Backport of Adds ability to restrict uid and gids in exec and raw_exec into release/1.9.x
Backport
This PR is auto-generated from #20073 to be assessed for backporting due to the inclusion of the label backport/1.9.x.
:rotating_light: Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.
The person who merged in the original PR is: @Juanadelacuesta This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in.
merge conflict error: unable to process merge commit: "c18418fa610ebf347e46bc8cef6933cf60efa986", automatic backport requires rebase workflow
The below text is copied from the body of the original PR.
Adds ability to restrict host uid and gids in exec and raw_exec.
To Test:
Add the following to agent config:

```hcl
plugin "exec" {
  enabled = true
  config {
    denied_host_uids = "0-65534"
    denied_host_gids = ""
  }
}

plugin "raw_exec" {
  config {
    enabled = true
    denied_host_uids = "1,2-9"
    denied_host_gids = "0-100"
  }
}
```
Then in raw_exec or exec tasks change the "user" value to become a user in any of these ranges. Note that you should see an error like the following:
It should also error on job submit if you give it bad ranges, i.e. "0,1-foo".
Note: This is only needed on raw_exec, but since it felt like the code was 90% reusable and would be appreciated in exec too, I figured I'd add it (at the risk of a bit of scope creep). It also felt like I'd set us up better to add this to exec_v2 by just adding this in a shared location.
Overview of commits
- c18418fa610ebf347e46bc8cef6933cf60efa986
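The range syntax used by `denied_host_uids` and `denied_host_gids` above ("0-65534", "1,2-9", and the malformed "0,1-foo" that must be rejected at job submit) can be exercised stand-alone. The following is an added illustration, not code from the Nomad PR or the backport: it parses a denied-ID specification, validates it, and refuses a task user whose uid or primary gid lands in a denied range. The `lookup` callback stands in for a real `user.Lookup`, the user table and error wording are constructed for the example, and none of the function names come from the page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// idRange is an inclusive [lo, hi] range of numeric IDs.
type idRange struct {
	lo, hi uint64
}

// parseIDRanges parses a denied-ID specification such as "0-65534" or
// "1,2-9": comma-separated entries, each a single ID or an inclusive
// "lo-hi" range. An empty string means nothing is denied. Malformed
// input such as "0,1-foo" is rejected so that a bad agent or job
// config fails fast instead of silently denying nothing.
func parseIDRanges(spec string) ([]idRange, error) {
	spec = strings.TrimSpace(spec)
	if spec == "" {
		return nil, nil
	}
	var ranges []idRange
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			return nil, fmt.Errorf("empty entry in %q", spec)
		}
		bounds := strings.SplitN(part, "-", 2)
		lo, err := strconv.ParseUint(strings.TrimSpace(bounds[0]), 10, 32)
		if err != nil {
			return nil, fmt.Errorf("invalid id %q in %q: %w", bounds[0], spec, err)
		}
		hi := lo
		if len(bounds) == 2 {
			hi, err = strconv.ParseUint(strings.TrimSpace(bounds[1]), 10, 32)
			if err != nil {
				return nil, fmt.Errorf("invalid id %q in %q: %w", bounds[1], spec, err)
			}
		}
		if hi < lo {
			return nil, fmt.Errorf("range %q in %q has high bound below low bound", part, spec)
		}
		ranges = append(ranges, idRange{lo: lo, hi: hi})
	}
	return ranges, nil
}

// contains reports whether id falls inside any of the ranges.
func contains(ranges []idRange, id uint64) bool {
	for _, r := range ranges {
		if id >= r.lo && id <= r.hi {
			return true
		}
	}
	return false
}

// checkTaskUser resolves the task's "user" value to a uid and primary gid
// via the supplied lookup (a stand-in for user.Lookup) and returns an
// error when either falls inside a denied range, so the task is refused
// before anything is launched. Both specs are parsed here so a malformed
// spec is itself reported as an error.
func checkTaskUser(username string, lookup func(string) (uid, gid uint64, err error), deniedUIDs, deniedGIDs string) error {
	uidRanges, err := parseIDRanges(deniedUIDs)
	if err != nil {
		return fmt.Errorf("denied_host_uids: %w", err)
	}
	gidRanges, err := parseIDRanges(deniedGIDs)
	if err != nil {
		return fmt.Errorf("denied_host_gids: %w", err)
	}
	uid, gid, err := lookup(username)
	if err != nil {
		return err
	}
	if contains(uidRanges, uid) {
		return fmt.Errorf("running as uid %d is disallowed", uid)
	}
	if contains(gidRanges, gid) {
		return fmt.Errorf("running as gid %d is disallowed", gid)
	}
	return nil
}

// constructedLookup is a tiny fake passwd table for the example.
func constructedLookup(name string) (uint64, uint64, error) {
	table := map[string][2]uint64{"root": {0, 0}, "nobody": {65534, 65534}, "app": {1000, 1000}}
	ids, ok := table[name]
	if !ok {
		return 0, 0, fmt.Errorf("unknown user %q", name)
	}
	return ids[0], ids[1], nil
}

func main() {
	// Mirrors the raw_exec settings from the PR body: root is caught by the gid range.
	fmt.Println(checkTaskUser("root", constructedLookup, "1,2-9", "0-100"))
	fmt.Println(checkTaskUser("app", constructedLookup, "1,2-9", "0-100"))
	_, err := parseIDRanges("0,1-foo")
	fmt.Println(err)
}
```

The check runs against the resolved numeric IDs rather than the username, so a user that merely aliases a denied uid (or whose primary group is denied) is still refused.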
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement
Learn more about why HashiCorp requires a CLA and what the CLA includes
temp seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
Have you signed the CLA already but the status is still pending? Recheck it.
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.