open-nomad/website/content/docs
Seth Hoenig ff4503aac6
client: disable running artifact downloader as nobody (#16375)
* client: disable running artifact downloader as nobody

This PR reverts a change from Nomad 1.5 where artifact downloads were
executed as the nobody user on Linux systems. This was done as an attempt
to improve the security model of artifact downloading where third-party
tools such as git or mercurial would be run as the root user with all
the security implications thereof.

However, doing so conflicts with Nomad's own advice for securing the
Client data directory - which when set up with the recommended directory
permissions structure prevents artifact downloads from working as intended.

Artifact downloads are at least still now executed as a child process of
the Nomad agent, and on modern Linux systems make use of the kernel Landlock
feature for limiting filesystem access of the child process.

* docs: update upgrade guide for 1.5.1 sandboxing

* docs: add cl

* docs: add title to upgrade guide fix
2023-03-08 15:58:43 -06:00
commands build/cli: Add BuildDate (#16216) 2023-02-27 11:27:40 -06:00
concepts docs: note that secrets dir is usually mounted noexec (#16363) 2023-03-07 11:57:15 -05:00
configuration Allow configurable range of Job priorities (#16084) 2023-02-17 09:23:13 -05:00
devices feat(website): extract /plugins /tools docs (#11584) 2021-12-09 14:25:18 -05:00
drivers docs: remove cores/memory beta label, update driver cpu docs (#16175) 2023-02-14 14:43:07 -06:00
enterprise docs: Migrate link formats (#15779) 2023-01-25 09:31:14 -08:00
install docs: add more warnings about running agent as root on Linux (#15926) 2023-01-27 15:22:18 -05:00
integrations docs: how to troubleshoot consul connect envoy (#15908) 2023-02-02 14:20:26 -06:00
job-specification docs: note that secrets dir is usually mounted noexec (#16363) 2023-03-07 11:57:15 -05:00
networking docs: update default Nomad bridge config (#16072) 2023-02-07 09:47:41 -05:00
nomad-vs-kubernetes docs: Migrate link formats (#15779) 2023-01-25 09:31:14 -08:00
operations renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
other-specifications docs: add variable specification docs (#16165) 2023-02-13 14:06:56 -08:00
runtime docs: note that secrets dir is usually mounted noexec (#16363) 2023-03-07 11:57:15 -05:00
upgrade client: disable running artifact downloader as nobody (#16375) 2023-03-08 15:58:43 -06:00
ecosystem.mdx docs: Migrate link formats (#15779) 2023-01-25 09:31:14 -08:00
faq.mdx docs: Migrate link formats (#15779) 2023-01-25 09:31:14 -08:00
index.mdx docs: Migrate link formats (#15779) 2023-01-25 09:31:14 -08:00
partnerships.mdx docs: Migrate link formats (#15779) 2023-01-25 09:31:14 -08:00
schedulers.mdx docs: clarify sysbatch supports count (#16205) 2023-02-17 10:51:38 -08:00
who-uses-nomad.mdx Lob.com uses Nomad too! (#13295) 2022-06-21 09:10:08 -04:00