open-nomad/command/agent/host/host.go
Michael Schurter 4ad0c258b9 client: add NOMAD_LICENSE to default env deny list
By default we should not expose the NOMAD_LICENSE environment variable
to tasks.

Also refactor where the DefaultEnvDenyList lives so we don't have to
maintain 2 copies of it. Since client/config is the most obvious
location, keep a reference there to its unfortunate home buried deep
in command/agent/host. Since the agent uses this list as well for the
/agent/host endpoint the list must be accessible from both command/agent
and client.
2021-09-21 13:51:17 -07:00

129 lines
2.5 KiB
Go

package host
import (
"io/ioutil"
"os"
"strings"
)
type HostData struct {
OS string
Network []map[string]string
ResolvConf string
Hosts string
Environment map[string]string
Disk map[string]DiskUsage
}
type DiskUsage struct {
DiskMB int64
UsedMB int64
}
func MakeHostData() (*HostData, error) {
du := make(map[string]DiskUsage)
for _, path := range mountedPaths() {
u, err := diskUsage(path)
if err != nil {
continue
}
du[path] = u
}
return &HostData{
OS: uname(),
Network: network(),
ResolvConf: resolvConf(),
Hosts: etcHosts(),
Environment: environment(),
Disk: du,
}, nil
}
// diskUsage calculates the DiskUsage
func diskUsage(path string) (du DiskUsage, err error) {
s, err := makeDf(path)
if err != nil {
return du, err
}
disk := float64(s.total())
// Bavail is blocks available to unprivileged users, Bfree includes reserved blocks
free := float64(s.available())
used := disk - free
mb := float64(1048576)
disk = disk / mb
used = used / mb
du.DiskMB = int64(disk)
du.UsedMB = int64(used)
return du, nil
}
var (
envRedactSet = makeEnvRedactSet()
)
// environment returns the process environment in a map
func environment() map[string]string {
env := make(map[string]string)
for _, e := range os.Environ() {
s := strings.SplitN(e, "=", 2)
k := s[0]
up := strings.ToUpper(k)
v := s[1]
_, redact := envRedactSet[k]
if redact ||
strings.Contains(up, "TOKEN") ||
strings.Contains(up, "SECRET") {
v = "<redacted>"
}
env[k] = v
}
return env
}
// DefaultEnvDenyList is the default set of environment variables that are
// filtered when passing the environment variables of the host to the task.
//
// Update https://www.nomadproject.io/docs/configuration/client#env-denylist
// whenever this is changed.
var DefaultEnvDenyList = []string{
"CONSUL_TOKEN",
"CONSUL_HTTP_TOKEN",
"VAULT_TOKEN",
"NOMAD_LICENSE",
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
"GOOGLE_APPLICATION_CREDENTIALS",
}
// makeEnvRedactSet creates a set of well known environment variables that should be
// redacted in the output
func makeEnvRedactSet() map[string]struct{} {
set := make(map[string]struct{})
for _, e := range DefaultEnvDenyList {
set[e] = struct{}{}
}
return set
}
// slurp returns the file contents as a string, returning an error string
func slurp(path string) string {
fh, err := os.Open(path)
if err != nil {
return err.Error()
}
bs, err := ioutil.ReadAll(fh)
if err != nil {
return err.Error()
}
return string(bs)
}