drivers/raw_exec: restore ability to run tasks without nomad running as root (#18206)

Although nomad officially does not support running the client as a non-root
user, doing so has been more or less possible with the raw_exec driver as
long as you don't expect features to work like networking or running tasks
as specific users. In the cgroups refactoring I bulldozed right over the
special casing we had in place for raw_exec to continue working if the cgroups
were unable to be created. This PR restores that behavior - you can now
(as before) run the nomad client as a non-root user and make use of the
raw_exec task driver.
shoenig authored Aug 15, 2023
1 parent 0e22fc1 commit 6747ef8
Showing 3 changed files with 8 additions and 5 deletions.
6 changes: 4 additions & 2 deletions client/lib/proclib/wrangler.go
Expand Up @@ -43,8 +43,10 @@ func (w *Wranglers) Setup(task Task) error {
// create process wrangler for task
pw := w.create(task)

// perform any initialization if necessary
pw.Initialize()
// perform any initialization if necessary (e.g. create cgroup)
// if this doesn't work just keep going; it's up to each task driver
// implementation to decide if this is a failure mode
_ = pw.Initialize()

w.lock.Lock()
defer w.lock.Unlock()
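
Review bot: `_ = pw.Initialize()` in Setup drops the error without logging it, so the new comment's statement that each task driver decides whether this is a failure mode only holds if the driver can learn about the failure some other way. Setup already returns an error; consider at least logging the failure here, or recording it on the wrangler, so a driver that depends on the cgroup for isolation can refuse to start the task instead of running it uncontained.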
4 changes: 2 additions & 2 deletions drivers/shared/executor/executor.go
Expand Up @@ -315,8 +315,8 @@ func (e *UniversalExecutor) Launch(command *ExecCommand) (*ProcessState, error)

// setup containment (i.e. cgroups on linux)
if cleanup, err := e.configureResourceContainer(command, os.Getpid()); err != nil {
e.logger.Error("failed to configure resource container", "error", err)
return nil, err
// keep going; some folks run nomad as non-root and expect this driver to still work
e.logger.Warn("failed to configure container, process isolation will not work", "error", err)
} else {
defer cleanup()
}
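
Review bot: in Launch, the error branch for configureResourceContainer now falls through, which makes a containment failure fail open for every caller of UniversalExecutor, not only the driver the comment's "this driver" refers to (the file lives under drivers/shared). Consider gating the fall-through on an explicit opt-in passed by the caller and keeping `return nil, err` as the default, so a task that expects cgroup containment never starts without it on a warning alone. The warning could also identify the task or command so operators can alert on it.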
3 changes: 2 additions & 1 deletion e2e/vaultcompat/vaultcompat_test.go
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/hashicorp/go-set"
"github.com/hashicorp/go-version"
nomadapi "github.com/hashicorp/nomad/api"
"github.com/hashicorp/nomad/helper/testlog"
"github.com/hashicorp/nomad/testutil"
vaultapi "github.com/hashicorp/vault/api"
"github.com/shoenig/test/must"
Expand Down Expand Up @@ -135,7 +136,7 @@ func startNomad(t *testing.T, vc *vaultapi.Client) (func(), *nomadapi.Client) {
c.Client = &testutil.ClientConfig{
Enabled: true,
}
c.LogLevel = "off"
c.LogLevel = testlog.HCLoggerTestLevel().String()
})
nc, err := nomadapi.NewClient(&nomadapi.Config{
Address: "http://" + ts.HTTPAddr,
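
Review bot: the switch from `c.LogLevel = "off"` to `testlog.HCLoggerTestLevel().String()` in startNomad is not mentioned in the commit message and is unrelated to the raw_exec fix. Please note it in the description or split it into its own change, and confirm the agent output at the selected test level is acceptable in CI logs.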