7936c1e33f
This complements the `env` parameter, so that the operator can author tasks that don't share their Vault token with the workload when using `image` filesystem isolation. As a result, more powerful tokens can be used in a job definition, allowing it to use template stanzas to issue all kinds of secrets (database secrets, Vault tokens with very specific policies, etc.), without sharing that issuing power with the task itself. This is accomplished by creating a directory called `private` within the task's working directory, which shares many properties of the `secrets` directory (tmpfs where possible, not accessible by `nomad alloc fs` or Nomad's web UI), but isn't mounted into/bound to the container. If the `disable_file` parameter is set to `false` (its default), the Vault token is also written to the NOMAD_SECRETS_DIR, so the default behavior is backwards compatible. Even if the operator never changes the default, they will still benefit from the improved behavior of Nomad never reading the token back in from that - potentially altered - location.
689 lines
20 KiB
Go
689 lines
20 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package allocdir
|
|
|
|
import (
|
|
"archive/tar"
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
hclog "github.com/hashicorp/go-hclog"
|
|
multierror "github.com/hashicorp/go-multierror"
|
|
cstructs "github.com/hashicorp/nomad/client/structs"
|
|
"github.com/hashicorp/nomad/helper/escapingfs"
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
|
"github.com/hpcloud/tail/watch"
|
|
tomb "gopkg.in/tomb.v1"
|
|
)
|
|
|
|
const (
|
|
// idUnsupported is what the uid/gid will be set to on platforms (eg
|
|
// Windows) that don't support integer ownership identifiers.
|
|
idUnsupported = -1
|
|
)
|
|
|
|
var (
|
|
// SnapshotErrorTime is the sentinel time that will be used on the
|
|
// error file written by Snapshot when it encounters as error.
|
|
SnapshotErrorTime = time.Date(2000, 0, 0, 0, 0, 0, 0, time.UTC)
|
|
|
|
// The name of the directory that is shared across tasks in a task group.
|
|
SharedAllocName = "alloc"
|
|
|
|
// Name of the directory where logs of Tasks are written
|
|
LogDirName = "logs"
|
|
|
|
// SharedDataDir is one of the shared allocation directories. It is
|
|
// included in snapshots.
|
|
SharedDataDir = "data"
|
|
|
|
// TmpDirName is the name of the temporary directory in each alloc and
|
|
// task.
|
|
TmpDirName = "tmp"
|
|
|
|
// The set of directories that exist inside each shared alloc directory.
|
|
SharedAllocDirs = []string{LogDirName, TmpDirName, SharedDataDir}
|
|
|
|
// The name of the directory that exists inside each task directory
|
|
// regardless of driver.
|
|
TaskLocal = "local"
|
|
|
|
// TaskSecrets is the name of the secret directory inside each task
|
|
// directory
|
|
TaskSecrets = "secrets"
|
|
|
|
// TaskPrivate is the name of the private directory inside each task
|
|
// directory
|
|
TaskPrivate = "private"
|
|
|
|
// TaskDirs is the set of directories created in each tasks directory.
|
|
TaskDirs = map[string]os.FileMode{TmpDirName: os.ModeSticky | 0777}
|
|
|
|
// AllocGRPCSocket is the path relative to the task dir root for the
|
|
// unix socket connected to Consul's gRPC endpoint.
|
|
AllocGRPCSocket = filepath.Join(SharedAllocName, TmpDirName, "consul_grpc.sock")
|
|
|
|
// AllocHTTPSocket is the path relative to the task dir root for the unix
|
|
// socket connected to Consul's HTTP endpoint.
|
|
AllocHTTPSocket = filepath.Join(SharedAllocName, TmpDirName, "consul_http.sock")
|
|
)
|
|
|
|
// AllocDir allows creating, destroying, and accessing an allocation's
|
|
// directory. All methods are safe for concurrent use.
|
|
type AllocDir struct {
|
|
// AllocDir is the directory used for storing any state
|
|
// of this allocation. It will be purged on alloc destroy.
|
|
AllocDir string
|
|
|
|
// The shared directory is available to all tasks within the same task
|
|
// group.
|
|
SharedDir string
|
|
|
|
// TaskDirs is a mapping of task names to their non-shared directory.
|
|
TaskDirs map[string]*TaskDir
|
|
|
|
// clientAllocDir is the client agent's root alloc directory. It must
|
|
// be excluded from chroots and is configured via client.alloc_dir.
|
|
clientAllocDir string
|
|
|
|
// built is true if Build has successfully run
|
|
built bool
|
|
|
|
mu sync.RWMutex
|
|
|
|
logger hclog.Logger
|
|
}
|
|
|
|
// AllocDirFS exposes file operations on the alloc dir
|
|
type AllocDirFS interface {
|
|
List(path string) ([]*cstructs.AllocFileInfo, error)
|
|
Stat(path string) (*cstructs.AllocFileInfo, error)
|
|
ReadAt(path string, offset int64) (io.ReadCloser, error)
|
|
Snapshot(w io.Writer) error
|
|
BlockUntilExists(ctx context.Context, path string) (chan error, error)
|
|
ChangeEvents(ctx context.Context, path string, curOffset int64) (*watch.FileChanges, error)
|
|
}
|
|
|
|
// NewAllocDir initializes the AllocDir struct with allocDir as base path for
|
|
// the allocation directory.
|
|
func NewAllocDir(logger hclog.Logger, clientAllocDir, allocID string) *AllocDir {
|
|
logger = logger.Named("alloc_dir")
|
|
allocDir := filepath.Join(clientAllocDir, allocID)
|
|
return &AllocDir{
|
|
clientAllocDir: clientAllocDir,
|
|
AllocDir: allocDir,
|
|
SharedDir: filepath.Join(allocDir, SharedAllocName),
|
|
TaskDirs: make(map[string]*TaskDir),
|
|
logger: logger,
|
|
}
|
|
}
|
|
|
|
// NewTaskDir creates a new TaskDir and adds it to the AllocDirs TaskDirs map.
|
|
func (d *AllocDir) NewTaskDir(name string) *TaskDir {
|
|
d.mu.Lock()
|
|
defer d.mu.Unlock()
|
|
|
|
td := newTaskDir(d.logger, d.clientAllocDir, d.AllocDir, name)
|
|
d.TaskDirs[name] = td
|
|
return td
|
|
}
|
|
|
|
// Snapshot creates an archive of the files and directories in the data dir of
|
|
// the allocation and the task local directories
|
|
//
|
|
// Since a valid tar may have been written even when an error occurs, a special
|
|
// file "NOMAD-${ALLOC_ID}-ERROR.log" will be appended to the tar with the
|
|
// error message as the contents.
|
|
func (d *AllocDir) Snapshot(w io.Writer) error {
|
|
d.mu.RLock()
|
|
defer d.mu.RUnlock()
|
|
|
|
allocDataDir := filepath.Join(d.SharedDir, SharedDataDir)
|
|
rootPaths := []string{allocDataDir}
|
|
for _, taskdir := range d.TaskDirs {
|
|
rootPaths = append(rootPaths, taskdir.LocalDir)
|
|
}
|
|
|
|
tw := tar.NewWriter(w)
|
|
defer tw.Close()
|
|
|
|
walkFn := func(path string, fileInfo os.FileInfo, err error) error {
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Include the path of the file name relative to the alloc dir
|
|
// so that we can put the files in the right directories
|
|
relPath, err := filepath.Rel(d.AllocDir, path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
link := ""
|
|
if fileInfo.Mode()&os.ModeSymlink != 0 {
|
|
target, err := os.Readlink(path)
|
|
if err != nil {
|
|
return fmt.Errorf("error reading symlink: %v", err)
|
|
}
|
|
link = target
|
|
}
|
|
hdr, err := tar.FileInfoHeader(fileInfo, link)
|
|
if err != nil {
|
|
return fmt.Errorf("error creating file header: %v", err)
|
|
}
|
|
hdr.Name = relPath
|
|
if err := tw.WriteHeader(hdr); err != nil {
|
|
return err
|
|
}
|
|
|
|
// If it's a directory or symlink we just write the header into the tar
|
|
if fileInfo.IsDir() || (fileInfo.Mode()&os.ModeSymlink != 0) {
|
|
return nil
|
|
}
|
|
|
|
// Write the file into the archive
|
|
file, err := os.Open(path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer file.Close()
|
|
|
|
if _, err := io.Copy(tw, file); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Walk through all the top level directories and add the files and
|
|
// directories in the archive
|
|
for _, path := range rootPaths {
|
|
if err := filepath.Walk(path, walkFn); err != nil {
|
|
allocID := filepath.Base(d.AllocDir)
|
|
if writeErr := writeError(tw, allocID, err); writeErr != nil {
|
|
// This could be bad; other side won't know
|
|
// snapshotting failed. It could also just mean
|
|
// the snapshotting side closed the connect
|
|
// prematurely and won't try to use the tar
|
|
// anyway.
|
|
d.logger.Warn("snapshotting failed and unable to write error marker", "error", writeErr)
|
|
}
|
|
return fmt.Errorf("failed to snapshot %s: %v", path, err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Move other alloc directory's shared path and local dir to this alloc dir.
|
|
func (d *AllocDir) Move(other *AllocDir, tasks []*structs.Task) error {
|
|
d.mu.RLock()
|
|
if !d.built {
|
|
// Enforce the invariant that Build is called before Move
|
|
d.mu.RUnlock()
|
|
return fmt.Errorf("unable to move to %q - alloc dir is not built", d.AllocDir)
|
|
}
|
|
|
|
// Moving is slow and only reads immutable fields, so unlock during heavy IO
|
|
d.mu.RUnlock()
|
|
|
|
// Move the data directory
|
|
otherDataDir := filepath.Join(other.SharedDir, SharedDataDir)
|
|
dataDir := filepath.Join(d.SharedDir, SharedDataDir)
|
|
if fileInfo, err := os.Stat(otherDataDir); fileInfo != nil && err == nil {
|
|
os.Remove(dataDir) // remove an empty data dir if it exists
|
|
if err := os.Rename(otherDataDir, dataDir); err != nil {
|
|
return fmt.Errorf("error moving data dir: %v", err)
|
|
}
|
|
}
|
|
|
|
// Move the task directories
|
|
for _, task := range tasks {
|
|
otherTaskDir := filepath.Join(other.AllocDir, task.Name)
|
|
otherTaskLocal := filepath.Join(otherTaskDir, TaskLocal)
|
|
|
|
fileInfo, err := os.Stat(otherTaskLocal)
|
|
if fileInfo != nil && err == nil {
|
|
// TaskDirs haven't been built yet, so create it
|
|
newTaskDir := filepath.Join(d.AllocDir, task.Name)
|
|
if err := os.MkdirAll(newTaskDir, 0777); err != nil {
|
|
return fmt.Errorf("error creating task %q dir: %v", task.Name, err)
|
|
}
|
|
localDir := filepath.Join(newTaskDir, TaskLocal)
|
|
os.Remove(localDir) // remove an empty local dir if it exists
|
|
if err := os.Rename(otherTaskLocal, localDir); err != nil {
|
|
return fmt.Errorf("error moving task %q local dir: %v", task.Name, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Destroy tears down previously build directory structure.
|
|
func (d *AllocDir) Destroy() error {
|
|
// Unmount all mounted shared alloc dirs.
|
|
var mErr multierror.Error
|
|
if err := d.UnmountAll(); err != nil {
|
|
mErr.Errors = append(mErr.Errors, err)
|
|
}
|
|
|
|
if err := os.RemoveAll(d.AllocDir); err != nil {
|
|
mErr.Errors = append(mErr.Errors, fmt.Errorf("failed to remove alloc dir %q: %v", d.AllocDir, err))
|
|
}
|
|
|
|
// Unset built since the alloc dir has been destroyed.
|
|
d.mu.Lock()
|
|
d.built = false
|
|
d.mu.Unlock()
|
|
return mErr.ErrorOrNil()
|
|
}
|
|
|
|
// UnmountAll linked/mounted directories in task dirs.
|
|
func (d *AllocDir) UnmountAll() error {
|
|
d.mu.RLock()
|
|
defer d.mu.RUnlock()
|
|
|
|
var mErr multierror.Error
|
|
for _, dir := range d.TaskDirs {
|
|
// Check if the directory has the shared alloc mounted.
|
|
if pathExists(dir.SharedTaskDir) {
|
|
if err := unlinkDir(dir.SharedTaskDir); err != nil {
|
|
mErr.Errors = append(mErr.Errors,
|
|
fmt.Errorf("failed to unmount shared alloc dir %q: %v", dir.SharedTaskDir, err))
|
|
} else if err := os.RemoveAll(dir.SharedTaskDir); err != nil {
|
|
mErr.Errors = append(mErr.Errors,
|
|
fmt.Errorf("failed to delete shared alloc dir %q: %v", dir.SharedTaskDir, err))
|
|
}
|
|
}
|
|
|
|
if pathExists(dir.SecretsDir) {
|
|
if err := removeSecretDir(dir.SecretsDir); err != nil {
|
|
mErr.Errors = append(mErr.Errors,
|
|
fmt.Errorf("failed to remove the secret dir %q: %v", dir.SecretsDir, err))
|
|
}
|
|
}
|
|
|
|
if pathExists(dir.PrivateDir) {
|
|
if err := removeSecretDir(dir.PrivateDir); err != nil {
|
|
mErr.Errors = append(mErr.Errors,
|
|
fmt.Errorf("failed to remove the private dir %q: %v", dir.PrivateDir, err))
|
|
}
|
|
}
|
|
|
|
// Unmount dev/ and proc/ have been mounted.
|
|
if err := dir.unmountSpecialDirs(); err != nil {
|
|
mErr.Errors = append(mErr.Errors, err)
|
|
}
|
|
}
|
|
|
|
return mErr.ErrorOrNil()
|
|
}
|
|
|
|
// Build the directory tree for an allocation.
|
|
func (d *AllocDir) Build() error {
|
|
// Make the alloc directory, owned by the nomad process.
|
|
if err := os.MkdirAll(d.AllocDir, 0755); err != nil {
|
|
return fmt.Errorf("Failed to make the alloc directory %v: %v", d.AllocDir, err)
|
|
}
|
|
|
|
// Make the shared directory and make it available to all user/groups.
|
|
if err := os.MkdirAll(d.SharedDir, 0777); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Make the shared directory have non-root permissions.
|
|
if err := dropDirPermissions(d.SharedDir, os.ModePerm); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Create shared subdirs
|
|
for _, dir := range SharedAllocDirs {
|
|
p := filepath.Join(d.SharedDir, dir)
|
|
if err := os.MkdirAll(p, 0777); err != nil {
|
|
return err
|
|
}
|
|
if err := dropDirPermissions(p, os.ModePerm); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Mark as built
|
|
d.mu.Lock()
|
|
d.built = true
|
|
d.mu.Unlock()
|
|
return nil
|
|
}
|
|
|
|
// List returns the list of files at a path relative to the alloc dir
|
|
func (d *AllocDir) List(path string) ([]*cstructs.AllocFileInfo, error) {
|
|
if escapes, err := escapingfs.PathEscapesAllocDir(d.AllocDir, "", path); err != nil {
|
|
return nil, fmt.Errorf("Failed to check if path escapes alloc directory: %v", err)
|
|
} else if escapes {
|
|
return nil, fmt.Errorf("Path escapes the alloc directory")
|
|
}
|
|
|
|
p := filepath.Join(d.AllocDir, path)
|
|
finfos, err := os.ReadDir(p)
|
|
if err != nil {
|
|
return []*cstructs.AllocFileInfo{}, err
|
|
}
|
|
files := make([]*cstructs.AllocFileInfo, len(finfos))
|
|
for idx, file := range finfos {
|
|
info, err := file.Info()
|
|
if err != nil {
|
|
return []*cstructs.AllocFileInfo{}, err
|
|
}
|
|
files[idx] = &cstructs.AllocFileInfo{
|
|
Name: info.Name(),
|
|
IsDir: info.IsDir(),
|
|
Size: info.Size(),
|
|
FileMode: info.Mode().String(),
|
|
ModTime: info.ModTime(),
|
|
}
|
|
}
|
|
return files, err
|
|
}
|
|
|
|
// Stat returns information about the file at a path relative to the alloc dir
|
|
func (d *AllocDir) Stat(path string) (*cstructs.AllocFileInfo, error) {
|
|
if escapes, err := escapingfs.PathEscapesAllocDir(d.AllocDir, "", path); err != nil {
|
|
return nil, fmt.Errorf("Failed to check if path escapes alloc directory: %v", err)
|
|
} else if escapes {
|
|
return nil, fmt.Errorf("Path escapes the alloc directory")
|
|
}
|
|
|
|
p := filepath.Join(d.AllocDir, path)
|
|
info, err := os.Stat(p)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
contentType := detectContentType(info, p)
|
|
|
|
return &cstructs.AllocFileInfo{
|
|
Size: info.Size(),
|
|
Name: info.Name(),
|
|
IsDir: info.IsDir(),
|
|
FileMode: info.Mode().String(),
|
|
ModTime: info.ModTime(),
|
|
ContentType: contentType,
|
|
}, nil
|
|
}
|
|
|
|
// detectContentType tries to infer the file type by reading the first
|
|
// 512 bytes of the file. Json file extensions are special cased.
|
|
func detectContentType(fileInfo os.FileInfo, path string) string {
|
|
contentType := "application/octet-stream"
|
|
if !fileInfo.IsDir() {
|
|
f, err := os.Open(path)
|
|
// Best effort content type detection
|
|
// We ignore errors because this is optional information
|
|
if err == nil {
|
|
fileBytes := make([]byte, 512)
|
|
n, err := f.Read(fileBytes)
|
|
if err == nil {
|
|
contentType = http.DetectContentType(fileBytes[:n])
|
|
}
|
|
f.Close()
|
|
}
|
|
}
|
|
// Special case json files
|
|
if strings.HasSuffix(path, ".json") {
|
|
contentType = "application/json"
|
|
}
|
|
return contentType
|
|
}
|
|
|
|
// ReadAt returns a reader for a file at the path relative to the alloc dir
|
|
func (d *AllocDir) ReadAt(path string, offset int64) (io.ReadCloser, error) {
|
|
if escapes, err := escapingfs.PathEscapesAllocDir(d.AllocDir, "", path); err != nil {
|
|
return nil, fmt.Errorf("Failed to check if path escapes alloc directory: %v", err)
|
|
} else if escapes {
|
|
return nil, fmt.Errorf("Path escapes the alloc directory")
|
|
}
|
|
|
|
p := filepath.Join(d.AllocDir, path)
|
|
|
|
// Check if it is trying to read into a secret directory
|
|
d.mu.RLock()
|
|
for _, dir := range d.TaskDirs {
|
|
if filepath.HasPrefix(p, dir.SecretsDir) {
|
|
d.mu.RUnlock()
|
|
return nil, fmt.Errorf("Reading secret file prohibited: %s", path)
|
|
}
|
|
if filepath.HasPrefix(p, dir.PrivateDir) {
|
|
d.mu.RUnlock()
|
|
return nil, fmt.Errorf("Reading private file prohibited: %s", path)
|
|
}
|
|
}
|
|
d.mu.RUnlock()
|
|
|
|
f, err := os.Open(p)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if _, err := f.Seek(offset, 0); err != nil {
|
|
return nil, fmt.Errorf("can't seek to offset %q: %v", offset, err)
|
|
}
|
|
return f, nil
|
|
}
|
|
|
|
// BlockUntilExists blocks until the passed file relative the allocation
|
|
// directory exists. The block can be cancelled with the passed context.
|
|
func (d *AllocDir) BlockUntilExists(ctx context.Context, path string) (chan error, error) {
|
|
if escapes, err := escapingfs.PathEscapesAllocDir(d.AllocDir, "", path); err != nil {
|
|
return nil, fmt.Errorf("Failed to check if path escapes alloc directory: %v", err)
|
|
} else if escapes {
|
|
return nil, fmt.Errorf("Path escapes the alloc directory")
|
|
}
|
|
|
|
// Get the path relative to the alloc directory
|
|
p := filepath.Join(d.AllocDir, path)
|
|
watcher := getFileWatcher(p)
|
|
returnCh := make(chan error, 1)
|
|
t := &tomb.Tomb{}
|
|
go func() {
|
|
<-ctx.Done()
|
|
t.Kill(nil)
|
|
}()
|
|
go func() {
|
|
returnCh <- watcher.BlockUntilExists(t)
|
|
close(returnCh)
|
|
}()
|
|
return returnCh, nil
|
|
}
|
|
|
|
// ChangeEvents watches for changes to the passed path relative to the
|
|
// allocation directory. The offset should be the last read offset. The context is
|
|
// used to clean up the watch.
|
|
func (d *AllocDir) ChangeEvents(ctx context.Context, path string, curOffset int64) (*watch.FileChanges, error) {
|
|
if escapes, err := escapingfs.PathEscapesAllocDir(d.AllocDir, "", path); err != nil {
|
|
return nil, fmt.Errorf("Failed to check if path escapes alloc directory: %v", err)
|
|
} else if escapes {
|
|
return nil, fmt.Errorf("Path escapes the alloc directory")
|
|
}
|
|
|
|
t := &tomb.Tomb{}
|
|
go func() {
|
|
<-ctx.Done()
|
|
t.Kill(nil)
|
|
}()
|
|
|
|
// Get the path relative to the alloc directory
|
|
p := filepath.Join(d.AllocDir, path)
|
|
watcher := getFileWatcher(p)
|
|
return watcher.ChangeEvents(t, curOffset)
|
|
}
|
|
|
|
// getFileWatcher returns a FileWatcher for the given path.
|
|
func getFileWatcher(path string) watch.FileWatcher {
|
|
return watch.NewPollingFileWatcher(path)
|
|
}
|
|
|
|
// fileCopy from src to dst setting the permissions and owner (if uid & gid are
|
|
// both greater than 0)
|
|
func fileCopy(src, dst string, uid, gid int, perm os.FileMode) error {
|
|
// Do a simple copy.
|
|
srcFile, err := os.Open(src)
|
|
if err != nil {
|
|
return fmt.Errorf("Couldn't open src file %v: %v", src, err)
|
|
}
|
|
defer srcFile.Close()
|
|
|
|
dstFile, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE, perm)
|
|
if err != nil {
|
|
return fmt.Errorf("Couldn't create destination file %v: %v", dst, err)
|
|
}
|
|
defer dstFile.Close()
|
|
|
|
if _, err := io.Copy(dstFile, srcFile); err != nil {
|
|
return fmt.Errorf("Couldn't copy %q to %q: %v", src, dst, err)
|
|
}
|
|
|
|
if uid != idUnsupported && gid != idUnsupported {
|
|
if err := dstFile.Chown(uid, gid); err != nil {
|
|
return fmt.Errorf("Couldn't copy %q to %q: %v", src, dst, err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// pathExists is a helper function to check if the path exists.
|
|
func pathExists(path string) bool {
|
|
if _, err := os.Stat(path); err != nil {
|
|
if os.IsNotExist(err) {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
// pathEmpty returns true if a path exists, is listable, and is empty. If the
|
|
// path does not exist or is not listable an error is returned.
|
|
func pathEmpty(path string) (bool, error) {
|
|
f, err := os.Open(path)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
defer f.Close()
|
|
entries, err := f.Readdir(1)
|
|
if err != nil && err != io.EOF {
|
|
return false, err
|
|
}
|
|
return len(entries) == 0, nil
|
|
}
|
|
|
|
// createDir creates a directory structure inside the basepath. This functions
|
|
// preserves the permissions of each of the subdirectories in the relative path
|
|
// by looking up the permissions in the host.
|
|
func createDir(basePath, relPath string) error {
|
|
filePerms, err := splitPath(relPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// We are going backwards since we create the root of the directory first
|
|
// and then create the entire nested structure.
|
|
for i := len(filePerms) - 1; i >= 0; i-- {
|
|
fi := filePerms[i]
|
|
destDir := filepath.Join(basePath, fi.Name)
|
|
if err := os.MkdirAll(destDir, fi.Perm); err != nil {
|
|
return err
|
|
}
|
|
|
|
if fi.Uid != idUnsupported && fi.Gid != idUnsupported {
|
|
if err := os.Chown(destDir, fi.Uid, fi.Gid); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// fileInfo holds the path and the permissions of a file
|
|
type fileInfo struct {
|
|
Name string
|
|
Perm os.FileMode
|
|
|
|
// Uid and Gid are unsupported on Windows
|
|
Uid int
|
|
Gid int
|
|
}
|
|
|
|
// splitPath stats each subdirectory of a path. The first element of the array
|
|
// is the file passed to this function, and the last element is the root of the
|
|
// path.
|
|
func splitPath(path string) ([]fileInfo, error) {
|
|
var mode os.FileMode
|
|
fi, err := os.Stat(path)
|
|
|
|
// If the path is not present in the host then we respond with the most
|
|
// flexible permission.
|
|
uid, gid := idUnsupported, idUnsupported
|
|
if err != nil {
|
|
mode = os.ModePerm
|
|
} else {
|
|
uid, gid = getOwner(fi)
|
|
mode = fi.Mode()
|
|
}
|
|
var dirs []fileInfo
|
|
dirs = append(dirs, fileInfo{Name: path, Perm: mode, Uid: uid, Gid: gid})
|
|
currentDir := path
|
|
for {
|
|
dir := filepath.Dir(filepath.Clean(currentDir))
|
|
if dir == currentDir {
|
|
break
|
|
}
|
|
|
|
// We try to find the permission of the file in the host. If the path is not
|
|
// present in the host then we respond with the most flexible permission.
|
|
uid, gid := idUnsupported, idUnsupported
|
|
fi, err := os.Stat(dir)
|
|
if err != nil {
|
|
mode = os.ModePerm
|
|
} else {
|
|
uid, gid = getOwner(fi)
|
|
mode = fi.Mode()
|
|
}
|
|
dirs = append(dirs, fileInfo{Name: dir, Perm: mode, Uid: uid, Gid: gid})
|
|
currentDir = dir
|
|
}
|
|
return dirs, nil
|
|
}
|
|
|
|
// SnapshotErrorFilename returns the filename which will exist if there was an
|
|
// error snapshotting a tar.
|
|
func SnapshotErrorFilename(allocID string) string {
|
|
return fmt.Sprintf("NOMAD-%s-ERROR.log", allocID)
|
|
}
|
|
|
|
// writeError writes a special file to a tar archive with the error encountered
|
|
// during snapshotting. See Snapshot().
|
|
func writeError(tw *tar.Writer, allocID string, err error) error {
|
|
contents := []byte(fmt.Sprintf("Error snapshotting: %v", err))
|
|
hdr := tar.Header{
|
|
Name: SnapshotErrorFilename(allocID),
|
|
Mode: 0666,
|
|
Size: int64(len(contents)),
|
|
AccessTime: SnapshotErrorTime,
|
|
ChangeTime: SnapshotErrorTime,
|
|
ModTime: SnapshotErrorTime,
|
|
Typeflag: tar.TypeReg,
|
|
}
|
|
|
|
if err := tw.WriteHeader(&hdr); err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = tw.Write(contents)
|
|
return err
|
|
}
|