kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-09 03:45:41 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
17ec5a5aa8218c0ff529b26076a59db96ea91c55
nomad/drivers/shared/executor/proto/executor.proto
Seth Hoenig 191144c3bf drivers/exec: enable setting allow_caps on exec driver 
This PR enables setting allow_caps on the exec driver
plugin configuration, as well as cap_add and cap_drop in
exec task configuration. These options replicate the
functionality already present in the docker task driver.

Important: this change also reduces the default set of
capabilities enabled by the exec driver to match the
default set enabled by the docker driver. Until v1.0.5
the exec task driver would enable all capabilities supported
by the operating system. v1.0.5 removed NET_RAW from that
list of default capabilities, but left may others which
could potentially also be leveraged by compromised tasks.

Important: the "root" user is still special cased when
used with the exec driver. Older versions of Nomad enabled
enabled all capabilities supported by the operating system
for tasks set with the root user. To maintain compatibility
with existing clusters we continue supporting this "feature",
however we maintain support for the legacy set of capabilities
rather than enabling all capabilities now supported on modern
operating systems.
2021-05-17 12:37:40 -06:00

111 lines
2.7 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
package hashicorp.nomad.plugins.executor.proto;
option go_package = "proto";
import "google/protobuf/timestamp.proto";
import "plugins/drivers/proto/driver.proto";
service Executor {
rpc Launch(LaunchRequest) returns (LaunchResponse) {}
rpc Wait(WaitRequest) returns (WaitResponse) {}
rpc Shutdown(ShutdownRequest) returns (ShutdownResponse) {}
rpc UpdateResources(UpdateResourcesRequest) returns (UpdateResourcesResponse) {}
rpc Version(VersionRequest) returns (VersionResponse) {}
rpc Stats(StatsRequest) returns (stream StatsResponse) {}
rpc Signal(SignalRequest) returns (SignalResponse) {}
rpc Exec(ExecRequest) returns (ExecResponse) {}
// buf:lint:ignore RPC_REQUEST_RESPONSE_UNIQUE
rpc ExecStreaming(
stream
// buf:lint:ignore RPC_REQUEST_STANDARD_NAME
hashicorp.nomad.plugins.drivers.proto.ExecTaskStreamingRequest)
returns (
stream
// buf:lint:ignore RPC_RESPONSE_STANDARD_NAME
hashicorp.nomad.plugins.drivers.proto.ExecTaskStreamingResponse
) {}
}
message LaunchRequest {
string cmd = 1;
repeated string args = 2;
hashicorp.nomad.plugins.drivers.proto.Resources resources = 3;
string stdout_path = 4;
string stderr_path = 5;
repeated string env = 6;
string user = 7;
string task_dir = 8;
bool resource_limits = 9;
bool basic_process_cgroup = 10;
repeated hashicorp.nomad.plugins.drivers.proto.Mount mounts = 11;
repeated hashicorp.nomad.plugins.drivers.proto.Device devices = 12;
hashicorp.nomad.plugins.drivers.proto.NetworkIsolationSpec network_isolation = 13;
bool no_pivot_root = 14;
string default_pid_mode = 15;
string default_ipc_mode = 16;
string cpuset_cgroup = 17;
repeated string allow_caps = 18;
}
message LaunchResponse {
ProcessState process = 1;
}
message WaitRequest {}
message WaitResponse{
ProcessState process = 1;
}
message ShutdownRequest {
string signal = 1;
int64 grace_period = 2;
}
message ShutdownResponse {}
message UpdateResourcesRequest{
hashicorp.nomad.plugins.drivers.proto.Resources resources = 1;
}
message UpdateResourcesResponse {}
message VersionRequest {}
message VersionResponse{
string version = 1;
}
message StatsRequest {
int64 interval = 1;
}
message StatsResponse {
hashicorp.nomad.plugins.drivers.proto.TaskStats stats = 1;
}
message SignalRequest {
int32 signal = 1;
}
message SignalResponse {}
message ExecRequest {
google.protobuf.Timestamp deadline = 1;
string cmd = 2;
repeated string args = 3;
}
message ExecResponse {
bytes output = 1;
int32 exit_code = 2;
}
message ProcessState {
int32 pid = 1;
int32 exit_code = 2;
int32 signal = 3;
google.protobuf.Timestamp time = 4;
}
Reference in New Issue View Git Blame Copy Permalink