open-nomad/command
Michael Schurter c82b14b0c4 core: add limits to unauthorized connections
Introduce limits to prevent unauthorized users from exhausting all
ephemeral ports on agents:

 * `{https,rpc}_handshake_timeout`
 * `{http,rpc}_max_conns_per_client`

The handshake timeout closes connections that have not completed the TLS
handshake by the deadline (5s by default). For RPC connections this
timeout also separately applies to the first byte being read so RPC
connections with TLS enabled have `rpc_handshake_time * 2` as their
deadline.

The connection limit per client prevents a single remote TCP peer from
exhausting all ephemeral ports. The default is 100, but can be lowered
to a minimum of 26. Since streaming RPC connections create a new TCP
connection (until MultiplexV2 is used), 20 connections are reserved for
Raft and non-streaming RPCs to prevent connection exhaustion due to
streaming RPCs.

All limits are configurable and may be disabled by setting them to `0`.

This also includes a fix that closes connections that attempt to create
TLS RPC connections recursively. While only users with valid mTLS
certificates could perform such an operation, it was added as a
safeguard to prevent programming errors before they could cause resource
exhaustion.
2020-01-30 10:38:25 -08:00
agent core: add limits to unauthorized connections 2020-01-30 10:38:25 -08:00
assets hclfmt nomad jobspecs (#6724) 2019-11-19 10:36:41 -05:00
test-resources Refactor spawn-daemon so it can be used by all OSes and make it write exit code to a file 2015-10-28 16:23:33 -07:00
acl.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
acl_bootstrap.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
acl_bootstrap_test.go spelling: bootstrap 2018-03-11 17:43:19 +00:00
acl_policy.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
acl_policy_apply.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
acl_policy_apply_test.go Rename TestAgent.Token to TestAgent.RootToken 2017-10-06 14:35:14 -07:00
acl_policy_delete.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
acl_policy_delete_test.go Rename TestAgent.Token to TestAgent.RootToken 2017-10-06 14:35:14 -07:00
acl_policy_info.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
acl_policy_info_test.go Change test to use valid HCL for rules 2019-08-29 16:09:02 -05:00
acl_policy_list.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
acl_policy_list_test.go List does json/template 2017-10-13 16:37:33 -07:00
acl_token.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
acl_token_create.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
acl_token_create_test.go Rename TestAgent.Token to TestAgent.RootToken 2017-10-06 14:35:14 -07:00
acl_token_delete.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
acl_token_delete_test.go Rename TestAgent.Token to TestAgent.RootToken 2017-10-06 14:35:14 -07:00
acl_token_info.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
acl_token_info_test.go Rename TestAgent.Token to TestAgent.RootToken 2017-10-06 14:35:14 -07:00
acl_token_list.go cli: add acl token list command, documentation 2019-04-12 15:48:36 +00:00
acl_token_list_test.go cli: add acl token list command, documentation 2019-04-12 15:48:36 +00:00
acl_token_self.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
acl_token_self_test.go policy list and token self commands 2017-10-13 16:31:46 -07:00
acl_token_update.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
acl_token_update_test.go Rename TestAgent.Token to TestAgent.RootToken 2017-10-06 14:35:14 -07:00
agent_info.go Add autocomplete where missing 2018-05-11 18:05:43 -04:00
agent_info_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
agent_monitor.go Typo fix 2020-01-08 10:44:00 -05:00
agent_monitor_test.go command: error when no node is found for monitor 2019-12-10 13:10:47 +01:00
alloc.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
alloc_exec.go CLI: Remove duplicated error output (#6738) 2019-11-19 16:05:53 -06:00
alloc_exec_test.go Fix typos and comments 2019-05-16 17:06:03 -04:00
alloc_exec_unix.go add CLI commands for nomad exec 2019-05-12 22:04:50 -04:00
alloc_exec_windows.go add CLI commands for nomad exec 2019-05-12 22:04:50 -04:00
alloc_fs.go Infer content type in alloc fs stat endpoint 2019-06-28 20:31:28 -05:00
alloc_fs_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
alloc_logs.go CLI: Remove duplicated error output (#6738) 2019-11-19 16:05:53 -06:00
alloc_logs_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
alloc_restart.go add CLI commands for nomad exec 2019-05-12 22:04:50 -04:00
alloc_restart_test.go allocs: Add nomad alloc restart 2019-04-11 14:25:49 +02:00
alloc_signal.go alloc_signal: Add autcompletion and cmd tests 2019-04-26 12:47:53 +02:00
alloc_signal_test.go alloc_signal: Add autcompletion and cmd tests 2019-04-26 12:47:53 +02:00
alloc_status.go CLI: protect against AllocatedResources being nil 2020-01-08 17:22:05 -05:00
alloc_status_test.go Prevent nomad alloc status output inconsistency 2019-11-01 14:01:32 -04:00
alloc_stop.go allocs: Add nomad alloc stop 2019-04-23 12:50:23 +02:00
alloc_stop_test.go allocs: Add nomad alloc stop 2019-04-23 12:50:23 +02:00
check.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
check_test.go Parallel 2017-07-20 21:24:21 -07:00
commands.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
data_format.go Formatting abilities 2017-07-07 12:07:07 -07:00
data_format_test.go Parallel 2017-07-20 21:24:21 -07:00
deployment.go Fixed typo in deployment help text 2018-05-24 12:44:21 -04:00
deployment_fail.go Fix output of 'nomad deployment fail' with no arg 2018-12-13 13:22:17 -05:00
deployment_fail_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
deployment_list.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
deployment_list_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
deployment_pause.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
deployment_pause_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
deployment_promote.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
deployment_promote_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
deployment_resume.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
deployment_resume_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
deployment_status.go CLI 2018-05-07 14:50:01 -05:00
deployment_status_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
eval.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
eval_status.go add create and modify timestamps to evaluations (#5881) 2019-08-07 09:50:35 -07:00
eval_status_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
helper_devices.go device attributes in nomad node status -verbose 2018-12-10 12:18:24 -05:00
helper_devices_test.go fixup! device attributes in nomad node status -verbose 2018-12-12 09:17:31 -05:00
helpers.go cli: sequence cli.Ui operations 2019-12-16 10:08:17 -05:00
helpers_test.go cli: sequence cli.Ui operations 2019-12-16 10:08:17 -05:00
integration_test.go tests: stop integration tests tasks explicitly 2018-12-04 11:50:59 -05:00
job.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
job_deployments.go fixed incorrect CLI documentation in job deployments 2019-09-20 12:24:53 -05:00
job_deployments_test.go Fix test setup to have correct jobcreateindex for deployments 2019-05-13 18:53:47 -05:00
job_dispatch.go command: fix job dispatch arg check 2018-04-18 21:21:43 -04:00
job_dispatch_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
job_eval.go remove extra return 2018-05-21 18:00:14 -05:00
job_eval_test.go unit test for job eval should detach 2018-05-10 15:30:44 -05:00
job_history.go spelling fix 2018-08-14 14:06:04 -04:00
job_history_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
job_init.bindata_assetfs.go remove network stanza from job init --short example jobspec (#6179) 2019-08-27 07:36:32 -07:00
job_init.go cli: Allow user to specify dest filename for nomad init (#6520) 2019-12-19 14:59:12 -05:00
job_init_test.go cli: Allow user to specify dest filename for nomad init (#6520) 2019-12-19 14:59:12 -05:00
job_inspect.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
job_inspect_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
job_periodic.go gofmt/goimport and test formatting 2019-04-12 20:55:55 +00:00
job_periodic_force.go gofmt/goimport and test formatting 2019-04-12 20:55:55 +00:00
job_periodic_force_test.go gofmt/goimport and test formatting 2019-04-12 20:55:55 +00:00
job_plan.go review feedback 2018-11-08 09:48:43 -06:00
job_plan_test.go Fix vet error 2018-11-08 09:48:43 -06:00
job_promote.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
job_promote_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
job_revert.go "job revert" command: alphabetized flags 2019-04-10 10:34:10 -05:00
job_revert_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
job_run.go Fix command line 2018-04-26 15:46:22 -07:00
job_run_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
job_status.go cli: include namespace in output when querying job stauts. (#6912) 2020-01-08 08:24:03 -05:00
job_status_test.go Remove redundant assertion and replace regex matches with require 2019-04-10 10:34:10 -05:00
job_stop.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
job_stop_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
job_validate.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
job_validate_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
meta.go cli: sequence cli.Ui operations 2019-12-16 10:08:17 -05:00
meta_test.go command: add -tls-server-name flag 2019-09-24 09:20:41 -07:00
monitor.go Prevent nomad alloc status output inconsistency 2019-11-01 14:01:32 -04:00
monitor_test.go spelling: triggered 2018-03-11 19:06:15 +00:00
namespace.go fix 'nomad namespace apply' help 2019-09-09 10:04:41 -07:00
namespace_apply.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
namespace_apply_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
namespace_delete.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
namespace_delete_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
namespace_inspect.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
namespace_inspect_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
namespace_list.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
namespace_list_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
namespace_status.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
namespace_status_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
node.go Fix typo in nomad node help text 2018-06-14 15:48:01 +02:00
node_config.go typo: "atleast" -> "at least" 2019-05-13 10:01:19 -04:00
node_config_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
node_drain.go Fix typo, Ethier -> Either 2020-01-02 14:42:27 -08:00
node_drain_test.go fix broken test expectation from message change (#6635) 2019-11-06 16:33:13 -05:00
node_eligibility.go Fix typo, Ethier -> Either 2020-01-02 14:42:27 -08:00
node_eligibility_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
node_status.go cli: show full id for single node or alloc status 2019-10-04 16:36:18 -04:00
node_status_test.go cli: show full id for single node or alloc status 2019-10-04 16:36:18 -04:00
operator.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_autopilot.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_autopilot_get.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_autopilot_get_test.go Add autopilot functionality based on Consul's autopilot 2017-12-18 14:29:41 -08:00
operator_autopilot_set.go Fix autopilot set enable custom upgrades flag 2018-09-25 13:49:35 -07:00
operator_autopilot_set_test.go Fix autopilot set enable custom upgrades flag 2018-09-25 13:49:35 -07:00
operator_autopilot_test.go Add autopilot functionality based on Consul's autopilot 2017-12-18 14:29:41 -08:00
operator_keygen.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_keygen_test.go rename files 2018-03-21 20:27:32 -07:00
operator_keyring.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_raft.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_raft_list.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_raft_list_test.go Parallel 2017-07-20 21:24:21 -07:00
operator_raft_remove.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
operator_raft_remove_test.go Add raft remove by id endpoint/command 2018-01-16 13:35:32 -08:00
operator_raft_test.go Parallel 2017-07-20 21:24:21 -07:00
operator_test.go Parallel 2017-07-20 21:24:21 -07:00
quota.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
quota_apply.go quota: parse network stanza in quotas (#6511) 2019-10-24 10:41:54 -04:00
quota_apply_test.go test: quota: relax multierror message matching to Contains 2019-12-17 13:20:14 -05:00
quota_delete.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
quota_delete_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
quota_init.go command: quota init writes files with a network limit 2019-11-20 17:59:55 -06:00
quota_init_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
quota_inspect.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
quota_inspect_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
quota_list.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
quota_list_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
quota_status.go command: quota status reports network usage 2019-11-20 17:59:34 -06:00
quota_status_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
sentinel.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
sentinel_apply.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
sentinel_apply_test.go sync 2017-09-19 10:08:23 -05:00
sentinel_delete.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
sentinel_delete_test.go sync 2017-09-19 10:08:23 -05:00
sentinel_list.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
sentinel_list_test.go sync 2017-09-19 10:08:23 -05:00
sentinel_read.go command: use ':' instead of ',' in error msg 2018-04-18 13:55:51 -04:00
sentinel_read_test.go sync 2017-09-19 10:08:23 -05:00
server.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
server_force_leave.go Add autocomplete where missing 2018-05-11 18:05:43 -04:00
server_force_leave_test.go Parallel 2017-07-20 21:24:21 -07:00
server_join.go Add autocomplete where missing 2018-05-11 18:05:43 -04:00
server_join_test.go Parallel 2017-07-20 21:24:21 -07:00
server_members.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
server_members_test.go command: update tests to check for new error message 2018-04-18 13:51:17 -04:00
status.go status: Allow passing -verbose to meta status 2019-04-11 13:15:44 +02:00
status_test.go Status honors exact match and displays matches when more than one is available 2017-08-29 08:42:09 -07:00
system.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
system_gc.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
system_gc_test.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
system_reconcile.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
system_reconcile_summaries.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
system_reconcile_summaries_test.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
system_reconcile_test.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
system_test.go cli: add system command and subcmds to interact with system API. 2020-01-13 11:34:46 +01:00
ui.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
util_test.go backfill region from job hcl in jobUpdate and jobPlan endpoints 2019-06-13 08:03:16 -07:00
version.go command: improve help text when invalid arguments are given 2018-04-18 12:02:11 -04:00
version_test.go Parallel 2017-07-20 21:24:21 -07:00