Merge branch 'main' into f-1.3-boogie-nights

.changelog/12252.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: make buttons with confirmation more descriptive of their actions
+```

.changelog/12274.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Enable support for cgroups v2
+```

.changelog/12337.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where single-use access modes were not enforced during validation
+```

.changelog/12352.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where volume snapshot timestamps were always zero values
+```

.changelog/12359.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where plugins written in NodeJS could fail to fingerprint
+```

.changelog/12360.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+csi: Added `-secret` and `-parameter` flags to `volume snapshot create` command
+```

.changelog/12362.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+server: store and check previous Raft protocol version to prevent downgrades
+```

.changelog/12369.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Write peers.json file with correct permissions
+```

.github/workflows/test-core.yaml

@@ -20,6 +20,7 @@ on:
       - 'ui/*'
       - 'website/*'
 env:
+  VERBOSE: 1
   GO_VERSION: 1.17.7
   GOBIN: /usr/local/bin
   GOTESTARCH: amd64
@@ -96,7 +97,7 @@ jobs:
           - client/devicemanager
           - client/dynamicplugins
           - client/fingerprint
-          # - client/lib/...
+          - client/lib/...
           - client/logmon
           - client/pluginmanager
           - client/state
@@ -105,8 +106,8 @@ jobs:
           - client/taskenv
           - command
           - command/agent
-          # - drivers/docker
-          # - drivers/exec
+          - drivers/docker
+          - drivers/exec
           - drivers/java
           - drivers/rawexec
           - helper/...

GNUmakefile

@@ -301,10 +301,7 @@ test-nomad: dev ## Run Nomad test suites
 		-cover \
 		-timeout=20m \
 		-tags "$(GO_TAGS)" \
-		$(GOTEST_PKGS) $(if $(VERBOSE), >test.log ; echo $$? > exit-code)
-	@if [ $(VERBOSE) ] ; then \
-		bash -C "$(PROJECT_ROOT)/scripts/test_check.sh" ; \
-	fi
+		$(GOTEST_PKGS)
 
 .PHONY: test-nomad-module
 test-nomad-module: dev ## Run Nomad test suites on a sub-module
@@ -314,10 +311,7 @@ test-nomad-module: dev ## Run Nomad test suites on a sub-module
 		-cover \
 		-timeout=20m \
 		-tags "$(GO_TAGS)" \
-		./... $(if $(VERBOSE), >test.log ; echo $$? > exit-code)
-	@if [ $(VERBOSE) ] ; then \
-		bash -C "$(PROJECT_ROOT)/scripts/test_check.sh" ; \
-	fi
+		./...
 
 .PHONY: e2e-test
 e2e-test: dev ## Run the Nomad e2e test suite

api/csi.go

@@ -120,6 +120,10 @@ func (v *CSIVolumes) CreateSnapshot(snap *CSISnapshot, w *WriteOptions) (*CSISna
 	req := &CSISnapshotCreateRequest{
 		Snapshots: []*CSISnapshot{snap},
 	}
+	if w == nil {
+		w = &WriteOptions{}
+	}
+	w.SetHeadersFromCSISecrets(snap.Secrets)
 	resp := &CSISnapshotCreateResponse{}
 	meta, err := v.client.write("/v1/volumes/snapshot", req, resp, w)
 	return resp, meta, err

api/go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/kr/pretty v0.3.0
 	github.com/mitchellh/go-testing-interface v1.14.1
 	github.com/mitchellh/mapstructure v1.4.3
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.7.1
 )
 
 require (

api/go.sum

@@ -30,8 +30,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=

client/alloc_endpoint_test.go

@@ -992,6 +992,7 @@ func TestAlloc_ExecStreaming_ACL_WithIsolation_Image(t *testing.T) {
 // TestAlloc_ExecStreaming_ACL_WithIsolation_Chroot asserts that token only needs
 // alloc-exec acl policy when chroot isolation is used
 func TestAlloc_ExecStreaming_ACL_WithIsolation_Chroot(t *testing.T) {
+	ci.SkipSlow(t, "flaky on GHA; too much disk IO")
 	ci.Parallel(t)
 
 	if runtime.GOOS != "linux" || unix.Geteuid() != 0 {

client/allocrunner/testing.go

@@ -75,7 +75,7 @@ func testAllocRunnerConfig(t *testing.T, alloc *structs.Allocation) (*Config, fu
 		PrevAllocMigrator:  allocwatcher.NoopPrevAlloc{},
 		DeviceManager:      devicemanager.NoopMockManager(),
 		DriverManager:      drivermanager.TestDriverManager(t),
-		CpusetManager:      cgutil.NoopCpusetManager(),
+		CpusetManager:      new(cgutil.NoopCpusetManager),
 		ServersContactedCh: make(chan struct{}),
 		ServiceRegWrapper:  wrapper.NewHandlerWrapper(clientConf.Logger, consulRegMock, nomadRegMock),
 	}

client/client.go

@@ -377,7 +377,7 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulProxie
 		invalidAllocs:        make(map[string]struct{}),
 		serversContactedCh:   make(chan struct{}),
 		serversContactedOnce: sync.Once{},
-		cpusetManager:        cgutil.NewCpusetManager(cfg.CgroupParent, logger.Named("cpuset_manager")),
+		cpusetManager:        cgutil.CreateCPUSetManager(cfg.CgroupParent, logger),
 		EnterpriseClient:     newEnterpriseClient(logger),
 	}
 
@@ -675,19 +675,23 @@ func (c *Client) init() error {
 
 	// Ensure cgroups are created on linux platform
 	if runtime.GOOS == "linux" && c.cpusetManager != nil {
-		err := c.cpusetManager.Init()
-		if err != nil {
-			// if the client cannot initialize the cgroup then reserved cores will not be reported and the cpuset manager
-			// will be disabled. this is common when running in dev mode under a non-root user for example
-			c.logger.Warn("could not initialize cpuset cgroup subsystem, cpuset management disabled", "error", err)
-			c.cpusetManager = cgutil.NoopCpusetManager()
+		// use the client configuration for reservable_cores if set
+		cores := c.config.ReservableCores
+		if len(cores) == 0 {
+			// otherwise lookup the effective cores from the parent cgroup
+			cores, _ = cgutil.GetCPUsFromCgroup(c.config.CgroupParent)
+		}
+		if cpuErr := c.cpusetManager.Init(cores); cpuErr != nil {
+			// If the client cannot initialize the cgroup then reserved cores will not be reported and the cpuset manager
+			// will be disabled. this is common when running in dev mode under a non-root user for example.
+			c.logger.Warn("failed to initialize cpuset cgroup subsystem, cpuset management disabled", "error", cpuErr)
+			c.cpusetManager = new(cgutil.NoopCpusetManager)
 		}
 	}
 	return nil
 }
 
-// reloadTLSConnections allows a client to reload its TLS configuration on the
-// fly
+// reloadTLSConnections allows a client to reload its TLS configuration on the fly
 func (c *Client) reloadTLSConnections(newConfig *nconfig.TLSConfig) error {
 	var tlsWrap tlsutil.RegionWrapper
 	if newConfig != nil && newConfig.EnableRPC {

client/config/config.go

@@ -778,7 +778,7 @@ func DefaultConfig() *Config {
 		CNIConfigDir:       "/opt/cni/config",
 		CNIInterfacePrefix: "eth",
 		HostNetworks:       map[string]*structs.ClientHostNetworkConfig{},
-		CgroupParent:       cgutil.DefaultCgroupParent,
+		CgroupParent:       cgutil.GetCgroupParent(""),
 		MaxDynamicPort:     structs.DefaultMinDynamicPort,
 		MinDynamicPort:     structs.DefaultMaxDynamicPort,
 	}

client/fingerprint/cgroup.go

@@ -3,55 +3,86 @@ package fingerprint
 import (
 	"time"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/client/lib/cgutil"
-
-	log "github.com/hashicorp/go-hclog"
 )
 
 const (
+	cgroupAvailable   = "available"
 	cgroupUnavailable = "unavailable"
-	interval          = 15
+
+	cgroupMountPointAttribute = "unique.cgroup.mountpoint"
+	cgroupVersionAttribute    = "unique.cgroup.version"
+
+	cgroupDetectInterval = 15 * time.Second
 )
 
 type CGroupFingerprint struct {
-	logger             log.Logger
+	logger             hclog.Logger
 	lastState          string
 	mountPointDetector MountPointDetector
+	versionDetector    CgroupVersionDetector
 }
 
-// An interface to isolate calls to the cgroup library
-// This facilitates testing where we can implement
-// fake mount points to test various code paths
+// MountPointDetector isolates calls to the cgroup library.
+//
+// This facilitates testing where we can implement fake mount points to test
+// various code paths.
 type MountPointDetector interface {
+	// MountPoint returns a cgroup mount-point.
+	//
+	// In v1, this is one arbitrary subsystem (e.g. /sys/fs/cgroup/cpu).
+	//
+	// In v2, this is the actual root mount point (i.e. /sys/fs/cgroup).
 	MountPoint() (string, error)
 }
 
-// Implements the interface detector which calls the cgroups library directly
+// DefaultMountPointDetector implements the interface detector which calls the cgroups
+// library directly
 type DefaultMountPointDetector struct {
 }
 
 // MountPoint calls out to the default cgroup library.
-func (b *DefaultMountPointDetector) MountPoint() (string, error) {
+func (*DefaultMountPointDetector) MountPoint() (string, error) {
 	return cgutil.FindCgroupMountpointDir()
 }
 
+// CgroupVersionDetector isolates calls to the cgroup library.
+type CgroupVersionDetector interface {
+	// CgroupVersion returns v1 or v2 depending on the cgroups version in use.
+	CgroupVersion() string
+}
+
+// DefaultCgroupVersionDetector implements the version detector which calls the
+// cgroups library directly.
+type DefaultCgroupVersionDetector struct {
+}
+
+func (*DefaultCgroupVersionDetector) CgroupVersion() string {
+	if cgutil.UseV2 {
+		return "v2"
+	}
+	return "v1"
+}
+
 // NewCGroupFingerprint returns a new cgroup fingerprinter
-func NewCGroupFingerprint(logger log.Logger) Fingerprint {
-	f := &CGroupFingerprint{
+func NewCGroupFingerprint(logger hclog.Logger) Fingerprint {
+	return &CGroupFingerprint{
 		logger:             logger.Named("cgroup"),
 		lastState:          cgroupUnavailable,
-		mountPointDetector: &DefaultMountPointDetector{},
+		mountPointDetector: new(DefaultMountPointDetector),
+		versionDetector:    new(DefaultCgroupVersionDetector),
 	}
-	return f
 }
 
 // clearCGroupAttributes clears any node attributes related to cgroups that might
 // have been set in a previous fingerprint run.
 func (f *CGroupFingerprint) clearCGroupAttributes(r *FingerprintResponse) {
-	r.RemoveAttribute("unique.cgroup.mountpoint")
+	r.RemoveAttribute(cgroupMountPointAttribute)
+	r.RemoveAttribute(cgroupVersionAttribute)
 }
 
 // Periodic determines the interval at which the periodic fingerprinter will run.
 func (f *CGroupFingerprint) Periodic() (bool, time.Duration) {
-	return true, interval * time.Second
+	return true, cgroupDetectInterval
 }

client/fingerprint/cgroup_default.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 package fingerprint
 

client/fingerprint/cgroup_linux.go

@@ -1,37 +1,35 @@
 //go:build linux
-// +build linux
 
 package fingerprint
 
 import (
 	"fmt"
 )
 
-const (
-	cgroupAvailable = "available"
-)
-
-// Fingerprint tries to find a valid cgroup mount point
+// Fingerprint tries to find a valid cgroup mount point and the version of cgroups
+// if a mount-point is present.
 func (f *CGroupFingerprint) Fingerprint(req *FingerprintRequest, resp *FingerprintResponse) error {
 	mount, err := f.mountPointDetector.MountPoint()
 	if err != nil {
 		f.clearCGroupAttributes(resp)
-		return fmt.Errorf("Failed to discover cgroup mount point: %s", err)
+		return fmt.Errorf("failed to discover cgroup mount point: %s", err)
 	}
 
-	// Check if a cgroup mount point was found
+	// Check if a cgroup mount point was found.
 	if mount == "" {
-
 		f.clearCGroupAttributes(resp)
-
 		if f.lastState == cgroupAvailable {
-			f.logger.Info("cgroups are unavailable")
+			f.logger.Warn("cgroups are now unavailable")
 		}
 		f.lastState = cgroupUnavailable
 		return nil
 	}
 
-	resp.AddAttribute("unique.cgroup.mountpoint", mount)
+	// Check the version in use.
+	version := f.versionDetector.CgroupVersion()
+
+	resp.AddAttribute(cgroupMountPointAttribute, mount)
+	resp.AddAttribute(cgroupVersionAttribute, version)
 	resp.Detected = true
 
 	if f.lastState == cgroupUnavailable {