Commit graph

16162 commits

Author SHA1 Message Date
Danielle fee482ae6c
Merge pull request #6331 from hashicorp/dani/f-volume-mount-propagation
volumes: Add support for mount propagation
2019-10-14 14:29:40 +02:00
Danielle Lancashire 4fbcc668d0
volumes: Add support for mount propagation
This commit introduces support for configuring mount propagation when
mounting volumes with the `volume_mount` stanza on Linux targets.

Similar to Kubernetes, we expose 3 options for configuring mount
propagation:

- private, which is equivalent to `rprivate` on Linux, which does not allow the
           container to see any new nested mounts after the chroot was created.

- host-to-task, which is equivalent to `rslave` on Linux, which allows new mounts
                that have been created _outside of the container_ to be visible
                inside the container after the chroot is created.

- bidirectional, which is equivalent to `rshared` on Linux, which allows both
                 the container to see new mounts created on the host, but
                 importantly _allows the container to create mounts that are
                 visible in other containers and on the host_

private and host-to-task are safe, but bidirectional mounts can be
dangerous, as if the code inside a container creates a mount, and does
not clean it up before tearing down the container, it can cause bad
things to happen inside the kernel.

To add a layer of safety here, we require that the user has ReadWrite
permissions on the volume before allowing bidirectional mounts, as a
defense in depth / validation case, although creating mounts should also require
a privileged execution environment inside the container.
2019-10-14 14:09:58 +02:00
Michael Lange 2949a38f7c
Merge pull request #6396 from hashicorp/d-updated-ui-guides
Docs: Updated UI guides
2019-10-11 10:33:37 -07:00
Luiz Aoqui 14cda1aa0a
Merge pull request #6473 from hashicorp/docs-fix-acl-prefix-param
docs: fix ACL `prefix` param documentation
2019-10-11 10:51:34 -04:00
Luiz Aoqui 488a2f6f3a
docs: fix ACL prefix param documentation 2019-10-11 10:28:44 -04:00
Danielle a17a0cde80
Merge pull request #6472 from hashicorp/b-docs-config
docs: Update stateful workloads guide to reflect rc-1 config changes
2019-10-11 15:08:12 +02:00
Danielle 71fe2bd981
Merge pull request #6071 from hashicorp/dani/hclfmt
make: Add task for formatting hcl/nomad files
2019-10-11 15:08:00 +02:00
Danielle Lancashire 199d24d6bf
chore: initial hclfmt 2019-10-11 14:00:05 +02:00
Danielle Lancashire 935c86b404
make: Add make task for formatting HCL 2019-10-11 13:59:22 +02:00
Danielle Lancashire 4056899708
docs: Update stateful workloads guide to reflect rc-1 config changes 2019-10-11 13:45:28 +02:00
Danielle 2640155ae5
Merge pull request #6429 from hashicorp/f-log-to-file
Add support for logging to a file
2019-10-11 13:35:39 +02:00
Michael Schurter 7ece26cf8a
Merge pull request #6469 from hashicorp/docs-0100-rc1
docs: 0.10.0-beta1 -> 0.10.0-rc1
2019-10-10 13:36:25 -07:00
Michael Schurter 9d85df26dd docs: 0.10.0-beta1 -> 0.10.0-rc1 2019-10-10 13:09:19 -07:00
Michael Schurter ce09070176
Merge pull request #6465 from hashicorp/docs-nobeta
docs: remove beta flag from connect
2019-10-10 13:05:45 -07:00
Lang Martin 1f8a538186
Merge pull request #6467 from hashicorp/test-disable-test-rkt
circleci: disable test-rkt, which is deprecated and often fails
2019-10-10 15:49:46 -04:00
Michael Schurter 9b073b8113
Merge pull request #6468 from hashicorp/release-fix-dist
release: tag on HEAD not master
2019-10-10 11:55:34 -07:00
Michael Schurter d29ff2a1b0 release: tag on HEAD not master 2019-10-10 11:49:59 -07:00
Michael Schurter 890409864d
Merge pull request #6464 from hashicorp/docs-noraft
docs: drop raft from 0.10.0 upgrade guide
2019-10-10 11:13:00 -07:00
Lang Martin d1e173c476 circleci: disable test-rkt, which is deprecated and often fails 2019-10-10 13:46:33 -04:00
Michael Schurter a32aa7c819 docs: remove beta flag from connect 2019-10-10 10:31:06 -07:00
Michael Schurter dd7b9adcf8 docs: drop raft from 0.10.0 upgrade guide
Unfortunately we are not changing the default for 0.10.0 and the 0.8
upgrade docs are more detailed when it comes to manually updating your
version.
2019-10-10 10:22:36 -07:00
Danielle Lancashire 5cedf6d024
logging: Correctly track number of written bytes
Currently this assumes that a short write will never happen. While these
are improbable in a case where rotation being off a few bytes would
matter, this now correctly tracks the number of written bytes.
2019-10-10 14:02:14 +02:00
Danielle Lancashire b67215d4f8
logging: Sort files when pruning old logs
Currently this logging implementation is dependent on the order of files
as returned by filepath.Glob, which although internal methods are
documented to be lexicographical, does not publicly document this. Here we
defensively resort.
2019-10-10 13:51:16 +02:00
Emamul Andalib fcd70b91ac Update consul.html.md (#6456)
"you may have have" to "you may have".
2019-10-09 12:35:16 -04:00
Omar Khawaja 9f8cc217e6
update Nomad and Consul versions along with Ubuntu vagrant box version (#6451) 2019-10-09 12:30:23 -04:00
Luiz Aoqui 3be8364636
Merge pull request #6444 from hashicorp/docs-add-prefix-param-to-acl-endpoints
docs: improve documentation for `prefix` param on API endpoints
2019-10-08 19:08:27 -04:00
Luiz Aoqui 521c0ad2a5
docs: clarify prefix API param requirements 2019-10-08 18:11:56 -04:00
Preetha e0b4ebe0b4
Merge pull request #6439 from hashicorp/f-docs-clarify-job-gc-interval
clarify version for new gc config in server stanza
2019-10-08 16:43:03 -05:00
Chris Baker cb11b77724
Merge pull request #6428 from Norbinsh/master
Docs: remove small duplication
2019-10-08 16:40:04 -05:00
Seth Hoenig fd75d8a487
Merge pull request #6447 from hashicorp/contributing-doc-tweaks
contributing: fix typo & append RPC checklist
2019-10-08 14:54:56 -05:00
Seth Hoenig e2b34550d6 contributing: fix typo & append RPC checklist 2019-10-08 19:28:35 +00:00
Michael Schurter 5f1ab36638
Merge pull request #6443 from hashicorp/docs-jobspec-checklist
docs: add sidebar to jobspec checklist
2019-10-08 12:27:28 -07:00
Buck Doyle 9a3a6c3f62
UI: Update to Ember 3.8 LTS (#5968) 2019-10-08 13:44:19 -05:00
Michael Schurter c0cfb1f9f0
Merge pull request #6446 from hashicorp/revert-6445-revert-6395-b-missing-vault-sercret
Revert "Revert "Use joint context to cancel prestart hooks""
2019-10-08 11:35:34 -07:00
Michael Schurter f54f1cb321
Revert "Revert "Use joint context to cancel prestart hooks"" 2019-10-08 11:34:09 -07:00
Michael Schurter fb835b19be
Merge pull request #6445 from hashicorp/revert-6395-b-missing-vault-sercret
Revert "Use joint context to cancel prestart hooks"
2019-10-08 11:28:18 -07:00
Michael Schurter 81a30ae106
Revert "Use joint context to cancel prestart hooks" 2019-10-08 11:27:08 -07:00
Luiz Aoqui b9ef978641
docs: add missing prefix param to the ACL API endpoints 2019-10-08 14:13:36 -04:00
Michael Schurter 3d3a445ee7 docs: add sidebar to jobspec checklist 2019-10-08 10:55:53 -07:00
Mahmood Ali e8942312bb
Merge pull request #6442 from hashicorp/b-alloc-namespace-check
acl: check ACL against object namespace
2019-10-08 13:26:38 -04:00
Mahmood Ali 4b2ba62e35 acl: check ACL against object namespace
Fix a bug where a malicious user can access or manipulate an alloc in a
namespace they don't have access to.  The allocation endpoints perform
ACL checks against the request namespace, not the allocation namespace,
and perform the allocation lookup independently from namespaces.

Here, we check that the requester can access the alloc namespace
regardless of the declared request namespace.

Ideally, we'd enforce that the declared request namespace matches
the actual allocation namespace.  Unfortunately, we haven't documented
alloc endpoints as namespaced functions; we suspect starting to enforce
this will be very disruptive and inappropriate for a nomad point
release.  As such, we maintain current behavior that doesn't require
passing the proper namespace in request.  A future major release may
start enforcing checking declared namespace.
2019-10-08 12:59:22 -04:00
Mahmood Ali b89712432b
Merge pull request #6440 from hashicorp/docs-release-096
Update website and changelog with 0.9.6
2019-10-08 12:56:27 -04:00
Mahmood Ali 3c0d8c7611
Merge pull request #6441 from hashicorp/b-agent-token
Redact replication tokens in /agent/self
2019-10-08 12:55:45 -04:00
Mahmood Ali 0f105215d9 update CHANGELOG with 0.9.6 changes 2019-10-08 12:50:53 -04:00
Mahmood Ali 1563c64bae website: Publish release 0.9.6 2019-10-08 12:48:05 -04:00
Preetha Appan 350e7f6952 clarify version for new gc config in server stanza 2019-10-08 10:08:27 -05:00
Charlie Voiselle 1276b84301
Merge pull request #6435 from hashicorp/doc-host-volume-update
Docs: Updated Host Volumes guide
2019-10-08 09:13:09 -04:00
Charlie Voiselle 9e8d9c2c8c Updated Host Volumes guide
Added read_only to highlight them
Style updates
2019-10-07 14:17:30 -04:00
Omar Khawaja 01f2ca6941
Upgrade Nomad terraform directory for TF 0.12+ (#6424)
* update

* fix error

* convert server ips in list of string and loop through for output

* drop the for loop in outputs and keep the join command

* switched to TF 0.12 splat expression
2019-10-07 12:43:42 -04:00
Danielle Lancashire 9eaac48f25
agent: Refactor log setup to support log-to-file 2019-10-07 14:42:32 +02:00