consul: allow non-root Nomad to rewrite token (#24410)

When a task restarts, the Nomad client may need to rewrite the Consul token, but
it's created with permissions that prevent a non-root agent from writing to
it. While Nomad clients should be run as root (currently), it's harmless to
allow whatever user the Nomad agent is running as to be able to write to it, and
that's one less barrier to rootless Nomad.

Ref: https://github.com/hashicorp/nomad/issues/23859#issuecomment-2465757392
Tim Gross
2024-11-19 10:21:14 -05:00
committed by GitHub
parent dc501339da
commit a420732424
2 changed files with 4 additions and 1 deletions

.changelog/24410.txt Normal file

@@ -0,0 +1,3 @@
```release-note:bug
consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart
```
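Review bot: The release note describes only the symptom and does not mention that the token file's mode changes from 0440 to 0640. Operators who audit or enforce permissions inside the task secrets directory would want that stated, so consider adding a clause such as "the token file is now created with mode 0640" to the note text.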


@@ -25,7 +25,7 @@ const (
// consulTokenFilePerms is the level of file permissions granted on the file in
// the secrets directory for the task
consulTokenFilePerms = 0440
consulTokenFilePerms = 0640
)
type consulHook struct {
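Review bot: The comment above consulTokenFilePerms still says only what the constant is, not why the owner write bit is now set. Add a sentence that 0640 lets the user the agent runs as rewrite the token on task restart, while group stays read-only and others get no access. Separately, a mode constant only takes effect when the file is created: if the restart path reuses an existing file, tokens written at 0440 before the upgrade stay unwritable for a non-root agent, so confirm that path replaces the file or resets its mode. The commit touches only the changelog and this file, so a test that rewrites the token as a non-root user would also be worth adding.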