Merge pull request #9982 from hashicorp/f-nsiso-driver

drivers/exec+java: Add configuration to restore previous PID/IPC namespace behavior

CHANGELOG.md

@@ -6,6 +6,7 @@ FEATURES:
 IMPROVEMENTS:
  * cli: Improved `scaling policy` commands with -verbose, auto-completion, and prefix-matching [[GH-9964](https://github.com/hashicorp/nomad/issues/9964)]
  * consul/connect: Made handling of sidecar task container image URLs consistent with the `docker` task driver. [[GH-9580](https://github.com/hashicorp/nomad/issues/9580)]
+ * drivers/exec+java: Added client plugin configuration to re-enable previous PID/IPC namespace behavior [[GH-9982](https://github.com/hashicorp/nomad/pull/9982)]
 
 BUG FIXES:
  * consul: Fixed a bug where failing tasks with group services would only cause the allocation to restart once instead of respecting the `restart` field. [[GH-9869](https://github.com/hashicorp/nomad/issues/9869)]

command/job_init.bindata_assetfs.go

@@ -87,7 +87,7 @@ func commandAssetsConnectShortNomad() (*asset, error) {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "command/assets/connect-short.nomad", size: 997, mode: os.FileMode(436), modTime: time.Unix(1610319873, 0)}
+	info := bindataFileInfo{name: "command/assets/connect-short.nomad", size: 997, mode: os.FileMode(436), modTime: time.Unix(1612560436, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -107,7 +107,7 @@ func commandAssetsConnectNomad() (*asset, error) {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "command/assets/connect.nomad", size: 17842, mode: os.FileMode(436), modTime: time.Unix(1610319873, 0)}
+	info := bindataFileInfo{name: "command/assets/connect.nomad", size: 17842, mode: os.FileMode(436), modTime: time.Unix(1612560436, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -127,7 +127,7 @@ func commandAssetsExampleShortNomad() (*asset, error) {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "command/assets/example-short.nomad", size: 324, mode: os.FileMode(436), modTime: time.Unix(1610319873, 0)}
+	info := bindataFileInfo{name: "command/assets/example-short.nomad", size: 324, mode: os.FileMode(436), modTime: time.Unix(1612560436, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -147,7 +147,7 @@ func commandAssetsExampleNomad() (*asset, error) {
 		return nil, err
 	}
 
-	info := bindataFileInfo{name: "command/assets/example.nomad", size: 16057, mode: os.FileMode(436), modTime: time.Unix(1610319873, 0)}
+	info := bindataFileInfo{name: "command/assets/example.nomad", size: 16057, mode: os.FileMode(436), modTime: time.Unix(1612560436, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

drivers/exec/driver.go

@@ -65,6 +65,14 @@ var (
 			hclspec.NewAttr("no_pivot_root", "bool", false),
 			hclspec.NewLiteral("false"),
 		),
+		"default_pid_mode": hclspec.NewDefault(
+			hclspec.NewAttr("default_pid_mode", "string", false),
+			hclspec.NewLiteral(`"private"`),
+		),
+		"default_ipc_mode": hclspec.NewDefault(
+			hclspec.NewAttr("default_ipc_mode", "string", false),
+			hclspec.NewLiteral(`"private"`),
+		),
 	})
 
 	// taskConfigSpec is the hcl specification for the driver config section of
@@ -122,6 +130,30 @@ type Config struct {
 	// NoPivotRoot disables the use of pivot_root, useful when the root partition
 	// is on ramdisk
 	NoPivotRoot bool `codec:"no_pivot_root"`
+
+	// DefaultModePID is the default PID isolation set for all tasks using
+	// exec-based task drivers.
+	DefaultModePID string `codec:"default_pid_mode"`
+
+	// DefaultModeIPC is the default IPC isolation set for all tasks using
+	// exec-based task drivers.
+	DefaultModeIPC string `codec:"default_ipc_mode"`
+}
+
+func (c *Config) validate() error {
+	switch c.DefaultModePID {
+	case executor.IsolationModePrivate, executor.IsolationModeHost:
+	default:
+		return fmt.Errorf("default_pid_mode must be %q or %q, got %q", executor.IsolationModePrivate, executor.IsolationModeHost, c.DefaultModePID)
+	}
+
+	switch c.DefaultModeIPC {
+	case executor.IsolationModePrivate, executor.IsolationModeHost:
+	default:
+		return fmt.Errorf("default_ipc_mode must be %q or %q, got %q", executor.IsolationModePrivate, executor.IsolationModeHost, c.DefaultModeIPC)
+	}
+
+	return nil
 }
 
 // TaskConfig is the driver configuration of a task within a job
@@ -182,14 +214,18 @@ func (d *Driver) ConfigSchema() (*hclspec.Spec, error) {
 }
 
 func (d *Driver) SetConfig(cfg *base.Config) error {
+	// unpack, validate, and set agent plugin config
 	var config Config
 	if len(cfg.PluginConfig) != 0 {
 		if err := base.MsgPackDecode(cfg.PluginConfig, &config); err != nil {
 			return err
 		}
 	}
-
+	if err := config.validate(); err != nil {
+		return err
+	}
 	d.config = config
+
 	if cfg != nil && cfg.AgentConfig != nil {
 		d.nomadConfig = cfg.AgentConfig.Driver
 	}
@@ -383,6 +419,8 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		Mounts:           cfg.Mounts,
 		Devices:          cfg.Devices,
 		NetworkIsolation: cfg.NetworkIsolation,
+		DefaultModePID:   d.config.DefaultModePID,
+		DefaultModeIPC:   d.config.DefaultModeIPC,
 	}
 
 	ps, err := exec.Launch(execCmd)

drivers/exec/driver_test.go

@@ -3,6 +3,7 @@ package exec
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -16,6 +17,7 @@ import (
 	"time"
 
 	ctestutils "github.com/hashicorp/nomad/client/testutil"
+	"github.com/hashicorp/nomad/drivers/shared/executor"
 	"github.com/hashicorp/nomad/helper/pluginutils/hclutils"
 	"github.com/hashicorp/nomad/helper/testlog"
 	"github.com/hashicorp/nomad/helper/testtask"
@@ -273,7 +275,7 @@ func TestExecDriver_StartWaitRecover(t *testing.T) {
 // task dies, the orphans in the PID namespaces are killed by the kernel
 func TestExecDriver_NoOrphans(t *testing.T) {
 	t.Parallel()
-	require := require.New(t)
+	r := require.New(t)
 	ctestutils.ExecCompatible(t)
 
 	ctx, cancel := context.WithCancel(context.Background())
@@ -283,6 +285,17 @@ func TestExecDriver_NoOrphans(t *testing.T) {
 	harness := dtestutil.NewDriverHarness(t, d)
 	defer harness.Kill()
 
+	config := &Config{
+		NoPivotRoot:    false,
+		DefaultModePID: executor.IsolationModePrivate,
+		DefaultModeIPC: executor.IsolationModePrivate,
+	}
+
+	var data []byte
+	r.NoError(basePlug.MsgPackEncode(&data, config))
+	baseConfig := &basePlug.Config{PluginConfig: data}
+	r.NoError(harness.SetConfig(baseConfig))
+
 	task := &drivers.TaskConfig{
 		ID:   uuid.Generate(),
 		Name: "test",
@@ -295,21 +308,21 @@ func TestExecDriver_NoOrphans(t *testing.T) {
 	taskConfig["command"] = "/bin/sh"
 	// print the child PID in the task PID namespace, then sleep for 5 seconds to give us a chance to examine processes
 	taskConfig["args"] = []string{"-c", fmt.Sprintf(`sleep 3600 & sleep 20`)}
-	require.NoError(task.EncodeConcreteDriverConfig(&taskConfig))
+	r.NoError(task.EncodeConcreteDriverConfig(&taskConfig))
 
 	handle, _, err := harness.StartTask(task)
-	require.NoError(err)
+	r.NoError(err)
 	defer harness.DestroyTask(task.ID, true)
 
 	waitCh, err := harness.WaitTask(context.Background(), handle.Config.ID)
-	require.NoError(err)
+	r.NoError(err)
 
-	require.NoError(harness.WaitUntilStarted(task.ID, 1*time.Second))
+	r.NoError(harness.WaitUntilStarted(task.ID, 1*time.Second))
 
 	var childPids []int
 	taskState := TaskState{}
 	testutil.WaitForResult(func() (bool, error) {
-		require.NoError(handle.GetDriverState(&taskState))
+		r.NoError(handle.GetDriverState(&taskState))
 		if taskState.Pid == 0 {
 			return false, fmt.Errorf("task PID is zero")
 		}
@@ -331,14 +344,14 @@ func TestExecDriver_NoOrphans(t *testing.T) {
 		}
 		return true, nil
 	}, func(err error) {
-		require.NoError(err)
+		r.NoError(err)
 	})
 
 	select {
 	case result := <-waitCh:
-		require.True(result.Successful(), "command failed: %#v", result)
+		r.True(result.Successful(), "command failed: %#v", result)
 	case <-time.After(30 * time.Second):
-		require.Fail("timeout waiting for task to shutdown")
+		r.Fail("timeout waiting for task to shutdown")
 	}
 
 	// isProcessRunning returns an error if process is not running
@@ -357,7 +370,7 @@ func TestExecDriver_NoOrphans(t *testing.T) {
 	}
 
 	// task should be dead
-	require.Error(isProcessRunning(taskState.Pid))
+	r.Error(isProcessRunning(taskState.Pid))
 
 	// all children should eventually be killed by OS
 	testutil.WaitForResult(func() (bool, error) {
@@ -372,7 +385,7 @@ func TestExecDriver_NoOrphans(t *testing.T) {
 		}
 		return true, nil
 	}, func(err error) {
-		require.NoError(err)
+		r.NoError(err)
 	})
 }
 
@@ -711,7 +724,7 @@ config {
 
 func TestExecDriver_NoPivotRoot(t *testing.T) {
 	t.Parallel()
-	require := require.New(t)
+	r := require.New(t)
 	ctestutils.ExecCompatible(t)
 
 	ctx, cancel := context.WithCancel(context.Background())
@@ -720,11 +733,16 @@ func TestExecDriver_NoPivotRoot(t *testing.T) {
 	d := NewExecDriver(ctx, testlog.HCLogger(t))
 	harness := dtestutil.NewDriverHarness(t, d)
 
-	config := &Config{NoPivotRoot: true}
+	config := &Config{
+		NoPivotRoot:    true,
+		DefaultModePID: executor.IsolationModePrivate,
+		DefaultModeIPC: executor.IsolationModePrivate,
+	}
+
 	var data []byte
-	require.NoError(basePlug.MsgPackEncode(&data, config))
+	r.NoError(basePlug.MsgPackEncode(&data, config))
 	bconfig := &basePlug.Config{PluginConfig: data}
-	require.NoError(harness.SetConfig(bconfig))
+	r.NoError(harness.SetConfig(bconfig))
 
 	task := &drivers.TaskConfig{
 		ID:        uuid.Generate(),
@@ -738,9 +756,28 @@ func TestExecDriver_NoPivotRoot(t *testing.T) {
 		Command: "/bin/sleep",
 		Args:    []string{"100"},
 	}
-	require.NoError(task.EncodeConcreteDriverConfig(&tc))
+	r.NoError(task.EncodeConcreteDriverConfig(&tc))
 
 	handle, _, err := harness.StartTask(task)
-	require.NoError(err)
-	require.NotNil(handle)
+	r.NoError(err)
+	r.NotNil(handle)
+}
+
+func TestDriver_Config_validate(t *testing.T) {
+	for _, tc := range []struct {
+		pidMode, ipcMode string
+		exp              error
+	}{
+		{pidMode: "host", ipcMode: "host", exp: nil},
+		{pidMode: "private", ipcMode: "host", exp: nil},
+		{pidMode: "host", ipcMode: "private", exp: nil},
+		{pidMode: "private", ipcMode: "private", exp: nil},
+		{pidMode: "other", ipcMode: "private", exp: errors.New(`default_pid_mode must be "private" or "host", got "other"`)},
+		{pidMode: "private", ipcMode: "other", exp: errors.New(`default_ipc_mode must be "private" or "host", got "other"`)},
+	} {
+		require.Equal(t, tc.exp, (&Config{
+			DefaultModePID: tc.pidMode,
+			DefaultModeIPC: tc.ipcMode,
+		}).validate())
+	}
 }

drivers/java/driver.go

@@ -63,7 +63,16 @@ var (
 	}
 
 	// configSpec is the hcl specification returned by the ConfigSchema RPC
-	configSpec = hclspec.NewObject(map[string]*hclspec.Spec{})
+	configSpec = hclspec.NewObject(map[string]*hclspec.Spec{
+		"default_pid_mode": hclspec.NewDefault(
+			hclspec.NewAttr("default_pid_mode", "string", false),
+			hclspec.NewLiteral(`"private"`),
+		),
+		"default_ipc_mode": hclspec.NewDefault(
+			hclspec.NewAttr("default_ipc_mode", "string", false),
+			hclspec.NewLiteral(`"private"`),
+		),
+	})
 
 	// taskConfigSpec is the hcl specification for the driver config section of
 	// a taskConfig within a job. It is returned in the TaskConfigSchema RPC
@@ -101,6 +110,33 @@ func init() {
 	}
 }
 
+// Config is the driver configuration set by the SetConfig RPC call
+type Config struct {
+	// DefaultModePID is the default PID isolation set for all tasks using
+	// exec-based task drivers.
+	DefaultModePID string `codec:"default_pid_mode"`
+
+	// DefaultModeIPC is the default IPC isolation set for all tasks using
+	// exec-based task drivers.
+	DefaultModeIPC string `codec:"default_ipc_mode"`
+}
+
+func (c *Config) validate() error {
+	switch c.DefaultModePID {
+	case executor.IsolationModePrivate, executor.IsolationModeHost:
+	default:
+		return fmt.Errorf("default_pid_mode must be %q or %q, got %q", executor.IsolationModePrivate, executor.IsolationModeHost, c.DefaultModePID)
+	}
+
+	switch c.DefaultModeIPC {
+	case executor.IsolationModePrivate, executor.IsolationModeHost:
+	default:
+		return fmt.Errorf("default_ipc_mode must be %q or %q, got %q", executor.IsolationModePrivate, executor.IsolationModeHost, c.DefaultModeIPC)
+	}
+
+	return nil
+}
+
 // TaskConfig is the driver configuration of a taskConfig within a job
 type TaskConfig struct {
 	Class     string   `codec:"class"`
@@ -126,6 +162,9 @@ type Driver struct {
 	// event can be broadcast to all callers
 	eventer *eventer.Eventer
 
+	// config is the driver configuration set by the SetConfig RPC
+	config Config
+
 	// tasks is the in memory datastore mapping taskIDs to taskHandle
 	tasks *taskStore
 
@@ -159,6 +198,18 @@ func (d *Driver) ConfigSchema() (*hclspec.Spec, error) {
 }
 
 func (d *Driver) SetConfig(cfg *base.Config) error {
+	// unpack, validate, and set agent plugin config
+	var config Config
+	if len(cfg.PluginConfig) != 0 {
+		if err := base.MsgPackDecode(cfg.PluginConfig, &config); err != nil {
+			return err
+		}
+	}
+	if err := config.validate(); err != nil {
+		return err
+	}
+	d.config = config
+
 	if cfg != nil && cfg.AgentConfig != nil {
 		d.nomadConfig = cfg.AgentConfig.Driver
 	}
@@ -374,6 +425,8 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 		Mounts:           cfg.Mounts,
 		Devices:          cfg.Devices,
 		NetworkIsolation: cfg.NetworkIsolation,
+		DefaultModePID:   d.config.DefaultModePID,
+		DefaultModeIPC:   d.config.DefaultModeIPC,
 	}
 
 	ps, err := exec.Launch(execCmd)

drivers/java/driver_test.go

@@ -1,6 +1,7 @@
 package java
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -413,3 +414,22 @@ func Test_dnsConfig(t *testing.T) {
 	}
 
 }
+
+func TestDriver_Config_validate(t *testing.T) {
+	for _, tc := range []struct {
+		pidMode, ipcMode string
+		exp              error
+	}{
+		{pidMode: "host", ipcMode: "host", exp: nil},
+		{pidMode: "private", ipcMode: "host", exp: nil},
+		{pidMode: "host", ipcMode: "private", exp: nil},
+		{pidMode: "private", ipcMode: "private", exp: nil},
+		{pidMode: "other", ipcMode: "private", exp: errors.New(`default_pid_mode must be "private" or "host", got "other"`)},
+		{pidMode: "private", ipcMode: "other", exp: errors.New(`default_ipc_mode must be "private" or "host", got "other"`)},
+	} {
+		require.Equal(t, tc.exp, (&Config{
+			DefaultModePID: tc.pidMode,
+			DefaultModeIPC: tc.ipcMode,
+		}).validate())
+	}
+}

drivers/shared/executor/client.go

@@ -45,6 +45,8 @@ func (c *grpcExecutorClient) Launch(cmd *ExecCommand) (*ProcessState, error) {
 		Mounts:             drivers.MountsToProto(cmd.Mounts),
 		Devices:            drivers.DevicesToProto(cmd.Devices),
 		NetworkIsolation:   drivers.NetworkIsolationSpecToProto(cmd.NetworkIsolation),
+		DefaultPidMode:     cmd.DefaultModePID,
+		DefaultIpcMode:     cmd.DefaultModeIPC,
 	}
 	resp, err := c.client.Launch(ctx, req)
 	if err != nil {

drivers/shared/executor/executor.go

@@ -34,6 +34,12 @@ const (
 	// ExecutorVersionPre0_9 is the version of executor use prior to the release
 	// of 0.9.x
 	ExecutorVersionPre0_9 = "1.1.0"
+
+	// IsolationModePrivate represents the private isolation mode for a namespace
+	IsolationModePrivate = "private"
+
+	// IsolationModeHost represents the host isolation mode for a namespace
+	IsolationModeHost = "host"
 )
 
 var (
@@ -132,7 +138,14 @@ type ExecCommand struct {
 	// Devices are the the device nodes to be created in isolation environment
 	Devices []*drivers.DeviceConfig
 
+	// NetworkIsolation is the network isolation configuration.
 	NetworkIsolation *drivers.NetworkIsolationSpec
+
+	// DefaultModePID is the default PID isolation mode
+	DefaultModePID string
+
+	// DefaultModeIPC is the default IPC isolation mode
+	DefaultModeIPC string
 }
 
 // SetWriters sets the writer for the process stdout and stderr. This should

drivers/shared/executor/executor_linux.go

@@ -562,6 +562,17 @@ func supportedCaps() []string {
 	return allCaps
 }
 
+func configureNamespaces(pidMode, ipcMode string) lconfigs.Namespaces {
+	namespaces := lconfigs.Namespaces{{Type: lconfigs.NEWNS}}
+	if pidMode == IsolationModePrivate {
+		namespaces = append(namespaces, lconfigs.Namespace{Type: lconfigs.NEWPID})
+	}
+	if ipcMode == IsolationModePrivate {
+		namespaces = append(namespaces, lconfigs.Namespace{Type: lconfigs.NEWIPC})
+	}
+	return namespaces
+}
+
 // configureIsolation prepares the isolation primitives of the container.
 // The process runs in a container configured with the following:
 //
@@ -578,12 +589,8 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error {
 	// disable pivot_root if set in the driver's configuration
 	cfg.NoPivotRoot = command.NoPivotRoot
 
-	// launch with mount namespace
-	cfg.Namespaces = lconfigs.Namespaces{
-		{Type: lconfigs.NEWNS},
-		{Type: lconfigs.NEWPID},
-		{Type: lconfigs.NEWIPC},
-	}
+	// set up default namespaces as configured
+	cfg.Namespaces = configureNamespaces(command.DefaultModePID, command.DefaultModeIPC)
 
 	if command.NetworkIsolation != nil {
 		cfg.Namespaces = append(cfg.Namespaces, lconfigs.Namespace{

drivers/shared/executor/executor_linux_test.go

@@ -87,9 +87,39 @@ func testExecutorCommandWithChroot(t *testing.T) *testExecCmd {
 	return testCmd
 }
 
-func TestExecutor_IsolationAndConstraints(t *testing.T) {
+func TestExecutor_configureNamespaces(t *testing.T) {
+	t.Run("host host", func(t *testing.T) {
+		require.Equal(t, lconfigs.Namespaces{
+			{Type: lconfigs.NEWNS},
+		}, configureNamespaces("host", "host"))
+	})
+
+	t.Run("host private", func(t *testing.T) {
+		require.Equal(t, lconfigs.Namespaces{
+			{Type: lconfigs.NEWNS},
+			{Type: lconfigs.NEWIPC},
+		}, configureNamespaces("host", "private"))
+	})
+
+	t.Run("private host", func(t *testing.T) {
+		require.Equal(t, lconfigs.Namespaces{
+			{Type: lconfigs.NEWNS},
+			{Type: lconfigs.NEWPID},
+		}, configureNamespaces("private", "host"))
+	})
+
+	t.Run("private private", func(t *testing.T) {
+		require.Equal(t, lconfigs.Namespaces{
+			{Type: lconfigs.NEWNS},
+			{Type: lconfigs.NEWPID},
+			{Type: lconfigs.NEWIPC},
+		}, configureNamespaces("private", "private"))
+	})
+}
+
+func TestExecutor_Isolation_PID_and_IPC_hostMode(t *testing.T) {
 	t.Parallel()
-	require := require.New(t)
+	r := require.New(t)
 	testutil.ExecCompatible(t)
 
 	testExecCmd := testExecutorCommandWithChroot(t)
@@ -99,43 +129,85 @@ func TestExecutor_IsolationAndConstraints(t *testing.T) {
 	defer allocDir.Destroy()
 
 	execCmd.ResourceLimits = true
+	execCmd.DefaultModePID = "host" // disable PID namespace
+	execCmd.DefaultModeIPC = "host" // disable IPC namespace
 
 	executor := NewExecutorWithIsolation(testlog.HCLogger(t))
 	defer executor.Shutdown("SIGKILL", 0)
 
 	ps, err := executor.Launch(execCmd)
-	require.NoError(err)
-	require.NotZero(ps.Pid)
+	r.NoError(err)
+	r.NotZero(ps.Pid)
 
 	estate, err := executor.Wait(context.Background())
-	require.NoError(err)
-	require.Zero(estate.ExitCode)
+	r.NoError(err)
+	r.Zero(estate.ExitCode)
 
 	lexec, ok := executor.(*LibcontainerExecutor)
-	require.True(ok)
-
-	// Check if the resource constraints were applied
-	state, err := lexec.container.State()
-	require.NoError(err)
-
-	memLimits := filepath.Join(state.CgroupPaths["memory"], "memory.limit_in_bytes")
-	data, err := ioutil.ReadFile(memLimits)
-	require.NoError(err)
-
-	expectedMemLim := strconv.Itoa(int(execCmd.Resources.NomadResources.Memory.MemoryMB * 1024 * 1024))
-	actualMemLim := strings.TrimSpace(string(data))
-	require.Equal(actualMemLim, expectedMemLim)
+	r.True(ok)
 
 	// Check that namespaces were applied to the container config
 	config := lexec.container.Config()
-	require.NoError(err)
 
-	require.Contains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWNS})
-	require.Contains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWPID})
-	require.Contains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWIPC})
+	r.Contains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWNS})
+	r.NotContains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWPID})
+	r.NotContains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWIPC})
 
 	// Shut down executor
-	require.NoError(executor.Shutdown("", 0))
+	r.NoError(executor.Shutdown("", 0))
+	executor.Wait(context.Background())
+}
+
+func TestExecutor_IsolationAndConstraints(t *testing.T) {
+	t.Parallel()
+	r := require.New(t)
+	testutil.ExecCompatible(t)
+
+	testExecCmd := testExecutorCommandWithChroot(t)
+	execCmd, allocDir := testExecCmd.command, testExecCmd.allocDir
+	execCmd.Cmd = "/bin/ls"
+	execCmd.Args = []string{"-F", "/", "/etc/"}
+	defer allocDir.Destroy()
+
+	execCmd.ResourceLimits = true
+	execCmd.DefaultModePID = "private"
+	execCmd.DefaultModeIPC = "private"
+
+	executor := NewExecutorWithIsolation(testlog.HCLogger(t))
+	defer executor.Shutdown("SIGKILL", 0)
+
+	ps, err := executor.Launch(execCmd)
+	r.NoError(err)
+	r.NotZero(ps.Pid)
+
+	estate, err := executor.Wait(context.Background())
+	r.NoError(err)
+	r.Zero(estate.ExitCode)
+
+	lexec, ok := executor.(*LibcontainerExecutor)
+	r.True(ok)
+
+	// Check if the resource constraints were applied
+	state, err := lexec.container.State()
+	r.NoError(err)
+
+	memLimits := filepath.Join(state.CgroupPaths["memory"], "memory.limit_in_bytes")
+	data, err := ioutil.ReadFile(memLimits)
+	r.NoError(err)
+
+	expectedMemLim := strconv.Itoa(int(execCmd.Resources.NomadResources.Memory.MemoryMB * 1024 * 1024))
+	actualMemLim := strings.TrimSpace(string(data))
+	r.Equal(actualMemLim, expectedMemLim)
+
+	// Check that namespaces were applied to the container config
+	config := lexec.container.Config()
+
+	r.Contains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWNS})
+	r.Contains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWPID})
+	r.Contains(config.Namespaces, lconfigs.Namespace{Type: lconfigs.NEWIPC})
+
+	// Shut down executor
+	r.NoError(executor.Shutdown("", 0))
 	executor.Wait(context.Background())
 
 	// Check if Nomad has actually removed the cgroups

drivers/shared/executor/proto/executor.pb.go

@@ -41,6 +41,8 @@ type LaunchRequest struct {
 	Devices              []*proto1.Device             `protobuf:"bytes,12,rep,name=devices,proto3" json:"devices,omitempty"`
 	NetworkIsolation     *proto1.NetworkIsolationSpec `protobuf:"bytes,13,opt,name=network_isolation,json=networkIsolation,proto3" json:"network_isolation,omitempty"`
 	NoPivotRoot          bool                         `protobuf:"varint,14,opt,name=no_pivot_root,json=noPivotRoot,proto3" json:"no_pivot_root,omitempty"`
+	DefaultPidMode       string                       `protobuf:"bytes,15,opt,name=default_pid_mode,json=defaultPidMode,proto3" json:"default_pid_mode,omitempty"`
+	DefaultIpcMode       string                       `protobuf:"bytes,16,opt,name=default_ipc_mode,json=defaultIpcMode,proto3" json:"default_ipc_mode,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}                     `json:"-"`
 	XXX_unrecognized     []byte                       `json:"-"`
 	XXX_sizecache        int32                        `json:"-"`
@@ -169,6 +171,20 @@ func (m *LaunchRequest) GetNoPivotRoot() bool {
 	return false
 }
 
+func (m *LaunchRequest) GetDefaultPidMode() string {
+	if m != nil {
+		return m.DefaultPidMode
+	}
+	return ""
+}
+
+func (m *LaunchRequest) GetDefaultIpcMode() string {
+	if m != nil {
+		return m.DefaultIpcMode
+	}
+	return ""
+}
+
 type LaunchResponse struct {
 	Process              *ProcessState `protobuf:"bytes,1,opt,name=process,proto3" json:"process,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
@@ -834,68 +850,70 @@ func init() {
 }
 
 var fileDescriptor_66b85426380683f3 = []byte{
-	// 963 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xdd, 0x6f, 0x1b, 0x45,
-	0x10, 0xef, 0xc5, 0xf1, 0xd7, 0xd8, 0x4e, 0xcc, 0x0a, 0x85, 0xab, 0x79, 0xa8, 0xb9, 0x07, 0x6a,
-	0x41, 0x39, 0x47, 0xe9, 0x17, 0x12, 0x12, 0x45, 0x24, 0x05, 0x21, 0x85, 0x28, 0x3a, 0x17, 0x2a,
-	0xf1, 0xc0, 0xb1, 0xbd, 0x5b, 0x7c, 0xab, 0xd8, 0xb7, 0xc7, 0xee, 0x9e, 0x1b, 0x24, 0x24, 0x78,
-	0xe1, 0x3f, 0x00, 0x89, 0x3f, 0x17, 0xed, 0xd7, 0xc5, 0x4e, 0x4b, 0x75, 0x0e, 0xea, 0x93, 0x77,
-	0xe6, 0xe6, 0x37, 0xbf, 0xd9, 0xd9, 0x99, 0x9f, 0xe1, 0x5e, 0xca, 0xe9, 0x8a, 0x70, 0x31, 0x15,
-	0x19, 0xe6, 0x24, 0x9d, 0x92, 0x4b, 0x92, 0x94, 0x92, 0xf1, 0x69, 0xc1, 0x99, 0x64, 0x95, 0x19,
-	0x6a, 0x13, 0x7d, 0x98, 0x61, 0x91, 0xd1, 0x84, 0xf1, 0x22, 0xcc, 0xd9, 0x12, 0xa7, 0x61, 0xb1,
-	0x28, 0xe7, 0x34, 0x17, 0xe1, 0x66, 0xdc, 0xe8, 0xce, 0x9c, 0xb1, 0xf9, 0x82, 0x98, 0x24, 0x2f,
-	0xca, 0x9f, 0xa7, 0x92, 0x2e, 0x89, 0x90, 0x78, 0x59, 0xd8, 0x80, 0xc0, 0x02, 0xa7, 0x8e, 0xde,
-	0xd0, 0x19, 0xcb, 0xc4, 0x04, 0x7f, 0x34, 0x61, 0x70, 0x8a, 0xcb, 0x3c, 0xc9, 0x22, 0xf2, 0x4b,
-	0x49, 0x84, 0x44, 0x43, 0x68, 0x24, 0xcb, 0xd4, 0xf7, 0xc6, 0xde, 0xa4, 0x1b, 0xa9, 0x23, 0x42,
-	0xb0, 0x8b, 0xf9, 0x5c, 0xf8, 0x3b, 0xe3, 0xc6, 0xa4, 0x1b, 0xe9, 0x33, 0x3a, 0x83, 0x2e, 0x27,
-	0x82, 0x95, 0x3c, 0x21, 0xc2, 0x6f, 0x8c, 0xbd, 0x49, 0xef, 0xe8, 0x30, 0xfc, 0xaf, 0xc2, 0x2d,
-	0xbf, 0xa1, 0x0c, 0x23, 0x87, 0x8b, 0xae, 0x52, 0xa0, 0x3b, 0xd0, 0x13, 0x32, 0x65, 0xa5, 0x8c,
-	0x0b, 0x2c, 0x33, 0x7f, 0x57, 0xb3, 0x83, 0x71, 0x9d, 0x63, 0x99, 0xd9, 0x00, 0xc2, 0xb9, 0x09,
-	0x68, 0x56, 0x01, 0x84, 0x73, 0x1d, 0x30, 0x84, 0x06, 0xc9, 0x57, 0x7e, 0x4b, 0x17, 0xa9, 0x8e,
-	0xaa, 0xee, 0x52, 0x10, 0xee, 0xb7, 0x75, 0xac, 0x3e, 0xa3, 0xdb, 0xd0, 0x91, 0x58, 0x5c, 0xc4,
-	0x29, 0xe5, 0x7e, 0x47, 0xfb, 0xdb, 0xca, 0x3e, 0xa1, 0x1c, 0xdd, 0x85, 0x7d, 0x57, 0x4f, 0xbc,
-	0xa0, 0x4b, 0x2a, 0x85, 0xdf, 0x1d, 0x7b, 0x93, 0x4e, 0xb4, 0xe7, 0xdc, 0xa7, 0xda, 0x8b, 0x0e,
-	0xe1, 0xdd, 0x17, 0x58, 0xd0, 0x24, 0x2e, 0x38, 0x4b, 0x88, 0x10, 0x71, 0x32, 0xe7, 0xac, 0x2c,
-	0x7c, 0xd0, 0xd1, 0x48, 0x7f, 0x3b, 0x37, 0x9f, 0x8e, 0xf5, 0x17, 0x74, 0x02, 0xad, 0x25, 0x2b,
-	0x73, 0x29, 0xfc, 0xde, 0xb8, 0x31, 0xe9, 0x1d, 0xdd, 0xab, 0xd9, 0xaa, 0x6f, 0x15, 0x28, 0xb2,
-	0x58, 0xf4, 0x35, 0xb4, 0x53, 0xb2, 0xa2, 0xaa, 0xe3, 0x7d, 0x9d, 0xe6, 0x93, 0x9a, 0x69, 0x4e,
-	0x34, 0x2a, 0x72, 0x68, 0x94, 0xc1, 0x3b, 0x39, 0x91, 0x2f, 0x19, 0xbf, 0x88, 0xa9, 0x60, 0x0b,
-	0x2c, 0x29, 0xcb, 0xfd, 0x81, 0x7e, 0xc4, 0xcf, 0x6a, 0xa6, 0x3c, 0x33, 0xf8, 0x6f, 0x1c, 0x7c,
-	0x56, 0x90, 0x24, 0x1a, 0xe6, 0xd7, 0xbc, 0x28, 0x80, 0x41, 0xce, 0xe2, 0x82, 0xae, 0x98, 0x8c,
-	0x39, 0x63, 0xd2, 0xdf, 0xd3, 0x3d, 0xea, 0xe5, 0xec, 0x5c, 0xf9, 0x22, 0xc6, 0x64, 0xf0, 0x13,
-	0xec, 0xb9, 0x09, 0x14, 0x05, 0xcb, 0x05, 0x41, 0x67, 0xd0, 0xb6, 0xad, 0xd5, 0x63, 0xd8, 0x3b,
-	0x7a, 0x10, 0xd6, 0xdb, 0x89, 0xd0, 0xb6, 0x7d, 0x26, 0xb1, 0x24, 0x91, 0x4b, 0x12, 0x0c, 0xa0,
-	0xf7, 0x1c, 0x53, 0x69, 0x27, 0x3c, 0xf8, 0x11, 0xfa, 0xc6, 0x7c, 0x4b, 0x74, 0xa7, 0xb0, 0x3f,
-	0xcb, 0x4a, 0x99, 0xb2, 0x97, 0xb9, 0x5b, 0xaa, 0x03, 0x68, 0x09, 0x3a, 0xcf, 0xf1, 0xc2, 0xee,
-	0x95, 0xb5, 0xd0, 0x07, 0xd0, 0x9f, 0x73, 0x9c, 0x90, 0xb8, 0x20, 0x9c, 0xb2, 0xd4, 0xdf, 0x19,
-	0x7b, 0x93, 0x46, 0xd4, 0xd3, 0xbe, 0x73, 0xed, 0x0a, 0x10, 0x0c, 0xaf, 0xb2, 0x99, 0x8a, 0x83,
-	0x0c, 0x0e, 0xbe, 0x2b, 0x52, 0x45, 0x5a, 0xed, 0x92, 0x25, 0xda, 0xd8, 0x4b, 0xef, 0x7f, 0xef,
-	0x65, 0x70, 0x1b, 0xde, 0x7b, 0x85, 0xc9, 0x16, 0x31, 0x84, 0xbd, 0xef, 0x09, 0x17, 0x94, 0xb9,
-	0x5b, 0x06, 0x1f, 0xc3, 0x7e, 0xe5, 0xb1, 0xbd, 0xf5, 0xa1, 0xbd, 0x32, 0x2e, 0x7b, 0x73, 0x67,
-	0x06, 0x1f, 0x41, 0x5f, 0xf5, 0xad, 0xaa, 0x7c, 0x04, 0x1d, 0x9a, 0x4b, 0xc2, 0x57, 0xb6, 0x49,
-	0x8d, 0xa8, 0xb2, 0x83, 0xe7, 0x30, 0xb0, 0xb1, 0x36, 0xed, 0x57, 0xd0, 0x14, 0xca, 0xb1, 0xe5,
-	0x15, 0x9f, 0x61, 0x71, 0x61, 0x12, 0x19, 0x78, 0x70, 0x17, 0x06, 0x33, 0xfd, 0x12, 0xaf, 0x7f,
-	0xa8, 0xa6, 0x7b, 0x28, 0x75, 0x59, 0x17, 0x68, 0xaf, 0x7f, 0x01, 0xbd, 0xa7, 0x97, 0x24, 0x71,
-	0xc0, 0x47, 0xd0, 0x49, 0x09, 0x4e, 0x17, 0x34, 0x27, 0xb6, 0xa8, 0x51, 0x68, 0x04, 0x3a, 0x74,
-	0x02, 0x1d, 0x3e, 0x73, 0x02, 0x1d, 0x55, 0xb1, 0x4e, 0x6e, 0x77, 0x5e, 0x95, 0xdb, 0xc6, 0x95,
-	0xdc, 0x06, 0xc7, 0xd0, 0x37, 0x64, 0xf6, 0xfe, 0x07, 0xd0, 0x62, 0xa5, 0x2c, 0x4a, 0xa9, 0xb9,
-	0xfa, 0x91, 0xb5, 0xd0, 0xfb, 0xd0, 0x25, 0x97, 0x54, 0xc6, 0x09, 0x4b, 0x89, 0xce, 0xd9, 0x8c,
-	0x3a, 0xca, 0x71, 0xcc, 0x52, 0x12, 0xfc, 0xe9, 0x41, 0x7f, 0x7d, 0x62, 0x15, 0x77, 0x41, 0x53,
-	0x7b, 0x53, 0x75, 0x7c, 0x23, 0x7e, 0xad, 0x37, 0x8d, 0xf5, 0xde, 0xa0, 0x10, 0x76, 0xd5, 0x5f,
-	0x8f, 0x16, 0xed, 0x37, 0x5f, 0x5b, 0xc7, 0x1d, 0xfd, 0xdd, 0x85, 0xce, 0x53, 0xbb, 0x48, 0xe8,
-	0x57, 0x68, 0x99, 0xed, 0x47, 0x0f, 0xeb, 0x6e, 0xdd, 0xc6, 0xff, 0xd5, 0xe8, 0xd1, 0xb6, 0x30,
-	0xfb, 0x7e, 0xb7, 0x90, 0x80, 0x5d, 0xa5, 0x03, 0xe8, 0x7e, 0xdd, 0x0c, 0x6b, 0x22, 0x32, 0x7a,
-	0xb0, 0x1d, 0xa8, 0x22, 0xfd, 0x1d, 0x3a, 0x6e, 0x9d, 0xd1, 0xe3, 0xba, 0x39, 0xae, 0xc9, 0xc9,
-	0xe8, 0xd3, 0xed, 0x81, 0x55, 0x01, 0x7f, 0x79, 0xb0, 0x7f, 0x6d, 0xa5, 0xd1, 0xe7, 0x75, 0xf3,
-	0xbd, 0x5e, 0x75, 0x46, 0x4f, 0x6e, 0x8c, 0xaf, 0xca, 0xfa, 0x0d, 0xda, 0x56, 0x3b, 0x50, 0xed,
-	0x17, 0xdd, 0x94, 0x9f, 0xd1, 0xe3, 0xad, 0x71, 0x15, 0xfb, 0x25, 0x34, 0xb5, 0x2e, 0xa0, 0xda,
-	0xcf, 0xba, 0xae, 0x5d, 0xa3, 0x87, 0x5b, 0xa2, 0x1c, 0xef, 0xa1, 0xa7, 0xe6, 0xdf, 0x08, 0x4b,
-	0xfd, 0xf9, 0xdf, 0x50, 0xac, 0xfa, 0xf3, 0x7f, 0x4d, 0xbf, 0xf4, 0xfc, 0xab, 0x35, 0xac, 0x3f,
-	0xff, 0x6b, 0x7a, 0x57, 0x7f, 0xfe, 0xd7, 0x75, 0x2b, 0xb8, 0x85, 0xfe, 0xf1, 0x60, 0xa0, 0x5c,
-	0x33, 0xc9, 0x09, 0x5e, 0xd2, 0x7c, 0x8e, 0x9e, 0xd4, 0x14, 0x6f, 0x85, 0x32, 0x02, 0x6e, 0x91,
-	0xae, 0x94, 0x2f, 0x6e, 0x9e, 0xc0, 0x95, 0x35, 0xf1, 0x0e, 0xbd, 0x2f, 0xdb, 0x3f, 0x34, 0x8d,
-	0x66, 0xb5, 0xf4, 0xcf, 0xfd, 0x7f, 0x03, 0x00, 0x00, 0xff, 0xff, 0x7a, 0x58, 0x36, 0xd5, 0xb8,
-	0x0b, 0x00, 0x00,
+	// 1003 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x5b, 0x6f, 0x1b, 0x45,
+	0x14, 0xee, 0xc6, 0xf1, 0xed, 0xd8, 0x8e, 0xcd, 0x08, 0x85, 0xad, 0x79, 0xa8, 0xd9, 0x07, 0x6a,
+	0x41, 0x59, 0x47, 0xe9, 0x0d, 0x09, 0x89, 0x22, 0x92, 0x82, 0x2a, 0xa5, 0x91, 0xb5, 0x2e, 0x54,
+	0xe2, 0x81, 0x65, 0xba, 0x3b, 0xb5, 0x47, 0xb1, 0x77, 0x96, 0x99, 0x59, 0x37, 0x48, 0x48, 0x3c,
+	0xf1, 0x0f, 0x40, 0xe2, 0x87, 0xf1, 0x83, 0xd0, 0xdc, 0x36, 0x76, 0x5a, 0xaa, 0x75, 0x11, 0x4f,
+	0x9e, 0x39, 0xfe, 0xbe, 0x73, 0x99, 0x73, 0xce, 0xb7, 0x70, 0x27, 0xe5, 0x74, 0x4d, 0xb8, 0x98,
+	0x88, 0x05, 0xe6, 0x24, 0x9d, 0x90, 0x4b, 0x92, 0x14, 0x92, 0xf1, 0x49, 0xce, 0x99, 0x64, 0xe5,
+	0x35, 0xd4, 0x57, 0xf4, 0xf1, 0x02, 0x8b, 0x05, 0x4d, 0x18, 0xcf, 0xc3, 0x8c, 0xad, 0x70, 0x1a,
+	0xe6, 0xcb, 0x62, 0x4e, 0x33, 0x11, 0x6e, 0xe3, 0x86, 0xb7, 0xe6, 0x8c, 0xcd, 0x97, 0xc4, 0x38,
+	0x79, 0x51, 0xbc, 0x9c, 0x48, 0xba, 0x22, 0x42, 0xe2, 0x55, 0x6e, 0x01, 0x81, 0x25, 0x4e, 0x5c,
+	0x78, 0x13, 0xce, 0xdc, 0x0c, 0x26, 0xf8, 0xbb, 0x0e, 0xbd, 0x33, 0x5c, 0x64, 0xc9, 0x22, 0x22,
+	0x3f, 0x17, 0x44, 0x48, 0x34, 0x80, 0x5a, 0xb2, 0x4a, 0x7d, 0x6f, 0xe4, 0x8d, 0xdb, 0x91, 0x3a,
+	0x22, 0x04, 0xfb, 0x98, 0xcf, 0x85, 0xbf, 0x37, 0xaa, 0x8d, 0xdb, 0x91, 0x3e, 0xa3, 0x73, 0x68,
+	0x73, 0x22, 0x58, 0xc1, 0x13, 0x22, 0xfc, 0xda, 0xc8, 0x1b, 0x77, 0x8e, 0x8f, 0xc2, 0x7f, 0x4b,
+	0xdc, 0xc6, 0x37, 0x21, 0xc3, 0xc8, 0xf1, 0xa2, 0x2b, 0x17, 0xe8, 0x16, 0x74, 0x84, 0x4c, 0x59,
+	0x21, 0xe3, 0x1c, 0xcb, 0x85, 0xbf, 0xaf, 0xa3, 0x83, 0x31, 0x4d, 0xb1, 0x5c, 0x58, 0x00, 0xe1,
+	0xdc, 0x00, 0xea, 0x25, 0x80, 0x70, 0xae, 0x01, 0x03, 0xa8, 0x91, 0x6c, 0xed, 0x37, 0x74, 0x92,
+	0xea, 0xa8, 0xf2, 0x2e, 0x04, 0xe1, 0x7e, 0x53, 0x63, 0xf5, 0x19, 0xdd, 0x84, 0x96, 0xc4, 0xe2,
+	0x22, 0x4e, 0x29, 0xf7, 0x5b, 0xda, 0xde, 0x54, 0xf7, 0x53, 0xca, 0xd1, 0x6d, 0xe8, 0xbb, 0x7c,
+	0xe2, 0x25, 0x5d, 0x51, 0x29, 0xfc, 0xf6, 0xc8, 0x1b, 0xb7, 0xa2, 0x03, 0x67, 0x3e, 0xd3, 0x56,
+	0x74, 0x04, 0xef, 0xbf, 0xc0, 0x82, 0x26, 0x71, 0xce, 0x59, 0x42, 0x84, 0x88, 0x93, 0x39, 0x67,
+	0x45, 0xee, 0x83, 0x46, 0x23, 0xfd, 0xdf, 0xd4, 0xfc, 0x75, 0xa2, 0xff, 0x41, 0xa7, 0xd0, 0x58,
+	0xb1, 0x22, 0x93, 0xc2, 0xef, 0x8c, 0x6a, 0xe3, 0xce, 0xf1, 0x9d, 0x8a, 0x4f, 0xf5, 0x54, 0x91,
+	0x22, 0xcb, 0x45, 0xdf, 0x42, 0x33, 0x25, 0x6b, 0xaa, 0x5e, 0xbc, 0xab, 0xdd, 0x7c, 0x56, 0xd1,
+	0xcd, 0xa9, 0x66, 0x45, 0x8e, 0x8d, 0x16, 0xf0, 0x5e, 0x46, 0xe4, 0x2b, 0xc6, 0x2f, 0x62, 0x2a,
+	0xd8, 0x12, 0x4b, 0xca, 0x32, 0xbf, 0xa7, 0x9b, 0xf8, 0x45, 0x45, 0x97, 0xe7, 0x86, 0xff, 0xc4,
+	0xd1, 0x67, 0x39, 0x49, 0xa2, 0x41, 0x76, 0xcd, 0x8a, 0x02, 0xe8, 0x65, 0x2c, 0xce, 0xe9, 0x9a,
+	0xc9, 0x98, 0x33, 0x26, 0xfd, 0x03, 0xfd, 0x46, 0x9d, 0x8c, 0x4d, 0x95, 0x2d, 0x62, 0x4c, 0xa2,
+	0x31, 0x0c, 0x52, 0xf2, 0x12, 0x17, 0x4b, 0x19, 0xe7, 0x34, 0x8d, 0x57, 0x2c, 0x25, 0x7e, 0x5f,
+	0xb7, 0xe6, 0xc0, 0xda, 0xa7, 0x34, 0x7d, 0xca, 0x52, 0xb2, 0x89, 0xa4, 0x79, 0x62, 0x90, 0x83,
+	0x2d, 0xe4, 0x93, 0x3c, 0x51, 0xc8, 0xe0, 0x27, 0x38, 0x70, 0x53, 0x2d, 0x72, 0x96, 0x09, 0x82,
+	0xce, 0xa1, 0x69, 0xdb, 0xa5, 0x47, 0xbb, 0x73, 0x7c, 0x2f, 0xac, 0xb6, 0x67, 0xa1, 0x6d, 0xe5,
+	0x4c, 0x62, 0x49, 0x22, 0xe7, 0x24, 0xe8, 0x41, 0xe7, 0x39, 0xa6, 0xd2, 0x6e, 0x4d, 0xf0, 0x23,
+	0x74, 0xcd, 0xf5, 0x7f, 0x0a, 0x77, 0x06, 0xfd, 0xd9, 0xa2, 0x90, 0x29, 0x7b, 0x95, 0xb9, 0x45,
+	0x3d, 0x84, 0x86, 0xa0, 0xf3, 0x0c, 0x2f, 0xed, 0xae, 0xda, 0x1b, 0xfa, 0x08, 0xba, 0x73, 0x8e,
+	0x13, 0x12, 0xe7, 0x84, 0x53, 0x96, 0xfa, 0x7b, 0x23, 0x6f, 0x5c, 0x8b, 0x3a, 0xda, 0x36, 0xd5,
+	0xa6, 0x00, 0xc1, 0xe0, 0xca, 0x9b, 0xc9, 0x38, 0x58, 0xc0, 0xe1, 0x77, 0x79, 0xaa, 0x82, 0x96,
+	0xfb, 0x69, 0x03, 0x6d, 0xed, 0xba, 0xf7, 0x9f, 0x77, 0x3d, 0xb8, 0x09, 0x1f, 0xbc, 0x16, 0xc9,
+	0x26, 0x31, 0x80, 0x83, 0xef, 0x09, 0x17, 0x94, 0xb9, 0x2a, 0x83, 0x4f, 0xa1, 0x5f, 0x5a, 0xec,
+	0xdb, 0xfa, 0xd0, 0x5c, 0x1b, 0x93, 0xad, 0xdc, 0x5d, 0x83, 0x4f, 0xa0, 0xab, 0xde, 0xad, 0xcc,
+	0x7c, 0x08, 0x2d, 0x9a, 0x49, 0xc2, 0xd7, 0xf6, 0x91, 0x6a, 0x51, 0x79, 0x0f, 0x9e, 0x43, 0xcf,
+	0x62, 0xad, 0xdb, 0x6f, 0xa0, 0x2e, 0x94, 0x61, 0xc7, 0x12, 0x9f, 0x61, 0x71, 0x61, 0x1c, 0x19,
+	0x7a, 0x70, 0x1b, 0x7a, 0x33, 0xdd, 0x89, 0x37, 0x37, 0xaa, 0xee, 0x1a, 0xa5, 0x8a, 0x75, 0x40,
+	0x5b, 0xfe, 0x05, 0x74, 0x1e, 0x5f, 0x92, 0xc4, 0x11, 0x1f, 0x40, 0x2b, 0x25, 0x38, 0x5d, 0xd2,
+	0x8c, 0xd8, 0xa4, 0x86, 0xa1, 0x11, 0xfd, 0xd0, 0x89, 0x7e, 0xf8, 0xcc, 0x89, 0x7e, 0x54, 0x62,
+	0x9d, 0x84, 0xef, 0xbd, 0x2e, 0xe1, 0xb5, 0x2b, 0x09, 0x0f, 0x4e, 0xa0, 0x6b, 0x82, 0xd9, 0xfa,
+	0x0f, 0xa1, 0xc1, 0x0a, 0x99, 0x17, 0x52, 0xc7, 0xea, 0x46, 0xf6, 0x86, 0x3e, 0x84, 0x36, 0xb9,
+	0xa4, 0x32, 0x4e, 0xd4, 0xba, 0xed, 0xe9, 0x0a, 0x5a, 0xca, 0x70, 0xa2, 0x16, 0xed, 0x77, 0x0f,
+	0xba, 0x9b, 0x13, 0xab, 0x62, 0xe7, 0x34, 0xb5, 0x95, 0xaa, 0xe3, 0x5b, 0xf9, 0x1b, 0x6f, 0x53,
+	0xdb, 0x7c, 0x1b, 0x14, 0xc2, 0xbe, 0xfa, 0x9c, 0xe9, 0x0f, 0xc1, 0xdb, 0xcb, 0xd6, 0xb8, 0xe3,
+	0x3f, 0xdb, 0xd0, 0x7a, 0x6c, 0x17, 0x09, 0xfd, 0x02, 0x0d, 0xb3, 0xfd, 0xe8, 0x7e, 0xd5, 0xad,
+	0xdb, 0xfa, 0x06, 0x0e, 0x1f, 0xec, 0x4a, 0xb3, 0xfd, 0xbb, 0x81, 0x04, 0xec, 0x2b, 0x1d, 0x40,
+	0x77, 0xab, 0x7a, 0xd8, 0x10, 0x91, 0xe1, 0xbd, 0xdd, 0x48, 0x65, 0xd0, 0xdf, 0xa0, 0xe5, 0xd6,
+	0x19, 0x3d, 0xac, 0xea, 0xe3, 0x9a, 0x9c, 0x0c, 0x3f, 0xdf, 0x9d, 0x58, 0x26, 0xf0, 0x87, 0x07,
+	0xfd, 0x6b, 0x2b, 0x8d, 0xbe, 0xac, 0xea, 0xef, 0xcd, 0xaa, 0x33, 0x7c, 0xf4, 0xce, 0xfc, 0x32,
+	0xad, 0x5f, 0xa1, 0x69, 0xb5, 0x03, 0x55, 0xee, 0xe8, 0xb6, 0xfc, 0x0c, 0x1f, 0xee, 0xcc, 0x2b,
+	0xa3, 0x5f, 0x42, 0x5d, 0xeb, 0x02, 0xaa, 0xdc, 0xd6, 0x4d, 0xed, 0x1a, 0xde, 0xdf, 0x91, 0xe5,
+	0xe2, 0x1e, 0x79, 0x6a, 0xfe, 0x8d, 0xb0, 0x54, 0x9f, 0xff, 0x2d, 0xc5, 0xaa, 0x3e, 0xff, 0xd7,
+	0xf4, 0x4b, 0xcf, 0xbf, 0x5a, 0xc3, 0xea, 0xf3, 0xbf, 0xa1, 0x77, 0xd5, 0xe7, 0x7f, 0x53, 0xb7,
+	0x82, 0x1b, 0xe8, 0x2f, 0x0f, 0x7a, 0xca, 0x34, 0x93, 0x9c, 0xe0, 0x15, 0xcd, 0xe6, 0xe8, 0x51,
+	0x45, 0xf1, 0x56, 0x2c, 0x23, 0xe0, 0x96, 0xe9, 0x52, 0xf9, 0xea, 0xdd, 0x1d, 0xb8, 0xb4, 0xc6,
+	0xde, 0x91, 0xf7, 0x75, 0xf3, 0x87, 0xba, 0xd1, 0xac, 0x86, 0xfe, 0xb9, 0xfb, 0x4f, 0x00, 0x00,
+	0x00, 0xff, 0xff, 0x4a, 0xf7, 0x34, 0xf9, 0x0c, 0x0c, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.

drivers/shared/executor/proto/executor.proto

@@ -42,6 +42,8 @@ message LaunchRequest {
     repeated hashicorp.nomad.plugins.drivers.proto.Device devices = 12;
     hashicorp.nomad.plugins.drivers.proto.NetworkIsolationSpec network_isolation = 13;
     bool no_pivot_root = 14;
+    string default_pid_mode = 15;
+    string default_ipc_mode = 16;
 }
 
 message LaunchResponse {

drivers/shared/executor/server.go

@@ -35,6 +35,8 @@ func (s *grpcExecutorServer) Launch(ctx context.Context, req *proto.LaunchReques
 		Mounts:             drivers.MountsFromProto(req.Mounts),
 		Devices:            drivers.DevicesFromProto(req.Devices),
 		NetworkIsolation:   drivers.NetworkIsolationSpecFromProto(req.NetworkIsolation),
+		DefaultModePID:     req.DefaultPidMode,
+		DefaultModeIPC:     req.DefaultIpcMode,
 	})
 
 	if err != nil {

website/content/docs/drivers/exec.mdx

@@ -107,7 +107,21 @@ This also applies for running Nomad in -dev mode.
 
 ## Plugin Options
 
-- `no_pivot_root` - Defaults to `false`. When `true`, the driver uses `chroot`
+- `default_pid_mode` `(string: optional)` - Defaults to `"private"`. Set to
+ `"private"` to enable PID namespace isolation for tasks by default, or `"host"` to
+ disable isolation.
+
+!> **Warning:** If set to `"host"`, other processes running as the same user will
+ be able to access sensitive process information like environment variables.
+
+- `default_ipc_mode` `(string: optional)` - Defaults to `"private"`. Set to
+`"private"` to enable IPC namespace isolation for tasks by default,
+ or `"host"` to disable isolation.
+
+!> **Warning:** If set to `"host"`, other processes running as the same user will be
+ able to make use of IPC features, like sending unexpected POSIX signals.
+
+- `no_pivot_root` `(bool: optional)` - Defaults to `false`. When `true`, the driver uses `chroot`
   for file system isolation without `pivot_root`. This is useful for systems
   where the root is on a ramdisk.
 

website/content/docs/drivers/java.mdx

@@ -109,6 +109,22 @@ The `java` driver implements the following [capabilities](/docs/internals/plugin
 | network isolation    | host, group                   |
 | volume mounting      | none, all (only for linux)    |
 
+## Plugin Options
+
+- `default_pid_mode` `(string: optional)` - Defaults to `"private"`. Set to
+ `"private"` to enable PID namespace isolation for tasks by default, or `"host"` to
+ disable isolation.
+
+!> **Warning:** If set to `"host"`, other processes running as the same user will
+ be able to access sensitive process information like environment variables.
+
+- `default_ipc_mode` `(string: optional)` - Defaults to `"private"`. Set to
+`"private"` to enable IPC namespace isolation for tasks by default,
+ or `"host"` to disable isolation.
+
+!> **Warning:** If set to `"host"`, other processes running as the same user will be
+ able to make use of IPC features, like sending unexpected POSIX signals.
+
 ## Client Requirements
 
 The `java` driver requires Java to be installed and in your system's `$PATH`. On