nomad
Backport of Adds ability to restrict uid and gids in exec and raw_exec into release/1.9.x
Backport
This PR is auto-generated from #20073 to be assessed for backporting due to the inclusion of the label backport/1.9.x.
:rotating_light:
Warning automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.
The person who merged in the original PR is: @Juanadelacuesta. This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in.
merge conflict error: unable to process merge commit: "c18418fa610ebf347e46bc8cef6933cf60efa986", automatic backport requires rebase workflow
The below text is copied from the body of the original PR.
Adds ability to restrict host uid and gids in exec and raw_exec.
To Test:
Add the following to agent config:
```hcl
plugin "exec" {
  enabled = true
  config {
    denied_host_uids = "0-65534"
    denied_host_gids = ""
  }
}
plugin "raw_exec" {
  config {
    enabled = true
    denied_host_uids = "1,2-9"
    denied_host_gids = "0-100"
  }
}
```
Then in raw_exec or exec tasks change the "user" value to become a user in any of these ranges. Note that you should see an error like the following:
It should also error on job submit if you give it bad ranges, i.e. "0,1-foo".
Note: This is only needed on raw_exec, but since it felt like the code was 90% reusable and would be appreciated in exec too, I figured I'd add it (at the risk of a bit of scope creep). It also felt like I'd set us up better to add this to exec_v2 by just adding this in a shared location.
Overview of commits
- c18418fa610ebf347e46bc8cef6933cf60efa986
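
The range strings used in the test config above, parsed and checked in Go as an added example; this is not code from the PR or from Nomad. It assumes a comma-separated list in which each entry is a single ID or an inclusive `lo-hi` range and an empty string denies nothing; `idRange`, `parseDenied` and `isDenied` are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// idRange is an inclusive range of numeric user or group IDs.
type idRange struct{ lo, hi uint64 }

// parseDenied parses a spec such as "1,2-9" (hypothetical helper, not Nomad's).
// Assumption: an empty spec denies nothing; any malformed entry rejects the whole spec.
func parseDenied(spec string) ([]idRange, error) {
	var out []idRange
	if strings.TrimSpace(spec) == "" {
		return out, nil
	}
	for _, part := range strings.Split(spec, ",") {
		lo, hi, isRange := strings.Cut(strings.TrimSpace(part), "-")
		if !isRange {
			hi = lo // a single ID is a range of length one
		}
		l, errLo := strconv.ParseUint(lo, 10, 32)
		h, errHi := strconv.ParseUint(hi, 10, 32)
		if errLo != nil || errHi != nil || l > h {
			return nil, fmt.Errorf("invalid id or range %q in %q", part, spec)
		}
		out = append(out, idRange{l, h})
	}
	return out, nil
}

// isDenied reports whether id falls inside any denied range.
func isDenied(id uint64, ranges []idRange) bool {
	for _, r := range ranges {
		if id >= r.lo && id <= r.hi {
			return true
		}
	}
	return false
}

func main() {
	uids, _ := parseDenied("1,2-9") // raw_exec denied_host_uids value from the config above
	fmt.Println(isDenied(0, uids), isDenied(5, uids))
	_, err := parseDenied("0,1-foo") // the bad range mentioned in the PR body
	fmt.Println(err)
}
```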