kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-02 00:15:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
65ec00da1d0b61986d19965166983dc4f1b93619
nomad/client/allocdir/fs_linux.go
Tim Gross b25f1b66ce resources: allow job authors to configure size of secrets tmpfs (#23696) 
On supported platforms, the secrets directory is a 1MiB tmpfs. But some tasks
need larger space for downloading large secrets. This is especially the case for
tasks using `templates`, which need extra room to write a temporary file to the
secrets directory that gets renamed to the old file atomically.

This changeset allows increasing the size of the tmpfs in the `resources`
block. Because this is a memory resource, we need to include it in the memory we
allocate for scheduling purposes. The task is already prevented from using more
memory in the tmpfs than the `resources.memory` field allows, but can bypass
that limit by writing to the tmpfs via `template` or `artifact` blocks.

Therefore, we need to account for the size of the tmpfs in the allocation
resources. Simply adding it to the memory needed when we create the allocation
allows it to be accounted for in all downstream consumers, and then we'll
subtract that amount from the memory resources just before configuring the task
driver.

For backwards compatibility, the default value of 1MiB is "free" and ignored by
the scheduler. Otherwise we'd be increasing the allocated resources for every
existing alloc, which could cause problems across upgrades. If a user explicitly
sets `resources.secrets = 1` it will no longer be free.

Fixes: https://github.com/hashicorp/nomad/issues/2481
Ref: https://hashicorp.atlassian.net/browse/NET-10070
2024-08-05 16:06:58 -04:00

107 lines
2.6 KiB
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
//go:build linux
package allocdir
import (
"fmt"
"os"
"path/filepath"
"syscall"
"golang.org/x/sys/unix"
)
const (
// secretMarker is the filename of the marker created so Nomad doesn't
// try to mount the secrets tmpfs more than once
secretMarker = ".nomad-mount"
)
// linkDir bind mounts src to dst as Linux doesn't support hardlinking
// directories.
func linkDir(src, dst string) error {
if err := os.MkdirAll(dst, fileMode777); err != nil {
return err
}
return syscall.Mount(src, dst, "", syscall.MS_BIND, "")
}
// mountDir bind mounts old to next using the given file mode.
func mountDir(old, next string, uid, gid int, mode os.FileMode) error {
if err := os.MkdirAll(next, mode); err != nil {
return err
}
opts := unix.MS_BIND | unix.MS_NOSUID | unix.MS_NOATIME
if err := unix.Mount(old, next, "", uintptr(opts), ""); err != nil {
return err
}
if err := os.Chmod(next, mode); err != nil {
return err
}
return os.Chown(next, uid, gid)
}
// unlinkDir unmounts a bind mounted directory as Linux doesn't support
// hardlinking directories. If the dir is already unmounted no error is
// returned.
func unlinkDir(dir string) error {
if err := syscall.Unmount(dir, 0); err != nil {
if err != syscall.EINVAL {
return err
}
}
return nil
}
// createSecretDir creates the secrets dir folder at the given path using a
// tmpfs
func createSecretDir(dir string, size int) error {
// Only mount the tmpfs if we are root
if unix.Geteuid() == 0 {
if err := os.MkdirAll(dir, fileMode777); err != nil {
return err
}
// Check for marker file and skip mounting if it exists
marker := filepath.Join(dir, secretMarker)
if _, err := os.Stat(marker); err == nil {
return nil
}
flags := uintptr(syscall.MS_NOEXEC)
options := fmt.Sprintf("size=%dm", size)
if err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options); err != nil {
return os.NewSyscallError("mount", err)
}
// Create the marker file so we don't try to mount more than once
f, err := os.OpenFile(marker, os.O_RDWR|os.O_CREATE, fileMode666)
if err != nil {
// Hard fail since if this fails something is really wrong
return err
}
f.Close()
return nil
}
return os.MkdirAll(dir, fileMode777)
}
// createSecretDir removes the secrets dir folder
func removeSecretDir(dir string) error {
if unix.Geteuid() == 0 {
if err := unlinkDir(dir); err != nil {
// Ignore invalid path errors
if err != syscall.ENOENT {
return os.NewSyscallError("unmount", err)
}
}
}
return os.RemoveAll(dir)
}
Reference in New Issue View Git Blame Copy Permalink