nomad-pledge-driver

Nomad task driver capable of blocking unwanted syscall and filesystem access. Based on the pledge utility for Linux by Justine Tunney

Results 8 nomad-pledge-driver issues

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.18.0. Commits 360f961 unix: add API for fsconfig system call 7ff74af unix: drop go version tags for unsupported versions 6b4eab5 unix: suppress ENOMEM errors from...

theme/dependencies

Bumps [github.com/shoenig/test](https://github.com/shoenig/test) from 1.7.0 to 1.7.2. Release notes Sourced from github.com/shoenig/test's releases. v1.7.2 What's Changed Changes test: single value variants of MapContainsValue(s) helpers by @alessio-perugini in shoenig/test#151 Full Changelog: https://github.com/shoenig/test/compare/v1.7.1...v1.7.2...

theme/dependencies

Bumps [github.com/hashicorp/nomad](https://github.com/hashicorp/nomad) from 1.7.2 to 1.7.6. Release notes Sourced from github.com/hashicorp/nomad's releases. v1.7.6 1.7.6 (March 12, 2024) SECURITY: build: Update to go1.22 to address Go standard library vulnerabilities CVE-2024-24783, CVE-2023-45290,...

theme/dependencies

`"failed to open cgroup for descriptor"` is currently not exposing the underlying error for not being able to read the cgroup

Similar to how the `exec` driver exposes [`pid_mode`](https://developer.hashicorp.com/nomad/docs/drivers/exec#pid_mode) and [`ipc_mode`](https://developer.hashicorp.com/nomad/docs/drivers/exec#ipc_mode) so that folks can disable PID or IPC namespacing, so should the pledge driver.

enhancement

Currently the `pledge` plugin really only works with `network.mode = "host"`. Ideally we could make it work with `network.mode = "bridge"` as well. It's a bit complicated though due to...

enhancement

I suspect the e2e flakiness is from not properly waiting for an allocation to become "complete" for batch jobs, or the deployment to be "complete" for service jobs, before reading...

testing

On my CentOS 9 box with `5.14.0-295.el9.x86_64` where `unveil` is not supported, submitting a job with an `unveil` configuration should probably fail somewhere, but it does not.

bug