nomad
nomad copied to clipboard
hashicorp
no new line at the end of file causes infinite template re-render loop
I'm not sure if this is a bug, or intended behaviour, but since I couldn't find any history of this happening, it might be good to document.
Nomad version
root@hashistack13:~# nomad version Nomad v1.5.5 BuildDate 2023-05-05T12:50:14Z Revision 3d63bc62b35cbe3f79cdd245d50b61f130ee1a79
Operating system and Environment details
root@hashistack13:~# cat /etc/os-release PRETTY_NAME="Ubuntu 22.04.2 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.2 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy
Issue
To be honest I'm not sure if this should be addressed as a nomad or consul-template bug, but since we have this behaviour on nomad only, I'll open it here.
When deploying a job with an associated template, not adding a new-line char at the end of the template will cause nomad to a re-render/restart of the task infinitely.
Example with this job: (deployed with terraform)
job "crowdsec" {
datacenters = ["gre1"]
type = "service"
vault {
policies = ["read_kv"]
}
priority = 50
group "crowdsec" {
network {
mode = "bridge"
}
service {
name = "crowdsec-api"
port = 8080
task = "crowdsec-api"
connect {
sidecar_service {}
}
}
service {
name = "crowdsec-bouncer-traefik"
port = 8081
task = "crowdsec-bouncer-traefik"
connect {
sidecar_service {}
}
}
task "crowdsec-api" {
driver = "docker"
config {
image = "crowdsecurity/crowdsec:latest"
mounts = [
{
type = "bind"
source = "local/acquis-traefik.yaml"
target = "/etc/crowdsec/acquis.d/acquis-traefik.yaml"
},
{
type = "bind"
source = "local/config.yaml"
target = "/etc/crowdsec_config/config.yaml"
}
]
}
template {
data = file("./job-files/config-files/crowdsec-api/crowdsec-api.env.tpl")
destination = "secrets/crowdsec-api.env"
env = true
}
template {
data = file("./job-files/config-files/crowdsec-api/config.yaml.tpl")
destination = "local/config.yaml"
}
template {
data = file("./job-files/config-files/crowdsec-api/acquis.d/acquis-traefik.yaml.tpl")
destination = "local/acquis-traefik.yaml"
}
volume_mount {
volume = "crowdsec-api-config"
destination = "/etc/crowdsec"
}
volume_mount {
volume = "crowdsec-api-data"
destination = "/var/lib/crowdsec/data"
}
volume_mount {
volume = "traefik-logs"
destination = "/crowdsec-logs/traefik"
}
resources {
cpu = 400
memory = 400
}
}
task "crowdsec-bouncer-traefik" {
driver = "docker"
config {
image = "fbonalair/traefik-crowdsec-bouncer:latest"
}
template {
data = file("./job-files/config-files/crowdsec-bouncer-traefik/crowdsec-bouncer-traefik.env.tpl")
destination = "secrets/crowdsec-bouncer-traefik.env"
env = true
}
resources {
cpu = 300
memory = 300
}
}
volume "crowdsec-api-config" {
type = "csi"
source = "crowdsec-api-config"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "crowdsec-api-data" {
type = "csi"
source = "crowdsec-api-data"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "traefik-logs" {
type = "csi"
source = "traefik-logs"
read_only = true
attachment_mode = "file-system"
access_mode = "multi-node-single-writer"
}
}
}
and the following template:
---
common:
daemonize: true
log_media: file
log_level: info
log_dir: /var/log/
log_max_size: 20
compress_logs: true
log_max_files: 10
working_dir: .
config_paths:
config_dir: /etc/crowdsec/
data_dir: /var/lib/crowdsec/data/
simulation_path: /etc/crowdsec/simulation.yaml
hub_dir: /etc/crowdsec/hub/
index_path: /etc/crowdsec/hub/.index.json
notification_dir: /etc/crowdsec/notifications/
plugin_dir: /usr/local/lib/crowdsec/plugins/
crowdsec_service:
#console_context_path: /etc/crowdsec/console/context.yaml
acquisition_path: /etc/crowdsec/acquis.yaml
acquisition_dir: /etc/crowdsec/acquis.d
parser_routines: 1
cscli:
output: human
color: auto
db_config:
log_level: info
type: sqlite
db_path: /var/lib/crowdsec/data/crowdsec.db
#max_open_conns: 100
#user:
#password:
#db_name:
#host:
#port:
flush:
max_items: 5000
max_age: 7d
plugin_config:
user: nobody
group: nogroup
api:
client:
insecure_skip_verify: false
credentials_path: /etc/crowdsec/local_api_credentials.yaml
server:
log_level: info
listen_uri: 0.0.0.0:8080
profiles_path: /etc/crowdsec/profiles.yaml
console_path: /etc/crowdsec/console.yaml
online_client:
credentials_path: /etc/crowdsec/online_api_credentials.yaml
trusted_ips: # IP ranges, or IPs which can have admin API access
- 127.0.0.1
- ::1
prometheus:
enabled: true
level: full
listen_addr: 127.0.0.1
listen_port: 6060
Not having a new line at the end of the template file will result in an infinite re-render of the template.
Reproduction steps
Deploy a simple task wit a template not env, without a trailing "\n"
Expected Result
It should not re-render (maybe this is expected behaviour ?)
Actual Result
Keeps re-rendering the template.
Job file (if appropriate)
See above
I'm not sure this should be fixed, but I couldn't find documentation on why it's adding a new line at the end of file (even tho there is no dynamic content to my template
