Merge branch 'main' into jrasell/gh-13120-binding-rule-rpc-api

hashicorp · Dec 14, 2022 · 4bc823c · 4bc823c
2 parents 4754d09 + 7dbbf6b
commit 4bc823c
Show file tree

Hide file tree

Showing 38 changed files with 1,089 additions and 322 deletions.
diff --git a/.changelog/15518.txt b/.changelog/15518.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where a crashing plugin could panic the Nomad client
+```
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -3,7 +3,8 @@ name: build
 on:
   push:
     branches:
-      - "main"
+      - main
+      - release/**
   workflow_dispatch:
     inputs:
       build-ref:
@@ -36,7 +37,7 @@ jobs:
         # version, because "goenv" can react to it automatically.
         run: |
           echo "Building with Go $(cat .go-version)"
-          echo "::set-output name=go-version::$(cat .go-version)"
+          echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
   get-product-version:
     runs-on: ubuntu-20.04
     outputs:
@@ -49,7 +50,7 @@ jobs:
         id: get-product-version
         run: |
           make version
-          echo "::set-output name=product-version::$(make version)"
+          echo "product-version=$(make version)" >> $GITHUB_OUTPUT
   generate-metadata-file:
     needs: get-product-version
     runs-on: ubuntu-20.04
@@ -75,7 +76,7 @@ jobs:
 
   build-other:
     needs: [get-go-version, get-product-version]
-    runs-on: ubuntu-20.04
+    runs-on: [ custom, linux, xxl, 20.04 ]
     strategy:
       matrix:
         goos: [windows]
@@ -126,7 +127,7 @@ jobs:
 
   build-linux:
     needs: [get-go-version, get-product-version]
-    runs-on: ubuntu-20.04
+    runs-on: [ custom, linux, xxl, 20.04 ]
     strategy:
       matrix:
         goos: [linux]
@@ -293,7 +294,7 @@ jobs:
   #   needs:
   #     - get-product-version
   #     - build
-  #   runs-on: ubuntu-20.04
+  #   runs-on: [ custom, linux, xxl, 20.04 ]
   #   strategy:
   #     matrix:
   #       arch: ["arm", "arm64", "386", "amd64"]

diff --git a/client/allocrunner/taskrunner/getter/params.go b/client/allocrunner/taskrunner/getter/params.go
@@ -21,12 +21,14 @@ import (
 // e.g. https://www.opencve.io/cve/CVE-2022-41716
 type parameters struct {
 	// Config
-	HTTPReadTimeout time.Duration `json:"http_read_timeout"`
-	HTTPMaxBytes    int64         `json:"http_max_bytes"`
-	GCSTimeout      time.Duration `json:"gcs_timeout"`
-	GitTimeout      time.Duration `json:"git_timeout"`
-	HgTimeout       time.Duration `json:"hg_timeout"`
-	S3Timeout       time.Duration `json:"s3_timeout"`
+	HTTPReadTimeout            time.Duration `json:"http_read_timeout"`
+	HTTPMaxBytes               int64         `json:"http_max_bytes"`
+	GCSTimeout                 time.Duration `json:"gcs_timeout"`
+	GitTimeout                 time.Duration `json:"git_timeout"`
+	HgTimeout                  time.Duration `json:"hg_timeout"`
+	S3Timeout                  time.Duration `json:"s3_timeout"`
+	DisableFilesystemIsolation bool          `json:"disable_filesystem_isolation"`
+	SetEnvironmentVariables    string        `json:"set_environment_variables"`
 
 	// Artifact
 	Mode        getter.ClientMode   `json:"artifact_mode"`
@@ -85,6 +87,10 @@ func (p *parameters) Equal(o *parameters) bool {
 		return false
 	case p.S3Timeout != o.S3Timeout:
 		return false
+	case p.DisableFilesystemIsolation != o.DisableFilesystemIsolation:
+		return false
+	case p.SetEnvironmentVariables != o.SetEnvironmentVariables:
+		return false
 	case p.Mode != o.Mode:
 		return false
 	case p.Source != o.Source:

diff --git a/client/allocrunner/taskrunner/getter/params_test.go b/client/allocrunner/taskrunner/getter/params_test.go
@@ -19,6 +19,8 @@ const paramsAsJSON = `
   "git_timeout": 3000000000,
   "hg_timeout": 4000000000,
   "s3_timeout": 5000000000,
+  "disable_filesystem_isolation": true,
+  "set_environment_variables": "",
   "artifact_mode": 2,
   "artifact_source": "https://example.com/file.txt",
   "artifact_destination": "local/out.txt",
@@ -29,12 +31,13 @@ const paramsAsJSON = `
 }`
 
 var paramsAsStruct = &parameters{
-	HTTPReadTimeout: 1 * time.Second,
-	HTTPMaxBytes:    2000,
-	GCSTimeout:      2 * time.Second,
-	GitTimeout:      3 * time.Second,
-	HgTimeout:       4 * time.Second,
-	S3Timeout:       5 * time.Second,
+	HTTPReadTimeout:            1 * time.Second,
+	HTTPMaxBytes:               2000,
+	GCSTimeout:                 2 * time.Second,
+	GitTimeout:                 3 * time.Second,
+	HgTimeout:                  4 * time.Second,
+	S3Timeout:                  5 * time.Second,
+	DisableFilesystemIsolation: true,
 
 	Mode:        getter.ClientModeFile,
 	Source:      "https://example.com/file.txt",

diff --git a/client/allocrunner/taskrunner/getter/sandbox.go b/client/allocrunner/taskrunner/getter/sandbox.go
@@ -39,20 +39,27 @@ func (s *Sandbox) Get(env interfaces.EnvReplacer, artifact *structs.TaskArtifact
 	dir := getTaskDir(env)
 
 	params := &parameters{
-		HTTPReadTimeout: s.ac.HTTPReadTimeout,
-		HTTPMaxBytes:    s.ac.HTTPMaxBytes,
-		GCSTimeout:      s.ac.GCSTimeout,
-		GitTimeout:      s.ac.GitTimeout,
-		HgTimeout:       s.ac.HgTimeout,
-		S3Timeout:       s.ac.S3Timeout,
-		Mode:            mode,
-		Source:          source,
-		Destination:     destination,
-		Headers:         headers,
-		TaskDir:         dir,
+		// downloader configuration
+		HTTPReadTimeout:            s.ac.HTTPReadTimeout,
+		HTTPMaxBytes:               s.ac.HTTPMaxBytes,
+		GCSTimeout:                 s.ac.GCSTimeout,
+		GitTimeout:                 s.ac.GitTimeout,
+		HgTimeout:                  s.ac.HgTimeout,
+		S3Timeout:                  s.ac.S3Timeout,
+		DisableFilesystemIsolation: s.ac.DisableFilesystemIsolation,
+		SetEnvironmentVariables:    s.ac.SetEnvironmentVariables,
+
+		// artifact configuration
+		Mode:        mode,
+		Source:      source,
+		Destination: destination,
+		Headers:     headers,
+
+		// task environment
+		TaskDir: dir,
 	}
 
-	if err = runCmd(params, s.logger); err != nil {
+	if err = s.runCmd(params); err != nil {
 		return err
 	}
 	return nil

diff --git a/client/allocrunner/taskrunner/getter/util.go b/client/allocrunner/taskrunner/getter/util.go
@@ -5,12 +5,14 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 	"os/exec"
 	"path/filepath"
+	"sort"
 	"strings"
+	"unicode"
 
 	"github.com/hashicorp/go-getter"
-	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/client/interfaces"
 	"github.com/hashicorp/nomad/helper/subproc"
 	"github.com/hashicorp/nomad/nomad/structs"
@@ -96,7 +98,27 @@ func getTaskDir(env interfaces.EnvReplacer) string {
 	return filepath.Dir(p)
 }
 
-func runCmd(env *parameters, logger hclog.Logger) error {
+// environment merges the default minimal environment per-OS with the set of
+// environment variables configured to be inherited from the Client
+func environment(taskDir string, inherit string) []string {
+	chomp := func(s string) []string {
+		return strings.FieldsFunc(s, func(c rune) bool {
+			return c == ',' || unicode.IsSpace(c)
+		})
+	}
+	env := defaultEnvironment(taskDir)
+	for _, name := range chomp(inherit) {
+		env[name] = os.Getenv(name)
+	}
+	result := make([]string, 0, len(env))
+	for k, v := range env {
+		result = append(result, fmt.Sprintf("%s=%s", k, v))
+	}
+	sort.Strings(result)
+	return result
+}
+
+func (s *Sandbox) runCmd(env *parameters) error {
 	// find the nomad process
 	bin := subproc.Self()
 
@@ -107,21 +129,21 @@ func runCmd(env *parameters, logger hclog.Logger) error {
 	// start the subprocess, passing in parameters via stdin
 	output := new(bytes.Buffer)
 	cmd := exec.CommandContext(ctx, bin, SubCommand)
-	cmd.Env = minimalVars(env.TaskDir)
+	cmd.Env = environment(env.TaskDir, env.SetEnvironmentVariables)
 	cmd.Stdin = env.reader()
 	cmd.Stdout = output
 	cmd.Stderr = output
 	cmd.SysProcAttr = attributes()
 
 	// start & wait for the subprocess to terminate
 	if err := cmd.Run(); err != nil {
-		subproc.Log(output, logger.Error)
+		subproc.Log(output, s.logger.Error)
 		return &Error{
 			URL:         env.Source,
 			Err:         fmt.Errorf("getter subprocess failed: %v", err),
 			Recoverable: true,
 		}
 	}
-	subproc.Log(output, logger.Debug)
+	subproc.Log(output, s.logger.Debug)
 	return nil
 }
diff --git a/client/allocrunner/taskrunner/getter/util_default.go b/client/allocrunner/taskrunner/getter/util_default.go
@@ -3,7 +3,6 @@
 package getter
 
 import (
-	"fmt"
 	"path/filepath"
 	"syscall"
 )
@@ -27,13 +26,13 @@ func credentials() (uint32, uint32) {
 	return uint32(uid), uint32(gid)
 }
 
-// minimalVars returns the minimal environment set for artifact
-// downloader sandbox
-func minimalVars(taskDir string) []string {
+// defaultEnvironment is the default minimal environment variables for Unix-like
+// operating systems.
+func defaultEnvironment(taskDir string) map[string]string {
 	tmpDir := filepath.Join(taskDir, "tmp")
-	return []string{
-		fmt.Sprintf("PATH=/usr/local/bin:/usr/bin:/bin"),
-		fmt.Sprintf("TMPDIR=%s", tmpDir),
+	return map[string]string{
+		"PATH":   "/usr/local/bin:/usr/bin:/bin",
+		"TMPDIR": tmpDir,
 	}
 }
 

diff --git a/client/allocrunner/taskrunner/getter/util_linux.go b/client/allocrunner/taskrunner/getter/util_linux.go
@@ -3,7 +3,6 @@
 package getter
 
 import (
-	"fmt"
 	"path/filepath"
 	"syscall"
 
@@ -49,13 +48,12 @@ func credentials() (uint32, uint32) {
 	}
 }
 
-// minimalVars returns the minimal environment set for artifact
-// downloader sandbox
-func minimalVars(taskDir string) []string {
+// defaultEnvironment is the default minimal environment variables for Linux.
+func defaultEnvironment(taskDir string) map[string]string {
 	tmpDir := filepath.Join(taskDir, "tmp")
-	return []string{
-		"PATH=/usr/local/bin:/usr/bin:/bin",
-		fmt.Sprintf("TMPDIR=%s", tmpDir),
+	return map[string]string{
+		"PATH":   "/usr/local/bin:/usr/bin:/bin",
+		"TMPDIR": tmpDir,
 	}
 }