From 03d6a8c70a855773e013ca2d883a8d062d47b295 Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Tue, 7 Mar 2023 11:57:15 -0500 Subject: [PATCH] docs: note that secrets dir is usually mounted `noexec` (#16363) --- website/content/docs/concepts/filesystem.mdx | 3 ++- website/content/docs/job-specification/template.mdx | 4 +++- website/content/docs/runtime/environment.mdx | 8 ++++---- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/website/content/docs/concepts/filesystem.mdx b/website/content/docs/concepts/filesystem.mdx index 72833fd80..c0514750e 100644 --- a/website/content/docs/concepts/filesystem.mdx +++ b/website/content/docs/concepts/filesystem.mdx @@ -71,7 +71,8 @@ allocation directory like the one below. - **«taskname»/secrets/**: This directory is the location provided to the task as `NOMAD_SECRETS_DIR`. The contents of files in this directory cannot be read by the `nomad alloc fs` command. It can be used to store secret data that - should not be visible outside the task. + should not be visible outside the task. Where possible it is backed by an + in-memory filesystem and mounted `noexec`. - **«taskname»/tmp/**: A temporary directory used as scratch space by task drivers. diff --git a/website/content/docs/job-specification/template.mdx b/website/content/docs/job-specification/template.mdx index e3ac87f34..0343979f0 100644 --- a/website/content/docs/job-specification/template.mdx +++ b/website/content/docs/job-specification/template.mdx 
@@ -73,7 +73,9 @@ refer to the [Learn Go Template Syntax][gt_learn] guide. that build a chroot in the task working directory (ex. `exec`) can render templates outside of the `NOMAD_ALLOC_DIR`, `NOMAD_TASK_DIR`, or `NOMAD_SECRETS_DIR`. For more details on how `destination` interacts with - task drivers, see the [Filesystem internals] documentation. + task drivers, see the [Filesystem internals][] documentation. Note that where + possible, the `NOMAD_SECRETS_DIR` is mounted `noexec`, so rendered templates + can't be used as self-executing scripts. - `env` `(bool: false)` - Specifies the template should be read back in as environment variables for the task ([example](#environment-variables)). To diff --git a/website/content/docs/runtime/environment.mdx b/website/content/docs/runtime/environment.mdx index f3d2e4ba2..306aa651c 100644 --- a/website/content/docs/runtime/environment.mdx +++ b/website/content/docs/runtime/environment.mdx @@ -69,9 +69,9 @@ working directory: - `local/`: This directory is private to each task. It can be used to store arbitrary data that should not be shared by tasks in the task group. - `secrets/`: This directory is private to each task, not accessible via the - `nomad alloc fs` command or filesystem APIs and where possible backed by an - in-memory filesystem. It can be used to store secret data that should not be - visible outside the task. + `nomad alloc fs` command or filesystem APIs. Where possible it is backed by an + in-memory filesystem and mounted `noexec`. It can be used to store secret data + that should not be visible outside the task. These directories are persisted until the allocation is removed, which occurs hours after all the tasks in the task group enter terminal states. This gives 
@@ -85,7 +85,7 @@ chroot. Regardless of how the directories are made available, the path to the directories can be read through the `NOMAD_ALLOC_DIR`, `NOMAD_TASK_DIR`, and `NOMAD_SECRETS_DIR` environment variables. -For more details on the task directories, see the [Filesystem internals]. +For more details on the task directories, see the [Filesystem internals][]. ## Meta
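Review bot: in the filesystem.mdx hunk, "Where possible it is backed by an in-memory filesystem and mounted `noexec`" leaves the reader unable to tell when that applies. `noexec` is a mount flag, so it can only hold on platforms and task drivers that actually mount the directory; the bullet should name the conditions under which the tmpfs+`noexec` mount is used and say what the directory is otherwise, or at least state plainly that this is best-effort hardening a job must not rely on. As written, "where possible" reads as a promise with no way for the operator to check it.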
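Review bot: in the template.mdx hunk, "so rendered templates can't be used as self-executing scripts" overstates what `noexec` provides. The flag only stops direct execution of files on that mount; a rendered script is still readable and can be run by handing it to an interpreter (for example `sh "$NOMAD_SECRETS_DIR/run.sh"`), so the content is not inert. Suggest rewording to something like "so a file rendered there cannot be executed directly; render executable templates to `NOMAD_TASK_DIR` instead", which also tells the reader what to do when they hit the `permission denied` this causes.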
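Review bot: in the environment.mdx `secrets/` hunk, the in-memory/`noexec` sentence is now duplicated nearly verbatim from filesystem.mdx but with a different qualifier on visibility ("not accessible via the `nomad alloc fs` command or filesystem APIs" here versus "cannot be read by the `nomad alloc fs` command" there). Either align the two descriptions or have this bullet point at the filesystem page for the details, so the two copies do not drift apart on the next change.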
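Review bot: the `[Filesystem internals]` to `[Filesystem internals][]` changes in template.mdx and environment.mdx assume a reference definition of the form `[Filesystem internals]: ...` exists elsewhere in each file, and neither hunk shows it. Please confirm the definition is present in both files and that the rendered pages now produce a link rather than literal bracketed text; if the definition is missing in either file the edit does not fix anything.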