open-nomad/client/allocrunner
Seth Hoenig ff4503aac6
client: disable running artifact downloader as nobody (#16375)
* client: disable running artifact downloader as nobody

This PR reverts a change from Nomad 1.5 where artifact downloads were
executed as the nobody user on Linux systems. This was done as an attempt
to improve the security model of artifact downloading where third party
tools such as git or mercurial would be run as the root user with all
the security implications thereof.

However, doing so conflicts with Nomad's own advice for securing the
Client data directory, which, when set up with the recommended directory
permissions structure, prevents artifact downloads from working as intended.

Artifact downloads are at least still now executed as a child process of
the Nomad agent, and on modern Linux systems make use of the kernel Landlock
feature for limiting filesystem access of the child process.

* docs: update upgrade guide for 1.5.1 sandboxing

* docs: add cl

* docs: add title to upgrade guide fix
2023-03-08 15:58:43 -06:00
interfaces Task API via Unix Domain Socket (#15864) 2023-02-06 11:31:22 -08:00
state
tasklifecycle test: remove flaky Gate test (#14575) 2022-09-19 11:31:03 -04:00
taskrunner client: disable running artifact downloader as nobody (#16375) 2023-03-08 15:58:43 -06:00
alloc_runner.go client: always run alloc cleanup hooks on final update (#15855) 2023-01-27 09:59:31 -06:00
alloc_runner_hooks.go client: always run alloc cleanup hooks on final update (#15855) 2023-01-27 09:59:31 -06:00
alloc_runner_test.go deps: Update ioutil deprecated library references to os and io respectively in the client package (#16318) 2023-03-08 13:25:10 -06:00
alloc_runner_unix_test.go client: always run alloc cleanup hooks on final update (#15855) 2023-01-27 09:59:31 -06:00
allocdir_hook.go
cgroup_hook.go
checks_hook.go client: updates from pr feedback 2022-07-21 09:54:27 -05:00
checks_hook_test.go client: add support for checks in nomad services 2022-07-12 17:09:50 -05:00
config.go client: add support for checks in nomad services 2022-07-12 17:09:50 -05:00
consul_grpc_sock_hook.go renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
consul_grpc_sock_hook_test.go client: accommodate Consul 1.14.0 gRPC and agent self changes. (#15309) 2022-11-21 09:19:09 -06:00
consul_http_sock_hook.go
consul_http_sock_hook_test.go
csi_hook.go
csi_hook_test.go cleanup: replace TypeToPtr helper methods with pointer.Of (#14151) 2022-08-17 18:26:34 +02:00
group_service_hook.go nsd: block on removal of services (#15862) 2023-01-26 08:17:57 -06:00
group_service_hook_test.go cleanup: replace TypeToPtr helper methods with pointer.Of (#14151) 2022-08-17 18:26:34 +02:00
health_hook.go client: add support for checks in nomad services 2022-07-12 17:09:50 -05:00
health_hook_test.go client: add support for checks in nomad services 2022-07-12 17:09:50 -05:00
migrate_hook.go
network_hook.go
network_hook_test.go
network_manager_linux.go client: Add option to enable hairpinMode on Nomad bridge (#15961) 2023-02-02 10:12:15 -05:00
network_manager_linux_test.go
network_manager_nonlinux.go
networking.go
networking_bridge_linux.go docs: update default Nomad bridge config (#16072) 2023-02-07 09:47:41 -05:00
networking_bridge_linux_test.go client: Add option to enable hairpinMode on Nomad bridge (#15961) 2023-02-02 10:12:15 -05:00
networking_cni.go client: manually cleanup leaked iptables rules (#15407) 2022-11-28 11:32:16 -06:00
networking_cni_test.go client: manually cleanup leaked iptables rules (#15407) 2022-11-28 11:32:16 -06:00
testing.go client: sandbox go-getter subprocess with landlock (#15328) 2022-12-07 16:02:25 -06:00
upstream_allocs_hook.go