drivers/raw_exec: restore ability to run tasks without nomad running as root (#18206)

Although nomad officially does not support running the client as a non-root
user, doing so has been more or less possible with the raw_exec driver as
long as you don't expect features like networking or running tasks as
specific users to work. In the cgroups refactoring I bulldozed right over the
special casing we had in place for raw_exec to continue working if the cgroups
were unable to be created. This PR restores that behavior - you can now
(as before) run the nomad client as a non-root user and make use of the
raw_exec task driver.
Seth Hoenig
2023-08-15 11:22:30 -05:00
committed by GitHub
parent 0e22fc1a0b
commit 6747ef8803
3 changed files with 8 additions and 5 deletions


@@ -43,8 +43,10 @@ func (w *Wranglers) Setup(task Task) error {
// create process wrangler for task
pw := w.create(task)
// perform any initialization if necessary
pw.Initialize()
// perform any initialization if necessary (e.g. create cgroup)
// if this doesn't work just keep going; it's up to each task driver
// implementation to decide if this is a failure mode
_ = pw.Initialize()
w.lock.Lock()
defer w.lock.Unlock()
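Review bot: The `_ = pw.Initialize()` in Setup drops the error without any record, so a client whose cgroup creation fails goes on tracking the task with no log line showing that the wrangler never initialized. The new comment leaves the decision to each task driver, but nothing visible in this hunk hands the error to a driver, so each one would have to detect the missing cgroup on its own. I would keep the fail-open behaviour but capture the error and log it at warn level with the task's identity (assuming a logger is reachable from Wranglers, which the hunk does not show), and extend the comment with `// NOTE: the error is not propagated; drivers that require isolation must verify the cgroup themselves`. Setup's body continues past the end of the hunk.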


@@ -315,8 +315,8 @@ func (e *UniversalExecutor) Launch(command *ExecCommand) (*ProcessState, error)
// setup containment (i.e. cgroups on linux)
if cleanup, err := e.configureResourceContainer(command, os.Getpid()); err != nil {
e.logger.Error("failed to configure resource container", "error", err)
return nil, err
// keep going; some folks run nomad as non-root and expect this driver to still work
e.logger.Warn("failed to configure container, process isolation will not work", "error", err)
} else {
defer cleanup()
}
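Review bot: The error branch in Launch now fails open for every caller of UniversalExecutor, not only for a non-root raw_exec client: a client running as root whose cgroup setup breaks would also launch the task uncontained, where it previously refused. If the intent is only to support non-root clients, keep the hard failure when privileged, for example `if os.Geteuid() == 0 { return nil, err }` ahead of the `e.logger.Warn(...)` call (`os` is already used on the `configureResourceContainer` line). The warning would also be more useful to operators if it named the task or command, so that tasks running without isolation can be alerted on; whether child processes are still cleaned up on kill without the cgroup is not visible here and deserves a test. Launch's body starts and ends outside the hunk.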


@@ -18,6 +18,7 @@ import (
"github.com/hashicorp/go-set"
"github.com/hashicorp/go-version"
nomadapi "github.com/hashicorp/nomad/api"
"github.com/hashicorp/nomad/helper/testlog"
"github.com/hashicorp/nomad/testutil"
vaultapi "github.com/hashicorp/vault/api"
"github.com/shoenig/test/must"
@@ -135,7 +136,7 @@ func startNomad(t *testing.T, vc *vaultapi.Client) (func(), *nomadapi.Client) {
c.Client = &testutil.ClientConfig{
Enabled: true,
}
c.LogLevel = "off"
c.LogLevel = testlog.HCLoggerTestLevel().String()
})
nc, err := nomadapi.NewClient(&nomadapi.Config{
Address: "http://" + ts.HTTPAddr,