ff4503aac6
* client: disable running artifact downloader as nobody This PR reverts a change from Nomad 1.5 where artifact downloads were executed as the nobody user on Linux systems. This was done as an attempt to improve the security model of artifact downloading where third party tools such as git or mercurial would be run as the root user with all the security implications thereof. However, doing so conflicts with Nomad's own advice for securing the Client data directory - which when setup with the recommended directory permissions structure prevents artifact downloads from working as intended. Artifact downloads are at least still now executed as a child process of the Nomad agent, and on modern Linux systems make use of the kernel Landlock feature for limiting filesystem access of the child process. * docs: update upgrade guide for 1.5.1 sandboxing * docs: add cl * docs: add title to upgrade guide fix |
||
---|---|---|
.. | ||
error.go | ||
error_test.go | ||
params.go | ||
params_test.go | ||
replacer_test.go | ||
sandbox.go | ||
sandbox_test.go | ||
testing.go | ||
util.go | ||
util_default.go | ||
util_linux.go | ||
util_linux_test.go | ||
util_test.go | ||
util_windows.go | ||
z_getter_cmd.go |