Adds ability to restrict uid and gids in exec and raw_exec #24343

Juanadelacuesta · 2024-10-31T15:09:34Z

Adds ability to restrict host uid and gids in exec and raw_exec.

To Test:

Add the following to agent config:

plugin "exec" {
  enabled = true
  config {
    denied_host_uids = "0-65534"
    denied_host_gids = ""
  }
}

plugin "raw_exec" {
  config {
    enabled = true
    denied_host_uids = "1,2-9"
    denied_host_gids = "0-100"
  }
}

Then in raw_exec or exec tasks change the "user" value to become a user in any of these ranges. Note that you should see an error like the following:

It should also error on job submit if you give it bad ranges. IE "0,1-foo"

Note: This is only needed on raw_exec, but since it felt like the code was 90% reusable and would be appreciated in exec too, I figured I'd add it (at the risk of a bit of scope creep). It also felt like I'd set us up better to add this to exec_v2 by just adding this in a shared location.

steps to update: * edit run.sh IMAGE variable manually * run ./run.sh test

* jobspec: add a chown option to artifact block This PR adds a boolean 'chown' field to the artifact block. It indicates whether the Nomad client should chown the downloaded files and directories to be owned by the task.user. This is useful for drivers like raw_exec and exec2 which are subject to the host filesystem user permissions structure. Before, these drivers might not be able to use or manage the downloaded artifacts since they would be owned by the root user on a typical Nomad client configuration. * api: no need for pointer of chown field

* docs: explain schedule state values GET /v1/client/allocation/:alloc_id/pause?task=:task_name is a tiny but critical API for observability of tasks with a schedule. This PR explains each of the values which might be returned. * correct docstring * add missing state and expand PUT docs --------- Co-authored-by: Aimee Ukasick <[email protected]>

vercel bot deployed to Preview – nomad-ui October 31, 2024 15:09 View deployment

Juanadelacuesta requested a review from jrasell October 31, 2024 15:12

vercel bot deployed to Preview – nomad October 31, 2024 15:15 View deployment

Juanadelacuesta closed this Oct 31, 2024

Juanadelacuesta reopened this Nov 4, 2024

Juanadelacuesta changed the base branch from main to release/1.9.x November 4, 2024 15:41

Juanadelacuesta requested review from a team as code owners November 4, 2024 15:41

gulducat and others added 8 commits November 4, 2024 16:43

e2e: ui: update playwright to 1.48.0 (#24158)

5548d94

steps to update: * edit run.sh IMAGE variable manually * run ./run.sh test

build: update versions file for backports (#24174)

9009f12

Merge release 1.9.0 files

8a5aa11

Merge release 1.9.1 files

967d4b1

fingerprint gce: collect preemptibility

8ea802a

Adds ability to restrict uid and gids in exec and raw_exec

525d5e9

Juanadelacuesta force-pushed the feat/uid-gid-restriction branch from 6a82588 to 525d5e9 Compare November 4, 2024 15:45

vercel bot deployed to Preview – nomad-ui November 4, 2024 15:46 View deployment

vercel bot deployed to Preview – nomad November 4, 2024 15:51 View deployment

mismithhisler approved these changes Nov 4, 2024

View reviewed changes

Juanadelacuesta merged commit 0a3f87f into release/1.9.x Nov 4, 2024
27 of 28 checks passed

Juanadelacuesta deleted the feat/uid-gid-restriction branch November 4, 2024 16:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adds ability to restrict uid and gids in exec and raw_exec #24343

Adds ability to restrict uid and gids in exec and raw_exec #24343

Juanadelacuesta commented Oct 31, 2024 •

edited

Loading

Adds ability to restrict uid and gids in exec and raw_exec #24343

Adds ability to restrict uid and gids in exec and raw_exec #24343

Conversation

Juanadelacuesta commented Oct 31, 2024 • edited Loading

Juanadelacuesta commented Oct 31, 2024 •

edited

Loading