From a420732424590eb792abc729744d2c1f168d2ca4 Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Tue, 19 Nov 2024 10:21:14 -0500 Subject: [PATCH] consul: allow non-root Nomad to rewrite token (#24410) When a task restarts, the Nomad client may need to rewrite the Consul token, but it's created with permissions that prevent a non-root agent from writing to it. While Nomad clients should be run as root (currently), it's harmless to allow whatever user the Nomad agent is running as to be able to write to it, and that's one less barrier to rootless Nomad. Ref: https://github.com/hashicorp/nomad/issues/23859#issuecomment-2465757392 --- .changelog/24410.txt | 3 +++ client/allocrunner/taskrunner/consul_hook.go | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 .changelog/24410.txt diff --git a/.changelog/24410.txt b/.changelog/24410.txt new file mode 100644 index 000000000..92d5913a5 --- /dev/null +++ b/.changelog/24410.txt @@ -0,0 +1,3 @@ +```release-note:bug +consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart +``` diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go index a6ecbadfc..e8b03cc76 100644 --- a/client/allocrunner/taskrunner/consul_hook.go +++ b/client/allocrunner/taskrunner/consul_hook.go @@ -25,7 +25,7 @@ const ( // consulTokenFilePerms is the level of file permissions granted on the file in // the secrets directory for the task - consulTokenFilePerms = 0440 + consulTokenFilePerms = 0640 ) type consulHook struct {
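Review bot: the changelog entry in .changelog/24410.txt names the symptom but not the concrete change (the token file mode moving from 0440 to 0640); operators who audit file modes under the task secrets directory will want that stated, e.g. "...on task restart (token file is now written 0640 instead of 0440)".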
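Review bot: in the consul_hook.go hunk, changing consulTokenFilePerms from 0440 to 0640 only affects the mode given when the file is created; a token file left behind at 0440 by an earlier agent version would still reject the rewrite on restart unless the write path chmods it or removes and recreates it, so please confirm which of those the caller does. The comment above the constant should also say why owner write is now granted (non-root agent must be able to rewrite the token on task restart), and a unit test asserting the resulting file mode would keep the value from silently regressing.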