open-nomad/command/agent/consul
Michael Schurter 10c3bad652 client: never embed alloc_dir in chroot
Fixes #2522

Skip embedding client.alloc_dir when building chroot. If a user
configures a Nomad client agent so that the chroot_env will embed the
client.alloc_dir, Nomad will happily infinitely recurse while building
the chroot until something horrible happens. The best case scenario is
the filesystem's path length limit is hit. The worst case scenario is
disk space is exhausted.

A bad agent configuration will look something like this:

```hcl
data_dir = "/tmp/nomad-badagent"

client {
  enabled = true

  chroot_env {
    # Note that the source matches the data_dir
    "/tmp/nomad-badagent" = "/ohno"
    # ...
  }
}
```

Note that `/ohno/client` (the state_dir) will still be created but not
`/ohno/alloc` (the alloc_dir).
While I cannot think of a good reason why someone would want to embed
Nomad's client (and possibly server) directories in chroots, there
should be no cause for harm. chroots are only built when Nomad runs as
root, and Nomad disables running exec jobs as root by default. Therefore
even if client state is copied into chroots, it will be inaccessible to
tasks.

Skipping the `data_dir` and `{client,server}.state_dir` is possible, but
this PR attempts to implement the minimum viable solution to reduce risk
of unintended side effects or bugs.

When running tests as root in a vm without the fix, the following error
occurs:

```
=== RUN   TestAllocDir_SkipAllocDir
    alloc_dir_test.go:520:
                Error Trace:    alloc_dir_test.go:520
                Error:          Received unexpected error:
                                Couldn't create destination file /tmp/TestAllocDir_SkipAllocDir1457747331/001/nomad/test/testtask/nomad/test/testtask/.../nomad/test/testtask/secrets/.nomad-mount: open /tmp/TestAllocDir_SkipAllocDir1457747331/001/nomad/test/.../testtask/secrets/.nomad-mount: file name too long
                Test:           TestAllocDir_SkipAllocDir
--- FAIL: TestAllocDir_SkipAllocDir (22.76s)
```

Also removed unused Copy methods on AllocDir and TaskDir structs.

Thanks to @eveld for not letting me forget about this!
2021-10-18 09:22:01 -07:00
..
acl_testing.go consul: move consul acl tests into ent files 2021-06-09 08:38:42 -05:00
catalog_testing.go consul: probe consul namespace feature before using namespace api 2021-06-07 12:19:25 -05:00
check_watcher.go consul: minor CR cleanup 2021-04-05 10:10:16 -06:00
check_watcher_test.go consul: probe consul namespace feature before using namespace api 2021-06-07 12:19:25 -05:00
config_entries_testing.go consul/connect: add initial support for ingress gateways 2020-08-21 16:21:54 -05:00
connect.go consul/connect: add support for connect mesh gateways 2021-06-04 08:24:49 -05:00
connect_proxies.go consul/connect: dynamically select envoy sidecar at runtime 2020-10-13 09:14:12 -05:00
connect_proxies_test.go gofmt all the files 2021-10-01 10:14:28 -04:00
connect_proxies_testing.go consul/connect: dynamically select envoy sidecar at runtime 2020-10-13 09:14:12 -05:00
connect_test.go consul/connect: add support for connect mesh gateways 2021-06-04 08:24:49 -05:00
group_test.go consul/connect: Avoid assumption of parent service when filtering connect proxies 2021-07-08 09:43:41 -05:00
int_test.go client: never embed alloc_dir in chroot 2021-10-18 09:22:01 -07:00
namespaces_client.go consul: pr cleanup namespace probe function signatures 2021-06-07 15:41:01 -05:00
namespaces_client_test.go consul: probe consul namespace feature before using namespace api 2021-06-07 12:19:25 -05:00
self.go consul: pr cleanup namespace probe function signatures 2021-06-07 15:41:01 -05:00
self_test.go consul: pr cleanup namespace probe function signatures 2021-06-07 15:41:01 -05:00
service_client.go fix panic when Connect mesh gateway doesn't have a proxy block (#11257) 2021-10-04 15:52:07 -04:00
service_client_test.go consul/connect: improve regex from CR suggestions 2021-07-08 13:05:05 -05:00
structs.go consul: plubming for specifying consul namespace in job/group 2021-04-05 10:03:19 -06:00
testing.go client: improve group service stanza interpolation and check_re… (#6586) 2019-11-18 13:04:01 -05:00
unit_test.go consul: probe consul namespace feature before using namespace api 2021-06-07 12:19:25 -05:00
version_checker.go agent + consul 2018-09-13 10:43:40 -07:00
version_checker_test.go Replace Consul TLSSkipVerify handling 2018-03-14 17:43:06 -07:00