luxolus/open-nomad
2
0
Fork 0
Code Issues 1 Pull requests Packages Releases Wiki Activity
open-nomad/client/interfaces/client.go
Michael Schurter 2965dc6a1a
artifact: fix numerous go-getter security issues 
Fix numerous go-getter security issues:

- Add timeouts to http, git, and hg operations to prevent DoS
- Add size limit to http to prevent resource exhaustion
- Disable following symlinks in both artifacts and `job run`
- Stop performing initial HEAD request to avoid file corruption on
  retries and DoS opportunities.

**Approach**

Since Nomad has no ability to differentiate a DoS-via-large-artifact vs
a legitimate workload, all of the new limits are configurable at the
client agent level.

The max size of HTTP downloads is also exposed as a node attribute so
that if some workloads have large artifacts they can specify a high
limit in their jobspecs.

In the future all of this plumbing could be extended to enable/disable
specific getters or artifact downloading entirely on a per-node basis.
2022-05-24 16:29:39 -04:00

39 lines
1.2 KiB
Go
Raw Blame History

package interfaces
import (
"github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/plugins/device"
)
type Client interface {
AllocStateHandler
}
// AllocStateHandler exposes a handler to be called when an allocation's state changes
type AllocStateHandler interface {
// AllocStateUpdated is used to emit an updated allocation. This allocation
// is stripped to only include client settable fields.
AllocStateUpdated(alloc *structs.Allocation)
// PutAllocation is used to persist an updated allocation in the local state store.
PutAllocation(*structs.Allocation) error
}
// DeviceStatsReporter gives access to the latest resource usage
// for devices
type DeviceStatsReporter interface {
LatestDeviceResourceStats([]*structs.AllocatedDeviceResource) []*device.DeviceGroupStats
}
// EnvReplacer is an interface which can interpolate environment variables and
// is usually satisfied by taskenv.TaskEnv.
type EnvReplacer interface {
ReplaceEnv(string) string
ClientPath(string, bool) (string, bool)
}
// ArtifactGetter is an interface satisfied by the helper/getter package.
type ArtifactGetter interface {
GetArtifact(taskEnv EnvReplacer, artifact *structs.TaskArtifact) error
}
Reference in a new issue View git blame Copy permalink