From 41d6635026b048f68256a4f7c6ee669ef0d616d8 Mon Sep 17 00:00:00 2001
From: Mahmood Ali
Date: Thu, 3 Jan 2019 12:36:22 -0500
Subject: [PATCH] drivers/exec: run as `nobody` by default

libcontainer based drivers (e.g. exec, java) should default to running processes as `nobody` [1]; but libcontainer treats empty user as `root` in our case (either because of default or due to `root` being current user).

[1] https://github.com/hashicorp/nomad/blob/94c28a4c6cc45f1b377d50a6bff2017b46c43d18/website/source/docs/job-specification/task.html.md#task-parameters
---
 drivers/exec/driver.go | 7 ++++++-
 drivers/java/driver.go | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/exec/driver.go b/drivers/exec/driver.go
index 50ba7d059..4bbd337be 100644
--- a/drivers/exec/driver.go
+++ b/drivers/exec/driver.go
@@ -297,11 +297,16 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *cstru
 return nil, nil, fmt.Errorf("failed to create executor: %v", err)
 }
 
+ user := cfg.User
+ if user == "" {
+ user = "nobody"
+ }
+
 execCmd := &executor.ExecCommand{
 Cmd: driverConfig.Command,
 Args: driverConfig.Args,
 Env: cfg.EnvList(),
- User: cfg.User,
+ User: user,
 ResourceLimits: true,
 Resources: cfg.Resources,
 TaskDir: cfg.TaskDir().Dir,
diff --git a/drivers/java/driver.go b/drivers/java/driver.go
index b96377da7..1b561697a 100644
--- a/drivers/java/driver.go
+++ b/drivers/java/driver.go
@@ -328,11 +328,16 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *cstru
 return nil, nil, fmt.Errorf("failed to create executor: %v", err)
 }
 
+ user := cfg.User
+ if user == "" {
+ user = "nobody"
+ }
+
 execCmd := &executor.ExecCommand{
 Cmd: absPath,
 Args: args,
 Env: cfg.EnvList(),
- User: cfg.User,
+ User: user,
 ResourceLimits: true,
 Resources: cfg.Resources,
 TaskDir: cfg.TaskDir().Dir,
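Review bot: The `nobody` fallback is copied into each driver's StartTask (this hunk and the one in drivers/java/driver.go), so the empty-user-runs-as-root behaviour described in the commit message would presumably still apply to any other code that builds an `executor.ExecCommand` with an empty `User`. Consider applying the default in one place, either a shared helper both drivers call or the executor itself, so a future libcontainer-based caller cannot skip it. The check also deserves a why-comment, e.g. `// libcontainer treats an empty user as root; default to the unprivileged nobody account`, and a regression test asserting that a task with no user set is not started as root. Both StartTask bodies begin and end outside their hunks, so it cannot be seen from here whether a host without a `nobody` account fails the task or falls back to something else.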