Merge branch 'master' of github.com:hashicorp/nomad

2026-01-07 19:05:42 +03:00 · 2016-11-10 15:40:09 -08:00
parent bd82ea6933 3246151848
commit 8ae2262dfa
6 changed files with 28 additions and 21 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,8 +33,6 @@ IMPROVEMENTS:
  * cli: `nomad node-status` shows node metadata in verbose mode [GH-1841]
  * client: Failed RPCs are retried on all servers [GH-1735]
  * client: Fingerprint and driver blacklist support [GH-1949]
-  * client: Enforce shared allocation directory disk usage [GH-1580]
-  * client: Do not validate the command does not contain spaces [GH-1974]
  * client: Introduce a `secrets/` directory to tasks where sensitive data can
    be written [GH-1681]
  * client/jobspec: Add support for templates that can render static files,
@@ -63,6 +61,7 @@ BUG FIXES:
    [GH-1844]
  * client: Prevent race when persisting state file [GH-1682]
  * client: Retry recoverable errors when starting a driver [GH-1891]
+  * client: Do not validate the command does not contain spaces [GH-1974]
  * client: Fix old services not getting removed from consul on update [GH-1668]
  * client: Preserve permissions of nested directories while chrooting [GH-1960]
  * client: Folder permissions are dropped even when not running as root [GH-1888]
--- a/client/consul_template.go
+++ b/client/consul_template.go
@@ -448,13 +448,15 @@ func runnerConfig(config *config.Config, vaultToken string) (*ctconf.Config, err
 	}

 	// Setup the Vault config
+	// Always set these to ensure nothing is picked up from the environment
+	conf.Vault = &ctconf.VaultConfig{
+		RenewToken: false,
+	}
+	set([]string{"vault", "vault.token", "vault.renew_token"})
 	if config.VaultConfig != nil && config.VaultConfig.IsEnabled() {
-		conf.Vault = &ctconf.VaultConfig{
-			Address:    config.VaultConfig.Addr,
-			Token:      vaultToken,
-			RenewToken: false,
-		}
-		set([]string{"vault", "vault.address", "vault.token", "vault.renew_token"})
+		conf.Vault.Address = config.VaultConfig.Addr
+		conf.Vault.Token = vaultToken
+		set([]string{"vault.address"})

 		if strings.HasPrefix(config.VaultConfig.Addr, "https") || config.VaultConfig.TLSCertFile != "" {
 			verify := config.VaultConfig.TLSSkipVerify == nil || !*config.VaultConfig.TLSSkipVerify
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -609,7 +609,7 @@ func (d *DockerDriver) containerBinds(driverConfig *DockerDriverConfig, alloc *a

 		// Relative paths are always allowed as they mount within a container
 		// Expand path relative to alloc dir
-		parts[0] = filepath.Join(shared, parts[0])
+		parts[0] = filepath.Join(taskDir, parts[0])
 		binds = append(binds, strings.Join(parts, ":"))
 	}

--- a/client/driver/docker_test.go
+++ b/client/driver/docker_test.go
@@ -1083,7 +1083,12 @@ func TestDockerDriver_VolumesDisabled(t *testing.T) {
 			t.Fatalf("timeout")
 		}

-		if _, err := ioutil.ReadFile(filepath.Join(execCtx.AllocDir.SharedDir, fn)); err != nil {
+		taskDir, ok := execCtx.AllocDir.TaskDirs[task.Name]
+		if !ok {
+			t.Fatalf("Failed to get task dir")
+		}
+
+		if _, err := ioutil.ReadFile(filepath.Join(taskDir, fn)); err != nil {
 			t.Fatalf("unexpected error reading %s: %v", fn, err)
 		}
 	}
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -207,6 +207,13 @@ func (c *Command) readConfig() *Config {
 		return nil
 	}

+	// Check to see if we should read the Vault token from the environment
+	if config.Vault.Token == "" {
+		if token, ok := os.LookupEnv("VAULT_TOKEN"); ok {
+			config.Vault.Token = token
+		}
+	}
+
 	if dev {
 		// Skip validation for dev mode
 		return config
@@ -278,13 +285,6 @@ func (c *Command) readConfig() *Config {
 		c.Ui.Error("WARNING: Bootstrap mode enabled! Potentially unsafe operation.")
 	}

-	// Check to see if we should read the Vault token from the environment
-	if config.Vault.Token == "" {
-		if token, ok := os.LookupEnv("VAULT_TOKEN"); ok {
-			config.Vault.Token = token
-		}
-	}
-
 	return config
 }

--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
@@ -166,9 +166,10 @@ The `docker` driver supports the following configuration in the job spec:
    ```

 * `volumes` - (Optional) A list of `host_path:container_path` strings to bind
-  host paths to container paths. Mounting host paths outside of the alloc
-  directory tasks normally have access to can be disabled on clients by setting
-  the `docker.volumes.enabled` option set to false.
+  host paths to container paths. Mounting host paths outside of the allocation
+  directory can be disabled on clients by setting the `docker.volumes.enabled`
+  option set to false. This will limit volumes to directories that exist inside
+  the allocation directory.

    ```hcl
    config {
@@ -177,7 +178,7 @@ The `docker` driver supports the following configuration in the job spec:
        "/path/on/host:/path/in/container",

        # Use relative paths to rebind paths already in the allocation dir
-        "relative/to/alloc:/also/in/container"
+        "relative/to/task:/also/in/container"
      ]
    }
    ```