open-nomad/client/allocrunner/taskrunner
Seth Hoenig ff4503aac6
client: disable running artifact downloader as nobody (#16375)
* client: disable running artifact downloader as nobody

This PR reverts a change from Nomad 1.5 where artifact downloads were
executed as the nobody user on Linux systems. This was done as an attempt
to improve the security model of artifact downloading where third-party
tools such as git or mercurial would be run as the root user with all
the security implications thereof.

However, doing so conflicts with Nomad's own advice for securing the
Client data directory - which when set up with the recommended directory
permissions structure prevents artifact downloads from working as intended.

Artifact downloads are at least still now executed as a child process of
the Nomad agent, and on modern Linux systems make use of the kernel Landlock
feature for limiting filesystem access of the child process.

* docs: update upgrade guide for 1.5.1 sandboxing

* docs: add cl

* docs: add title to upgrade guide fix
2023-03-08 15:58:43 -06:00
getter client: disable running artifact downloader as nobody (#16375) 2023-03-08 15:58:43 -06:00
interfaces
restarts build: run gofmt on all go source files 2022-08-16 11:14:11 -05:00
state cleanup more helper updates (#14638) 2022-09-21 14:53:25 -05:00
template users: eliminate LookupGroupId and its one use case (#16093) 2023-02-08 14:57:09 -06:00
testdata
api_hook.go Task API via Unix Domain Socket (#15864) 2023-02-06 11:31:22 -08:00
api_hook_test.go Task API via Unix Domain Socket (#15864) 2023-02-06 11:31:22 -08:00
artifact_hook.go client: sandbox go-getter subprocess with landlock (#15328) 2022-12-07 16:02:25 -06:00
artifact_hook_test.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
connect_native_hook.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
connect_native_hook_test.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
device_hook.go
device_hook_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
dispatch_hook.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
dispatch_hook_test.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
driver_handle.go client: enforce max_kill_timeout client configuration 2022-07-06 15:29:38 -05:00
envoy_bootstrap_hook.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
envoy_bootstrap_hook_test.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
envoy_version_hook.go build: run gofmt on all go source files 2022-08-16 11:14:11 -05:00
envoy_version_hook_test.go cleanup: purge github.com/pkg/errors 2022-04-01 19:24:02 -05:00
errors.go
errors_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
identity_hook.go Add option to expose workload token to task (#15755) 2023-02-02 10:59:14 -08:00
identity_hook_test.go Add option to expose workload token to task (#15755) 2023-02-02 10:59:14 -08:00
lazy_handle.go
lifecycle.go Task lifecycle restart (#14127) 2022-08-24 17:43:07 -04:00
logmon_hook.go
logmon_hook_test.go cleanup more helper updates (#14638) 2022-09-21 14:53:25 -05:00
logmon_hook_unix_test.go test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
plugin_supervisor_hook.go build: run gofmt on all go source files 2022-08-16 11:14:11 -05:00
remotetask_hook.go build: run gofmt on all go source files 2022-08-16 11:14:11 -05:00
script_check_hook.go
script_check_hook_test.go services: ensure task group is set on service hook (#16240) 2023-02-22 10:22:48 -06:00
service_hook.go services: ensure task group is set on service hook (#16240) 2023-02-22 10:22:48 -06:00
service_hook_test.go Add Namespace, Job and Group to envoy stats (#14311) 2022-09-22 10:38:21 -04:00
sids_hook.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
sids_hook_test.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
stats_hook.go
stats_hook_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
task_dir_hook.go
task_runner.go client: don't emit task shutdown delay event if not waiting (#16281) 2023-03-03 18:22:06 -05:00
task_runner_getters.go Add option to expose workload token to task (#15755) 2023-02-02 10:59:14 -08:00
task_runner_hooks.go populate Nomad token for task runner update hooks (#16266) 2023-02-27 10:48:13 -05:00
task_runner_test.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
tasklet.go
tasklet_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
template_hook.go template: restore driver handle on update (#15915) 2023-01-27 10:55:59 -05:00
validate_hook.go
validate_hook_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
vault_hook.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
vault_hook_test.go
volume_hook.go volume: Add the missing option propagation_mode (#15626) 2023-01-30 09:32:07 -05:00
volume_hook_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00