mirror of
https://github.com/kemko/nomad.git
synced 2026-01-07 02:45:42 +03:00
This PR adjusts the default location of -alloc-mounts-dir path to be a
sibling of the -data-dir path rather than a child. This is because on
production-hardened systems the data dir is supposed to be chmod 0700
owned by root - preventing the exec2 task driver (and others using
unveil file system isolation features) from working properly.
For reference the directory structure from -data-dir now looks like this
after running an example job. Under the alloc_mounts directory, task
specific directories are mode 0710 and owned by the task user (which
may be a dynamic user UID/GID).
➜ sudo tree -p -d -u /tmp/mynomad
[drwxrwxr-x shoenig ]  /tmp/mynomad
├── [drwx--x--x root ]  alloc_mounts
│   └── [drwx--x--- 80552 ]  c753b71d-c6a1-3370-1f59-47ab838fd8a6-mytask
│       ├── [drwxrwxrwx nobody ]  alloc
│       │   ├── [drwxrwxrwx nobody ]  data
│       │   ├── [drwxrwxrwx nobody ]  logs
│       │   └── [drwxrwxrwx nobody ]  tmp
│       ├── [drwxrwxrwx nobody ]  local
│       ├── [drwxr-xr-x root ]  private
│       ├── [drwx--x--- 80552 ]  secrets
│       └── [drwxrwxrwt nobody ]  tmp
└── [drwx------ root ]  data
    ├── [drwx--x--x root ]  alloc
    │   └── [drwxr-xr-x root ]  c753b71d-c6a1-3370-1f59-47ab838fd8a6
    │       ├── [drwxrwxrwx nobody ]  alloc
    │       │   ├── [drwxrwxrwx nobody ]  data
    │       │   ├── [drwxrwxrwx nobody ]  logs
    │       │   └── [drwxrwxrwx nobody ]  tmp
    │       └── [drwx--x--- 80552 ]  mytask
    │           ├── [drwxrwxrwx nobody ]  alloc
    │           │   ├── [drwxrwxrwx nobody ]  data
    │           │   ├── [drwxrwxrwx nobody ]  logs
    │           │   └── [drwxrwxrwx nobody ]  tmp
    │           ├── [drwxrwxrwx nobody ]  local
    │           ├── [drwxrwxrwx nobody ]  private
    │           ├── [drwx--x--- 80552 ]  secrets
    │           └── [drwxrwxrwt nobody ]  tmp
    ├── [drwx------ root ]  client
    └── [drwxr-xr-x root ]  server
        ├── [drwx------ root ]  keystore
        ├── [drwxr-xr-x root ]  raft
        │   └── [drwxr-xr-x root ]  snapshots
        └── [drwxr-xr-x root ]  serf

32 directories
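As an added illustration of why the 0700 data dir blocks a non-root task user while the sibling alloc_mounts layout does not (this is not code from the PR or from Nomad): it models the directory modes from the tree above and walks each path component applying the owner/group/other search-bit check the kernel's DAC check performs. The uid values, the owner uid 1000 for /tmp/mynomad, and the modes of / and /tmp are assumptions constructed for the example.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Dir:
    mode: int  # permission bits only; sticky/setgid bits are irrelevant here
    uid: int
    gid: int


ROOT, TASK = 0, 80552  # TASK is the dynamic task uid/gid shown in the tree
ALLOC = "c753b71d-c6a1-3370-1f59-47ab838fd8a6"

# Constructed from the `tree -p -d -u` listing in the PR; only the
# directories on the two paths being compared are modelled. The owner
# uid of /tmp/mynomad and the modes of / and /tmp are assumptions.
LAYOUT = {
    "/": Dir(0o755, ROOT, ROOT),
    "/tmp": Dir(0o777, ROOT, ROOT),
    "/tmp/mynomad": Dir(0o775, 1000, 1000),
    "/tmp/mynomad/alloc_mounts": Dir(0o711, ROOT, ROOT),
    f"/tmp/mynomad/alloc_mounts/{ALLOC}-mytask": Dir(0o710, TASK, TASK),
    "/tmp/mynomad/data": Dir(0o700, ROOT, ROOT),
    "/tmp/mynomad/data/alloc": Dir(0o711, ROOT, ROOT),
    f"/tmp/mynomad/data/alloc/{ALLOC}": Dir(0o755, ROOT, ROOT),
    f"/tmp/mynomad/data/alloc/{ALLOC}/mytask": Dir(0o710, TASK, TASK),
}


def can_search(d: Dir, uid: int, gids: set) -> bool:
    """Owner/group/other check for the execute (search) bit on a directory."""
    if uid == 0:  # root bypasses DAC via CAP_DAC_READ_SEARCH
        return True
    if uid == d.uid:
        return bool(d.mode & stat.S_IXUSR)
    if d.gid in gids:
        return bool(d.mode & stat.S_IXGRP)
    return bool(d.mode & stat.S_IXOTH)


def first_blocker(path: str, uid: int, gids: set, layout=LAYOUT):
    """Return the first directory on `path` that `uid` cannot search, or None.

    Every ancestor, and the directory itself, must grant search; the first
    one that does not is where open(2) would fail with EACCES.
    """
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts) + 1):
        prefix = "/" + "/".join(parts[:i])
        if not can_search(layout[prefix], uid, gids):
            return prefix
    return None
```

Run against the two task directories, the data-dir path is blocked at `/tmp/mynomad/data` for uid 80552 while the alloc_mounts path is fully traversable; a uid that is neither the task user nor in its group is stopped at the 0710 task directory itself.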