13 18:33:41 -05:00
Lang Martin eba4e29440 client fingerprinter doesn't overwrite manual configuration
Revert "Revert accidental merge of pr #5482"
This reverts commit c45652ab8c113487b9d4fbfb107782cbcf8a85b0.
2019-04-19 15:23:48 -04:00
Lang Martin a2a1e7829d Revert accidental merge of pr #5482
Revert "fingerprint Constraints and Affinities have Equals, as set"
This reverts commit 596f16fb5f1a4a6766a57b3311af806d22382609.

Revert "client tests assert the independent handling of interface and speed"
This reverts commit 7857ac5993a578474d0570819f99b7b6e027de40.

Revert "structs missed applying a style change from the review"
This reverts commit 658916e3274efa438beadc2535f47109d0c2f0f2.

Revert "client, structs comments"
This reverts commit be2838d6baa9d382a5013fa80ea016856f28ade2.

Revert "client fingerprint updateNetworks preserves the network configuration"
This reverts commit fc309cb430e62d8e66267a724f006ae9abe1c63c.

Revert "client_test cleanup comments from review"
This reverts commit bc0bf4efb9114e699bc662f50c8f12319b6b3445.

Revert "client Networks Equals is set equality"
This reverts commit f8d432345b54b1953a4a4c719b9269f845e3e573.

Revert "struct cleanup indentation in RequestedDevice Equals"
This reverts commit f4746411cab328215def6508955b160a53452da3.

Revert "struct Equals checks for identity before value checking"
This reverts commit 0767a4665ed30ab8d9586a59a74db75d51fd9226.

Revert "fix client-test, avoid hardwired platform dependecy on lo0"
This reverts commit e89dbb2ab182b6368507dbcd33c3342223eb0ae7.

Revert "refactor error in client fingerprint to include the offending data"
This reverts commit a7fed726c6e0264d42a58410d840adde780a30f5.

Revert "add client updateNodeResources to merge but preserve manual config"
This reverts commit 84bd433c7e1d030193e054ec23474380ff3b9032.

Revert "refactor struts.RequestedDevice to have its own Equals"
This reverts commit 689782524090e51183474516715aa2f34908b8e6.

Revert "refactor structs.Resource.Networks to have its own Equals"
This reverts commit 49e2e6c77bb3eaa4577772b36c62205061c92fa1.

Revert "refactor structs.Resource.Devices to have its own Equals"
This reverts commit 4ede9226bb971ae42cc203560ed0029897aec2c9.

Revert "add COMPAT(0.10): Remove in 0.10 notes to impl for structs.Resources"
This reverts commit 49fbaace5298d5ccf031eb7ebec93906e1d468b5.

Revert "add structs.Resources Equals"
This reverts commit 8528a2a2a6450e4462a1d02741571b5efcb45f0b.

Revert "test that fingerprint resources are updated, net not clobbered"
This reverts commit 8ee02ddd23bafc87b9fce52b60c6026335bb722d.
2019-04-11 10:29:40 -04:00
Lang Martin 07ff740408 fingerprint Constraints and Affinities have Equals, as set 2019-04-11 09:56:22 -04:00
Michael Schurter 188c32421a
Update nomad/job_endpoint.go
Co-Authored-By: cgbaker <cgbaker@hashicorp.com>
2019-04-10 10:34:10 -05:00
Chris Baker 0ba1600545
server/job_endpoint: accept vault token and pass as part of Job.RegisterRequest [#4555] 2019-04-10 10:34:10 -05:00
Alex Dadgar 4bdccab550 goimports 2019-01-22 15:44:31 -08:00
Danielle Tomlinson d4cbd608ff nomad: Remove on-submission job validation
With the introduction of driver plugins, we're temporarily relying on
_run time validation_ of driver configurations, rather than submission
time.
2018-11-30 10:47:08 +01:00
Alex Dadgar 3c19d01d7a server 2018-09-15 16:23:13 -07:00
Nick Ethier 50c72adbd7
nomad: code review comments 2018-06-11 13:27:48 -04:00
Nick Ethier 41e010cdc2
nomad: add 'Dispatch' field to Job
New -bash: Dispatch: command not found field is used to denote if the Job is a child dispatched job of
a parameterized job.
2018-06-11 11:59:03 -04:00
Preetha Appan bfa0937bbb
Code review feedback 2018-05-10 14:42:24 -05:00
Preetha Appan 1b8d8b2186
Fix logic inversion in force rescheduling 2018-05-08 20:00:06 -05:00
Preetha Appan c1b92c284e
Work in progress - force rescheduling of failed allocs 2018-05-08 17:26:57 -05:00
Alex Dadgar d0f237086b UX touchups 2018-04-26 15:24:27 -07:00
Chelsea Holland Komlo fca0169dbc handle potential panic in cron parsing 2018-04-26 16:57:45 -04:00
Alex Dadgar 5320205853 Sort signals in implicit constraint
Fixes https://github.com/hashicorp/nomad/issues/4212
2018-04-26 10:12:47 -07:00
Alex Dadgar 6a44e6092f Pull snapshotting out of loop 2018-03-16 10:54:26 -07:00
Alex Dadgar 586ae36d13 Batch Deregister RPC 2018-03-16 10:53:03 -07:00
Alex Dadgar fc782d5942 List unblocks on summary changes 2018-03-15 10:22:03 -07:00
Preetha 1712b03705
Merge branch 'master' into 0.8 2018-01-03 16:06:38 -06:00
Preetha Appan 3c36abfe14
Update eval modify index as part of plan apply. 2017-12-18 10:03:55 -06:00
Preetha Appan 3b4d7ac2a3
Fix some typos 2017-12-14 13:29:27 -06:00
Preetha Appan 8e01dc27a3 Use request namespace in Register method 2017-11-20 17:12:13 -06:00
Charlie Voiselle 679e49448e Changed permission check to requested namespace
Original code checked to see if the user had submit-job on the default namespace.
2017-11-20 15:00:24 -05:00
Theo Hultberg 5a6984693f
Fix error messages for transitioning jobs to/from periodic
The error messages are flipped; when you transition a job from _not_ being periodic to being periodic you get the message "cannot update periodic job to being non-periodic", and vice versa.
2017-11-18 11:50:52 +01:00
Michael Schurter 84d8a51be1 SecretID -> AuthToken 2017-10-12 15:16:33 -07:00
Michael Schurter e50acae1a9 ForceLeave endpoint must use Server.ResolveToken
The ForceLeaveRequest endpoint may only be called on servers, but the
code was using a Client to resolve tokens. This would cause a panic when
an agent wasn't both a Server and a Client.
2017-10-09 15:49:04 -07:00
Chelsea Komlo 7c8a5228d4 Merge pull request #3290 from hashicorp/f-acl-job-dispatch
Add ACL for dispatch job
2017-10-06 13:33:21 -04:00
Chelsea Komlo 97e34725e1 Merge pull request #3278 from hashicorp/f-acl-job-getjob
Add ACL for GetJob
2017-09-29 17:44:31 -04:00
Chelsea Komlo 388cdaa2e8 Merge pull request #3272 from hashicorp/f-acl-job-stable
Add ACL endpoint for Job Stable
2017-09-29 17:44:09 -04:00
Michael Schurter a66c53d45a Remove structs import from api
Goes a step further and removes structs import from api's tests as well
by moving GenerateUUID to its own package.
2017-09-29 10:36:08 -07:00
Chelsea Komlo 3a015016cc Merge pull request #3294 from hashicorp/f-acl-job-deregister
Add ACL for job deregister
2017-09-28 10:57:51 -04:00
Chelsea Komlo c54a4f7c91 Merge pull request #3291 from hashicorp/f-acl-get-job-versions
Add ACL for job endpoint GetJobVersions
2017-09-28 10:35:19 -04:00
Chelsea Holland Komlo c242ac1431 job dispatch should have dispatch policy 2017-09-28 14:28:28 +00:00
Chelsea Komlo 77ae328fbe Merge pull request #3276 from hashicorp/f-acl-job-evaluate
Add read job permissions to evaluate endpoint
2017-09-27 18:01:15 -04:00
Chelsea Komlo d3d1bc6498 Merge pull request #3279 from hashicorp/f-acl-job-allocations
Add ACL to job allocations endpoint
2017-09-27 16:57:04 -04:00
Chelsea Komlo 8f1c89c721 Merge pull request #3283 from hashicorp/f-acl-job-latest-deployment
Add ACL to latest job api
2017-09-27 16:54:44 -04:00
Chelsea Holland Komlo 1bab53c9fd acl for job deregister 2017-09-27 19:21:10 +00:00
Chelsea Komlo b40de659a7 Merge pull request #3281 from hashicorp/f-acl-job-evaluations
Add ACL for Job Evaluations endpoint
2017-09-27 15:15:35 -04:00
Chelsea Holland Komlo 36e3212012 add acl for job endpoint GetJobVersions 2017-09-27 17:29:08 +00:00
Chelsea Holland Komlo 0db1367d43 add acl for dispatch job 2017-09-27 16:33:49 +00:00
Chelsea Holland Komlo f4b7451c62 add acl to lastest job api 2017-09-26 20:53:43 +00:00
Chelsea Holland Komlo 55c4ca187e add acl for job deployments endpoint 2017-09-26 20:33:03 +00:00
Chelsea Holland Komlo a7b7b3f6c6 add acl for Job Evaluations endpoint 2017-09-26 20:12:37 +00:00
Chelsea Holland Komlo 2fb7772c2c add acl to job allocations endpoint 2017-09-26 18:01:23 +00:00
Chelsea Holland Komlo f912619157 add ACL for GetJob endpoint 2017-09-26 17:38:03 +00:00
Chelsea Holland Komlo 5f467a84d3 add read job permissions to evaluate endpoint 2017-09-26 16:05:17 +00:00
Chelsea Holland Komlo 78f853e253 add ACL endpoint for Job Stable 2017-09-25 22:17:58 +00:00
Chelsea Holland Komlo 014dc2d7de Add ACL for Revert Job endpoint 2017-09-25 21:51:19 +00:00
Chelsea Holland Komlo d9ac59f6b0 add acl for job validate endpoint 2017-09-25 17:34:02 +00:00
Alex Dadgar e5ec915ac3 sync 2017-09-19 10:08:23 -05:00
Chelsea Holland Komlo fdf6120987 add acl token as meta flag
add API test for job ACL
2017-09-15 23:33:43 +00:00
Chelsea Holland Komlo 8727092e8e add job list acl 2017-09-15 21:26:27 +00:00
Chelsea Holland Komlo 3eff2a06c5 add job endpoint ACL 2017-09-14 18:17:35 +00:00
Alex Dadgar 84d06f6abe Sync namespace changes 2017-09-07 17:04:21 -07:00
Armon Dadgar ac6283c31f nomad: enforce ACLs on job submit 2017-09-04 13:05:53 -07:00
Alex Dadgar 45712c6ca3 test fixes 2017-07-07 14:11:27 -07:00
Alex Dadgar 1cb877699a Disallow update stanza on batch jobs
This PR:
* disallows update stanzas on batch jobs
* undeprecates the stagger field
* changes the way warnings are returned
2017-07-07 12:11:39 -07:00
Alex Dadgar a7fdc74bd4 feedback 2017-07-07 12:10:04 -07:00
Alex Dadgar 5457bb7962 Job stability 2017-07-07 12:10:04 -07:00
Alex Dadgar 2471b86dec Show submit time 2017-07-07 12:07:07 -07:00
Alex Dadgar 95c7a5bcf3 job history 2017-07-07 12:05:57 -07:00
Alex Dadgar abf34204cc JobVersions returns struct with optional diff 2017-07-07 12:05:57 -07:00
Alex Dadgar f233629a4f job deployment endpoint + api 2017-07-07 12:05:56 -07:00
Alex Dadgar 8f4b22c1e1 Fix tests 2017-07-07 12:03:11 -07:00
Alex Dadgar e782c4efbe Plan reuses job where possible 2017-07-07 12:03:11 -07:00
Alex Dadgar 07b1c3e5db Only upsert a job if the spec changes and push deployment creation into reconciler 2017-07-07 12:03:11 -07:00
Michael Schurter 9c56f70d12 Validate job updates
Incurs a local read-before-write but because validation is transitive
there's no need to retry the read-validate-write on concurrent updates.
2017-06-27 16:08:18 -07:00
Alex Dadgar 919c50ba5c Merge branch 'master' into f-update-block 2017-05-11 13:08:31 -07:00
Alex Dadgar 6232b66ea7 Thread through warnings about deprecations 2017-05-09 20:52:47 -07:00
Alex Dadgar 7078d563cb Create Deployments through plan application 2017-05-05 15:33:19 -07:00
Alex Dadgar 490601f9d6 Swap validation checks 2017-04-27 10:51:28 -07:00
Alex Dadgar 321e01988a Don't allow revert to current version 2017-04-20 11:14:06 -07:00
Alex Dadgar 1b97c9abdd Revert server endpoint 2017-04-20 11:14:06 -07:00
Alex Dadgar ac5d65704f Structs 2017-04-20 11:14:06 -07:00
Alex Dadgar 34332af70e GC and some fixes 2017-04-15 17:08:05 -07:00
Alex Dadgar 7abcdff7fd GetJobVersions server endpoint 2017-04-15 17:08:05 -07:00
Alex Dadgar 103e8d21fb Fix dispatch of periodic job
This PR fixes an issue in which when a periodic and parameterized job
was dispatched, an allocation would be immediately created.

Fixes https://github.com/hashicorp/nomad/issues/2470
2017-03-27 16:55:17 -07:00
Alex Dadgar 3b9bdfef1c Make validate work without a Nomad agent 2017-03-03 15:02:03 -08:00
Alex Dadgar ed670f0226 Revert "Deregistering non-existant job returns 404" 2017-02-22 18:22:02 -08:00
Alex Dadgar 1e5183fb89 Deregistering non-existant job returns 404
Fixes https://github.com/hashicorp/nomad/issues/2326
2017-02-20 20:10:21 -08:00
Alex Dadgar b67c59f03c Merge branch 'master' into refactor-parser 2017-02-20 15:13:21 -08:00
Diptanu Choudhury 7567209857 Making the job spec return api.Job 2017-02-16 13:52:39 -08:00
Alex Dadgar 7e918003ba Allow specification of timezones 2017-02-15 14:37:06 -08:00
Alex Dadgar b69b357c7f Nomad builds 2017-02-07 20:31:23 -08:00
Michael Schurter 1f7b5b4b47 Rename Constructor -> Parameterized Job 2017-01-20 12:43:10 -08:00
Diptanu Choudhury e927de02d2 Moved functions to helper from structs 2017-01-18 15:55:14 -08:00
Alex Dadgar 8d5f0fea69 Merge pull request #2128 from hashicorp/f-dispatch
Nomad Constructor Jobs and Dispatch
2017-01-06 05:22:49 +08:00
Alex Dadgar 4e8035756b Fix test and prevent job with payload from being submitted 2016-12-18 16:32:14 -08:00
Alex Dadgar bf1e157bd8 Children fixes + nomad status outputs summaries
Children object is always initialized instead of lazily.
`nomad status` outputs children summaries and has specialized view for
constructor jobs.
2016-12-14 16:58:54 -08:00
Alex Dadgar 4a5c3c8db0 Rename structs 2016-12-14 14:28:43 -08:00
Alex Dadgar ef79e77e52 Children summary 2016-12-06 17:06:57 -08:00
Alex Dadgar 92228da6a8 Dispatch tests 2016-12-02 15:37:26 -08:00