mirror of
https://github.com/kemko/nomad.git
synced 2026-01-07 02:45:42 +03:00
f1ce127524
* jobspec: add a chown option to artifact block This PR adds a boolean 'chown' field to the artifact block. It indicates whether the Nomad client should chown the downloaded files and directories to be owned by the task.user. This is useful for drivers like raw_exec and exec2 which are subject to the host filesystem user permissions structure. Before, these drivers might not be able to use or manage the downloaded artifacts since they would be owned by the root user on a typical Nomad client configuration. * api: no need for pointer of chown field
112 lines
2.7 KiB
Go
112 lines
2.7 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package getter
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"syscall"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/hashicorp/nomad/client/config"
|
|
"github.com/hashicorp/nomad/client/testutil"
|
|
"github.com/hashicorp/nomad/helper/testlog"
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
|
"github.com/shoenig/test/must"
|
|
)
|
|
|
|
func artifactConfig(timeout time.Duration) *config.ArtifactConfig {
|
|
return &config.ArtifactConfig{
|
|
HTTPReadTimeout: timeout,
|
|
HTTPMaxBytes: 1e6,
|
|
GCSTimeout: timeout,
|
|
GitTimeout: timeout,
|
|
HgTimeout: timeout,
|
|
S3Timeout: timeout,
|
|
}
|
|
}
|
|
|
|
// comprehensive scenarios tested in e2e/artifact
|
|
|
|
func TestSandbox_Get_http(t *testing.T) {
|
|
testutil.RequireRoot(t)
|
|
logger := testlog.HCLogger(t)
|
|
|
|
ac := artifactConfig(10 * time.Second)
|
|
sbox := New(ac, logger)
|
|
|
|
_, taskDir := SetupDir(t)
|
|
env := noopTaskEnv(taskDir)
|
|
|
|
artifact := &structs.TaskArtifact{
|
|
GetterSource: "https://raw.githubusercontent.com/hashicorp/go-set/main/go.mod",
|
|
RelativeDest: "local/downloads",
|
|
}
|
|
|
|
err := sbox.Get(env, artifact, "nobody")
|
|
must.NoError(t, err)
|
|
|
|
b, err := os.ReadFile(filepath.Join(taskDir, "local", "downloads", "go.mod"))
|
|
must.NoError(t, err)
|
|
must.StrContains(t, string(b), "module github.com/hashicorp/go-set")
|
|
}
|
|
|
|
func TestSandbox_Get_insecure_http(t *testing.T) {
|
|
testutil.RequireRoot(t)
|
|
logger := testlog.HCLogger(t)
|
|
|
|
ac := artifactConfig(10 * time.Second)
|
|
sbox := New(ac, logger)
|
|
|
|
_, taskDir := SetupDir(t)
|
|
env := noopTaskEnv(taskDir)
|
|
|
|
srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer srv.Close()
|
|
|
|
artifact := &structs.TaskArtifact{
|
|
GetterSource: srv.URL,
|
|
RelativeDest: "local/downloads",
|
|
}
|
|
|
|
err := sbox.Get(env, artifact, "nobody")
|
|
must.Error(t, err)
|
|
must.StrContains(t, err.Error(), "x509: certificate signed by unknown authority")
|
|
|
|
artifact.GetterInsecure = true
|
|
err = sbox.Get(env, artifact, "nobody")
|
|
must.NoError(t, err)
|
|
}
|
|
|
|
func TestSandbox_Get_chown(t *testing.T) {
|
|
testutil.RequireRoot(t)
|
|
logger := testlog.HCLogger(t)
|
|
|
|
ac := artifactConfig(10 * time.Second)
|
|
sbox := New(ac, logger)
|
|
|
|
_, taskDir := SetupDir(t)
|
|
env := noopTaskEnv(taskDir)
|
|
|
|
artifact := &structs.TaskArtifact{
|
|
GetterSource: "https://raw.githubusercontent.com/hashicorp/go-set/main/go.mod",
|
|
RelativeDest: "local/downloads",
|
|
Chown: true,
|
|
}
|
|
|
|
err := sbox.Get(env, artifact, "nobody")
|
|
must.NoError(t, err)
|
|
|
|
info, err := os.Stat(filepath.Join(taskDir, "local", "downloads"))
|
|
must.NoError(t, err)
|
|
|
|
uid := info.Sys().(*syscall.Stat_t).Uid
|
|
must.Eq(t, 65534, uid) // nobody's conventional uid
|
|
}
|