Adds ability to restrict uid and gids in exec and raw_exec #20073
@mikenomitch looks like the linter is unhappy you should be able to run
This is looking pretty good @mikenomitch, but I've left some comments we should address.
Also:
- We need a changelog entry
- Note that the test-e2e-vault test failure isn't a flake, but appears to be a bug introduced by this PR:
Error: 2024-03-06T00:13:33.371Z [ERROR] client.alloc_runner.task_runner: running driver failed: alloc_id=ca431f74-e99e-8749-dc0e-62de3f1b96e9 task=cat error="failed driver config validation: failed to identify user "": user: unknown user "
55bcfa0 to 75bbbb9
drivers/rawexec/driver_unix.go
Outdated
|
||
func (d *Driver) Validate(cfg drivers.TaskConfig) error { | ||
usernameToLookup := cfg.User | ||
var user *user.User |
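Review bot: `usernameToLookup := cfg.User` at the top of Validate has no visible guard for an empty user, and the test-e2e-vault failure quoted earlier in this thread (failed to identify user "") is what a lookup of the empty string would produce. Handle the unset case explicitly before the lookup and decide what it means for the range check, so that a task without a user neither fails validation nor skips the uid/gid restriction.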
This variable collides with the imported package of the same name, could we change it?
ErrInvalidRange = errors.New("lower bound cannot be greater than upper bound") | ||
) | ||
|
||
type validator struct { |
Do we want to export this type considering it is used by other packages with exported functions?
what do you mean?
If validator.NewValidator returned an interface instead of a concrete type, we wouldn't want to / need to export this type. But I think I've been convinced by @Juanadelacuesta here #20073 (comment) that we can return the unexported concrete type from NewValidator and then the callers can use their own package-local version of the interface to reduce the scope of methods they care about.
(Sort of like what we do in lots of places in the client with the concrete TaskRunner and the many tiny one/two-function interfaces expected by hooks.)
Added some inline comments.
The semgrep CI check is also failing:
drivers/shared/validators/validators.go
semgrep.mpl_busl
BUSL package `github.com/hashicorp/nomad/client/lib/idset` imported in
MPL package
`validators`
14┆ "github.com/hashicorp/nomad/client/lib/idset"
⋮┆----------------------------------------
semgrep.mpl_busl
BUSL package `github.com/hashicorp/nomad/client/lib/numalib/hw`
imported in MPL package
`validators`
15┆ "github.com/hashicorp/nomad/client/lib/numalib/hw"
drivers/shared/validators/validators_default.go
semgrep.mpl_busl
BUSL package `github.com/hashicorp/nomad/client/lib/numalib/hw`
imported in MPL package
`validators`
11┆ "github.com/hashicorp/nomad/client/lib/numalib/hw"
drivers/shared/validators/validators_unix.go
semgrep.mpl_busl
BUSL package `github.com/hashicorp/nomad/client/lib/numalib/hw`
imported in MPL package
`validators`
13┆ "github.com/hashicorp/nomad/client/lib/numalib/hw"
BLOCKING CODE RULES FIRED:
semgrep.mpl_busl
Co-authored-by: James Rasell <[email protected]>
Co-authored-by: Michael Smithhisler <[email protected]>
Co-authored-by: Michael Smithhisler <[email protected]>
It's detecting the issue described here #19833 because the files were touched. We should fix that, but probably under a separate PR.
LGTM once the test compilation error is fixed.
f9fdafd to 80e398b
Looks good!
Adds ability to restrict host uid and gids in exec and raw_exec.
To Test:
Add the following to agent config:
Then in raw_exec or exec tasks change the "user" value to become a user in any of these ranges. Note that you should see an error like the following:
It should also error on job submit if you give it bad ranges, i.e. "0,1-foo".
Note: This is only needed on raw_exec, but since it felt like the code was 90% reusable and would be appreciated in exec too, I figured I'd add it (at the risk of a bit of scope creep). It also felt like I'd set us up better to add this to exec_v2 by just adding this in a shared location.
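The range handling this PR describes, as an added Go example that is not the PR's code: it parses a denied-ID spec, rejects the malformed "0,1-foo" and inverted bounds, and tests a resolved uid or gid against the result. The function and type names, the exact comma/dash syntax and the error text for a denied ID are assumptions; only the ErrInvalidRange message comes from the page.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Same message as the ErrInvalidRange shown in the review excerpt above.
var errInvalidRange = errors.New("lower bound cannot be greater than upper bound")
// idRange is an inclusive range of numeric IDs (hypothetical type).
type idRange struct{ lo, hi uint64 }

// parseDeniedRanges turns a spec such as "0,10-20" into inclusive ranges and
// rejects malformed input such as "0,1-foo" (hypothetical helper and syntax).
func parseDeniedRanges(spec string) ([]idRange, error) {
	var out []idRange
	for _, part := range strings.FieldsFunc(spec, func(r rune) bool { return r == ',' }) {
		loStr, hiStr, isRange := strings.Cut(strings.TrimSpace(part), "-")
		lo, err := strconv.ParseUint(loStr, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("invalid bound in %q: %w", part, err)
		}
		hi := lo
		if isRange {
			if hi, err = strconv.ParseUint(hiStr, 10, 32); err != nil {
				return nil, fmt.Errorf("invalid bound in %q: %w", part, err)
			}
		}
		if lo > hi {
			return nil, fmt.Errorf("%q: %w", part, errInvalidRange)
		}
		out = append(out, idRange{lo, hi})
	}
	return out, nil
}

// checkID reports an error when id falls inside any denied range
// (the error text is made up for this example).
func checkID(kind string, id uint64, denied []idRange) error {
	for _, r := range denied {
		if id >= r.lo && id <= r.hi {
			return fmt.Errorf("running as %s %d is disallowed", kind, id)
		}
	}
	return nil
}

func main() { fmt.Println(parseDeniedRanges("0,1-foo")) }
```

Parsing the spec once at config-validation time and checking the numeric ID after user lookup keeps a bad range from being silently ignored at task start.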