mirror of
https://github.com/kemko/nomad.git
synced 2026-01-07 19:05:42 +03:00
fd1e40537c
This adds artifact inspection after download to detect any issues with the content fetched. Currently this means checking for any symlinks within the artifact that resolve outside the task or allocation directories. On platforms where lockdown is available (some Linux) this inspection is not performed. The inspection can be disabled with the DisableArtifactInspection option. A dedicated option for disabling this behavior allows the DisableFilesystemIsolation option to be enabled but still have artifacts inspected after download.
80 lines
2.1 KiB
Go
80 lines
2.1 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package getter
|
|
|
|
import (
|
|
"github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/nomad/client/config"
|
|
"github.com/hashicorp/nomad/client/interfaces"
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
|
)
|
|
|
|
// New creates a Sandbox with the given ArtifactConfig.
|
|
func New(ac *config.ArtifactConfig, logger hclog.Logger) *Sandbox {
|
|
return &Sandbox{
|
|
logger: logger.Named("artifact"),
|
|
ac: ac,
|
|
}
|
|
}
|
|
|
|
// A Sandbox is used to download artifacts.
|
|
type Sandbox struct {
|
|
logger hclog.Logger
|
|
ac *config.ArtifactConfig
|
|
}
|
|
|
|
func (s *Sandbox) Get(env interfaces.EnvReplacer, artifact *structs.TaskArtifact, user string) error {
|
|
s.logger.Debug("get", "source", artifact.GetterSource, "destination", artifact.RelativeDest, "user", user)
|
|
|
|
source, err := getURL(env, artifact)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
destination, err := getDestination(env, artifact)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
mode := getMode(artifact)
|
|
insecure := isInsecure(artifact)
|
|
headers := getHeaders(env, artifact)
|
|
allocDir, taskDir := getWritableDirs(env)
|
|
|
|
params := ¶meters{
|
|
// downloader configuration
|
|
HTTPReadTimeout: s.ac.HTTPReadTimeout,
|
|
HTTPMaxBytes: s.ac.HTTPMaxBytes,
|
|
GCSTimeout: s.ac.GCSTimeout,
|
|
GitTimeout: s.ac.GitTimeout,
|
|
HgTimeout: s.ac.HgTimeout,
|
|
S3Timeout: s.ac.S3Timeout,
|
|
DecompressionLimitFileCount: s.ac.DecompressionLimitFileCount,
|
|
DecompressionLimitSize: s.ac.DecompressionLimitSize,
|
|
DisableArtifactInspection: s.ac.DisableArtifactInspection,
|
|
DisableFilesystemIsolation: s.ac.DisableFilesystemIsolation,
|
|
FilesystemIsolationExtraPaths: s.ac.FilesystemIsolationExtraPaths,
|
|
SetEnvironmentVariables: s.ac.SetEnvironmentVariables,
|
|
|
|
// artifact configuration
|
|
Mode: mode,
|
|
Insecure: insecure,
|
|
Source: source,
|
|
Destination: destination,
|
|
Headers: headers,
|
|
|
|
// task filesystem
|
|
AllocDir: allocDir,
|
|
TaskDir: taskDir,
|
|
User: user,
|
|
Chown: artifact.Chown,
|
|
}
|
|
|
|
if err = s.runCmd(params); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|