From 56466e77e0c976131eb0f4a27a5efb048098307f Mon Sep 17 00:00:00 2001 From: Thomas Lefebvre Date: Thu, 13 Feb 2020 11:12:46 -0800 Subject: [PATCH] client: support no_pivot_root in exec driver configuration --- drivers/exec/driver.go | 26 ++- drivers/exec/driver_test.go | 34 ++++ drivers/shared/executor/client.go | 1 + drivers/shared/executor/executor.go | 5 + drivers/shared/executor/executor_linux.go | 3 + drivers/shared/executor/proto/executor.pb.go | 164 ++++++++++--------- drivers/shared/executor/proto/executor.proto | 1 + drivers/shared/executor/server.go | 1 + website/pages/docs/drivers/exec.mdx | 7 + 9 files changed, 164 insertions(+), 78 deletions(-) diff --git a/drivers/exec/driver.go b/drivers/exec/driver.go index 6c0bf7c99e03..8d8b46e23b62 100644 --- a/drivers/exec/driver.go +++ b/drivers/exec/driver.go @@ -59,7 +59,12 @@ var ( } // configSpec is the hcl specification returned by the ConfigSchema RPC - configSpec = hclspec.NewObject(map[string]*hclspec.Spec{}) + configSpec = hclspec.NewObject(map[string]*hclspec.Spec{ + "no_pivot_root": hclspec.NewDefault( + hclspec.NewAttr("no_pivot_root", "bool", false), + hclspec.NewLiteral("false"), + ), + }) // taskConfigSpec is the hcl specification for the driver config section of // a task within a job. It is returned in the TaskConfigSchema RPC @@ -88,6 +93,9 @@ type Driver struct { // event can be broadcast to all callers eventer *eventer.Eventer + // config is the driver configuration set by the SetConfig RPC + config Config + // nomadConfig is the client config from nomad nomadConfig *base.ClientDriverConfig 
@@ -111,6 +119,13 @@ type Driver struct { fingerprintLock sync.Mutex } +// Config is the driver configuration set by the SetConfig RPC call +type Config struct { + // NoPivotRoot disables the use of pivot_root, useful when the root partition + // is on ramdisk + NoPivotRoot bool `codec:"no_pivot_root"` +} + // TaskConfig is the driver configuration of a task within a job type TaskConfig struct { Command string `codec:"command"` @@ -171,6 +186,14 @@ func (d *Driver) ConfigSchema() (*hclspec.Spec, error) { } func (d *Driver) SetConfig(cfg *base.Config) error { + var config Config + if len(cfg.PluginConfig) != 0 { + if err := base.MsgPackDecode(cfg.PluginConfig, &config); err != nil { + return err + } + } + + d.config = config if cfg != nil && cfg.AgentConfig != nil { d.nomadConfig = cfg.AgentConfig.Driver } @@ -352,6 +375,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive Env: cfg.EnvList(), User: user, ResourceLimits: true, + NoPivotRoot: d.config.NoPivotRoot, Resources: cfg.Resources, TaskDir: cfg.TaskDir().Dir, StdoutPath: cfg.StdoutPath, diff --git a/drivers/exec/driver_test.go b/drivers/exec/driver_test.go index 747fac64764b..de1138e32cf0 100644 --- a/drivers/exec/driver_test.go +++ b/drivers/exec/driver_test.go @@ -22,6 +22,7 @@ import ( "github.com/hashicorp/nomad/helper/testtask" "github.com/hashicorp/nomad/helper/uuid" "github.com/hashicorp/nomad/nomad/structs" + basePlug "github.com/hashicorp/nomad/plugins/base" "github.com/hashicorp/nomad/plugins/drivers" dtestutil "github.com/hashicorp/nomad/plugins/drivers/testutils" "github.com/hashicorp/nomad/testutil" 
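Review bot: The comment on `Config.NoPivotRoot` says when the flag is useful but not what it costs. Per the exec.mdx hunk in this patch, setting it makes libcontainer fall back to `msMoveRoot`, and a MS_MOVE/chroot jail is generally regarded as weaker filesystem confinement than pivot_root, since it depends on the task not holding privileges that let it leave a chroot. I would extend the field comment to something like `// NoPivotRoot disables pivot_root; isolation then relies on the weaker MS_MOVE/chroot fallback, so leave it false unless the root filesystem is a ramdisk`. The same caveat belongs on `ExecCommand.NoPivotRoot` in executor.go and above `cfg.NoPivotRoot = command.NoPivotRoot` in executor_linux.go. Logging once in SetConfig when the flag is true would also make the reduced isolation visible to operators.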
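Review bot: In the SetConfig hunk, `len(cfg.PluginConfig)` dereferences `cfg` before the pre-existing `cfg != nil` guard a few lines below, so a nil config now panics instead of being tolerated as before. Guard the decode the same way: `if cfg != nil && len(cfg.PluginConfig) != 0 {`. It would also help to document on SetConfig that an empty PluginConfig resets `d.config` to its zero value, so `no_pivot_root` reverts to false. SetConfig's body continues outside the hunk.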
@@ -671,3 +672,36 @@ config { require.EqualValues(t, expected, tc) } + +func TestExecDriver_NoPivotRoot(t *testing.T) { + t.Parallel() + require := require.New(t) + ctestutils.ExecCompatible(t) + + d := NewExecDriver(testlog.HCLogger(t)) + harness := dtestutil.NewDriverHarness(t, d) + + config := &Config{NoPivotRoot: true} + var data []byte + require.NoError(basePlug.MsgPackEncode(&data, config)) + bconfig := &basePlug.Config{PluginConfig: data} + require.NoError(harness.SetConfig(bconfig)) + + task := &drivers.TaskConfig{ + ID: uuid.Generate(), + Name: "sleep", + Resources: testResources, + } + cleanup := harness.MkAllocDir(task, false) + defer cleanup() + + tc := &TaskConfig{ + Command: "/bin/sleep", + Args: []string{"100"}, + } + require.NoError(task.EncodeConcreteDriverConfig(&tc)) + + handle, _, err := harness.StartTask(task) + require.NoError(err) + require.NotNil(handle) +} diff --git a/drivers/shared/executor/client.go b/drivers/shared/executor/client.go index 057518e1f9fa..8271e008e155 100644 --- a/drivers/shared/executor/client.go +++ b/drivers/shared/executor/client.go @@ -41,6 +41,7 @@ func (c *grpcExecutorClient) Launch(cmd *ExecCommand) (*ProcessState, error) { TaskDir: cmd.TaskDir, ResourceLimits: cmd.ResourceLimits, BasicProcessCgroup: cmd.BasicProcessCgroup, + NoPivotRoot: cmd.NoPivotRoot, Mounts: drivers.MountsToProto(cmd.Mounts), Devices: drivers.DevicesToProto(cmd.Devices), NetworkIsolation: drivers.NetworkIsolationSpecToProto(cmd.NetworkIsolation), diff --git a/drivers/shared/executor/executor.go b/drivers/shared/executor/executor.go index 84c6f82251fa..15a41bbce9c3 100644 --- a/drivers/shared/executor/executor.go +++ b/drivers/shared/executor/executor.go 
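Review bot: TestExecDriver_NoPivotRoot starts `/bin/sleep 100` and returns without stopping it, so the task process can outlive the test. Add `require.NoError(harness.DestroyTask(task.ID, true))` after the `require.NotNil(handle)` check, or defer an equivalent right after StartTask succeeds. The test also only proves that StartTask succeeds with the flag set; it would still pass if `NoPivotRoot` were dropped somewhere between the driver config and the executor. If the harness exposes a way to observe it, an assertion on the value that reaches the executor would make this a real regression test for an isolation-relevant setting.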
@@ -121,6 +121,11 @@ type ExecCommand struct { // Using the cgroup does allow more precise cleanup of processes. BasicProcessCgroup bool + // NoPivotRoot disables using pivot_root for isolation, useful when the root + // partition is on a ramdisk which does not support pivot_root, + // see man 2 pivot_root + NoPivotRoot bool + // Mounts are the host paths to be be made available inside rootfs Mounts []*drivers.MountConfig diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go index 7a9c55b8ae7a..77f133a81a55 100644 --- a/drivers/shared/executor/executor_linux.go +++ b/drivers/shared/executor/executor_linux.go @@ -573,6 +573,9 @@ func configureIsolation(cfg *lconfigs.Config, command *ExecCommand) error { // set the new root directory for the container cfg.Rootfs = command.TaskDir + // disable pivot_root if set in the driver's configuration + cfg.NoPivotRoot = command.NoPivotRoot + // launch with mount namespace cfg.Namespaces = lconfigs.Namespaces{ {Type: lconfigs.NEWNS}, diff --git a/drivers/shared/executor/proto/executor.pb.go b/drivers/shared/executor/proto/executor.pb.go index d9a1f15a314f..544a36800069 100644 --- a/drivers/shared/executor/proto/executor.pb.go +++ b/drivers/shared/executor/proto/executor.pb.go @@ -39,6 +39,7 @@ type LaunchRequest struct { Mounts []*proto1.Mount `protobuf:"bytes,11,rep,name=mounts,proto3" json:"mounts,omitempty"` Devices []*proto1.Device `protobuf:"bytes,12,rep,name=devices,proto3" json:"devices,omitempty"` NetworkIsolation *proto1.NetworkIsolationSpec `protobuf:"bytes,13,opt,name=network_isolation,json=networkIsolation,proto3" json:"network_isolation,omitempty"` + NoPivotRoot bool `protobuf:"varint,14,opt,name=no_pivot_root,json=noPivotRoot,proto3" json:"no_pivot_root,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -48,7 +49,7 @@ func (m *LaunchRequest) Reset() { *m = LaunchRequest{} } func (m *LaunchRequest) String() string { return proto.CompactTextString(m) } func (*LaunchRequest) ProtoMessage() {} func (*LaunchRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{0} + return fileDescriptor_executor_cd718424b22c7ed3, []int{0} } func (m *LaunchRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_LaunchRequest.Unmarshal(m, b) @@ -159,6 +160,13 @@ func (m *LaunchRequest) GetNetworkIsolation() *proto1.NetworkIsolationSpec { return nil } +func (m *LaunchRequest) GetNoPivotRoot() bool { + if m != nil { + return m.NoPivotRoot + } + return false +} + type LaunchResponse struct { Process *ProcessState `protobuf:"bytes,1,opt,name=process,proto3" json:"process,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -170,7 +178,7 @@ func (m *LaunchResponse) Reset() { *m = LaunchResponse{} } func (m *LaunchResponse) String() string { return proto.CompactTextString(m) } func (*LaunchResponse) ProtoMessage() {} func (*LaunchResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{1} + return fileDescriptor_executor_cd718424b22c7ed3, []int{1} } func (m *LaunchResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_LaunchResponse.Unmarshal(m, b) @@ -207,7 +215,7 @@ func (m *WaitRequest) Reset() { *m = WaitRequest{} } func (m *WaitRequest) String() string { return proto.CompactTextString(m) } func (*WaitRequest) ProtoMessage() {} func (*WaitRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{2} + return fileDescriptor_executor_cd718424b22c7ed3, []int{2} } func (m *WaitRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_WaitRequest.Unmarshal(m, b) 
@@ -238,7 +246,7 @@ func (m *WaitResponse) Reset() { *m = WaitResponse{} } func (m *WaitResponse) String() string { return proto.CompactTextString(m) } func (*WaitResponse) ProtoMessage() {} func (*WaitResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{3} + return fileDescriptor_executor_cd718424b22c7ed3, []int{3} } func (m *WaitResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_WaitResponse.Unmarshal(m, b) @@ -277,7 +285,7 @@ func (m *ShutdownRequest) Reset() { *m = ShutdownRequest{} } func (m *ShutdownRequest) String() string { return proto.CompactTextString(m) } func (*ShutdownRequest) ProtoMessage() {} func (*ShutdownRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{4} + return fileDescriptor_executor_cd718424b22c7ed3, []int{4} } func (m *ShutdownRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ShutdownRequest.Unmarshal(m, b) @@ -321,7 +329,7 @@ func (m *ShutdownResponse) Reset() { *m = ShutdownResponse{} } func (m *ShutdownResponse) String() string { return proto.CompactTextString(m) } func (*ShutdownResponse) ProtoMessage() {} func (*ShutdownResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{5} + return fileDescriptor_executor_cd718424b22c7ed3, []int{5} } func (m *ShutdownResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ShutdownResponse.Unmarshal(m, b) 
@@ -352,7 +360,7 @@ func (m *UpdateResourcesRequest) Reset() { *m = UpdateResourcesRequest{} func (m *UpdateResourcesRequest) String() string { return proto.CompactTextString(m) } func (*UpdateResourcesRequest) ProtoMessage() {} func (*UpdateResourcesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{6} + return fileDescriptor_executor_cd718424b22c7ed3, []int{6} } func (m *UpdateResourcesRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_UpdateResourcesRequest.Unmarshal(m, b) @@ -389,7 +397,7 @@ func (m *UpdateResourcesResponse) Reset() { *m = UpdateResourcesResponse func (m *UpdateResourcesResponse) String() string { return proto.CompactTextString(m) } func (*UpdateResourcesResponse) ProtoMessage() {} func (*UpdateResourcesResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{7} + return fileDescriptor_executor_cd718424b22c7ed3, []int{7} } func (m *UpdateResourcesResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_UpdateResourcesResponse.Unmarshal(m, b) @@ -419,7 +427,7 @@ func (m *VersionRequest) Reset() { *m = VersionRequest{} } func (m *VersionRequest) String() string { return proto.CompactTextString(m) } func (*VersionRequest) ProtoMessage() {} func (*VersionRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{8} + return fileDescriptor_executor_cd718424b22c7ed3, []int{8} } func (m *VersionRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_VersionRequest.Unmarshal(m, b) 
@@ -450,7 +458,7 @@ func (m *VersionResponse) Reset() { *m = VersionResponse{} } func (m *VersionResponse) String() string { return proto.CompactTextString(m) } func (*VersionResponse) ProtoMessage() {} func (*VersionResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{9} + return fileDescriptor_executor_cd718424b22c7ed3, []int{9} } func (m *VersionResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_VersionResponse.Unmarshal(m, b) @@ -488,7 +496,7 @@ func (m *StatsRequest) Reset() { *m = StatsRequest{} } func (m *StatsRequest) String() string { return proto.CompactTextString(m) } func (*StatsRequest) ProtoMessage() {} func (*StatsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{10} + return fileDescriptor_executor_cd718424b22c7ed3, []int{10} } func (m *StatsRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StatsRequest.Unmarshal(m, b) @@ -526,7 +534,7 @@ func (m *StatsResponse) Reset() { *m = StatsResponse{} } func (m *StatsResponse) String() string { return proto.CompactTextString(m) } func (*StatsResponse) ProtoMessage() {} func (*StatsResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{11} + return fileDescriptor_executor_cd718424b22c7ed3, []int{11} } func (m *StatsResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StatsResponse.Unmarshal(m, b) @@ -564,7 +572,7 @@ func (m *SignalRequest) Reset() { *m = SignalRequest{} } func (m *SignalRequest) String() string { return proto.CompactTextString(m) } func (*SignalRequest) ProtoMessage() {} func (*SignalRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{12} + return fileDescriptor_executor_cd718424b22c7ed3, []int{12} } func (m *SignalRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SignalRequest.Unmarshal(m, b) 
@@ -601,7 +609,7 @@ func (m *SignalResponse) Reset() { *m = SignalResponse{} } func (m *SignalResponse) String() string { return proto.CompactTextString(m) } func (*SignalResponse) ProtoMessage() {} func (*SignalResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{13} + return fileDescriptor_executor_cd718424b22c7ed3, []int{13} } func (m *SignalResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SignalResponse.Unmarshal(m, b) @@ -634,7 +642,7 @@ func (m *ExecRequest) Reset() { *m = ExecRequest{} } func (m *ExecRequest) String() string { return proto.CompactTextString(m) } func (*ExecRequest) ProtoMessage() {} func (*ExecRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{14} + return fileDescriptor_executor_cd718424b22c7ed3, []int{14} } func (m *ExecRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ExecRequest.Unmarshal(m, b) @@ -687,7 +695,7 @@ func (m *ExecResponse) Reset() { *m = ExecResponse{} } func (m *ExecResponse) String() string { return proto.CompactTextString(m) } func (*ExecResponse) ProtoMessage() {} func (*ExecResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{15} + return fileDescriptor_executor_cd718424b22c7ed3, []int{15} } func (m *ExecResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ExecResponse.Unmarshal(m, b) @@ -735,7 +743,7 @@ func (m *ProcessState) Reset() { *m = ProcessState{} } func (m *ProcessState) String() string { return proto.CompactTextString(m) } func (*ProcessState) ProtoMessage() {} func (*ProcessState) Descriptor() ([]byte, []int) { - return fileDescriptor_executor_43dc81e71868eb7b, []int{16} + return fileDescriptor_executor_cd718424b22c7ed3, []int{16} } func (m *ProcessState) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ProcessState.Unmarshal(m, b) 
@@ -1200,69 +1208,71 @@ var _Executor_serviceDesc = grpc.ServiceDesc{ } func init() { - proto.RegisterFile("drivers/shared/executor/proto/executor.proto", fileDescriptor_executor_43dc81e71868eb7b) + proto.RegisterFile("drivers/shared/executor/proto/executor.proto", fileDescriptor_executor_cd718424b22c7ed3) } -var fileDescriptor_executor_43dc81e71868eb7b = []byte{ - // 955 bytes of a gzipped FileDescriptorProto +var fileDescriptor_executor_cd718424b22c7ed3 = []byte{ + // 977 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x5b, 0x6f, 0x1b, 0x45, 0x14, 0xee, 0xc6, 0xf1, 0xed, 0xd8, 0x4e, 0xcc, 0x08, 0x85, 0xad, 0x79, 0xa8, 0xd9, 0x07, 0x6a, 0x41, 0x59, 0x47, 0xe9, 0x0d, 0x09, 0x41, 0x11, 0x49, 0x41, 0x48, 0x21, 0x8a, 0xd6, 0x85, 0x4a, - 0x3c, 0x60, 0x26, 0xbb, 0xc3, 0xee, 0x28, 0xf6, 0xce, 0x32, 0x33, 0xeb, 0x06, 0x09, 0x89, 0x27, - 0xfe, 0x01, 0x48, 0xfc, 0x38, 0x7e, 0x0c, 0x9a, 0xdb, 0xc6, 0x4e, 0x4b, 0xb5, 0x2e, 0xe2, 0xc9, - 0x33, 0x67, 0xcf, 0xf7, 0x9d, 0xcb, 0x9c, 0xf3, 0x19, 0xee, 0x25, 0x9c, 0xae, 0x08, 0x17, 0x53, - 0x91, 0x61, 0x4e, 0x92, 0x29, 0xb9, 0x22, 0x71, 0x29, 0x19, 0x9f, 0x16, 0x9c, 0x49, 0x56, 0x5d, - 0x43, 0x7d, 0x45, 0xef, 0x67, 0x58, 0x64, 0x34, 0x66, 0xbc, 0x08, 0x73, 0xb6, 0xc4, 0x49, 0x58, - 0x2c, 0xca, 0x94, 0xe6, 0x22, 0xdc, 0xf4, 0x1b, 0xdd, 0x49, 0x19, 0x4b, 0x17, 0xc4, 0x90, 0x5c, - 0x94, 0x3f, 0x4d, 0x25, 0x5d, 0x12, 0x21, 0xf1, 0xb2, 0xb0, 0x0e, 0x9f, 0xa6, 0x54, 0x66, 0xe5, - 0x45, 0x18, 0xb3, 0xe5, 0xb4, 0xe2, 0x9c, 0x6a, 0xce, 0xa9, 0xe5, 0x9c, 0xba, 0xcc, 0x4c, 0x26, - 0xe6, 0x66, 0xe0, 0xc1, 0xdf, 0xbb, 0x30, 0x38, 0xc5, 0x65, 0x1e, 0x67, 0x11, 0xf9, 0xb9, 0x24, - 0x42, 0xa2, 0x21, 0x34, 0xe2, 0x65, 0xe2, 0x7b, 0x63, 0x6f, 0xd2, 0x8d, 0xd4, 0x11, 0x21, 0xd8, - 0xc5, 0x3c, 0x15, 0xfe, 0xce, 0xb8, 0x31, 0xe9, 0x46, 0xfa, 0x8c, 0xce, 0xa0, 0xcb, 0x89, 0x60, - 0x25, 0x8f, 0x89, 0xf0, 0x1b, 0x63, 0x6f, 0xd2, 0x3b, 0x3a, 0x0c, 0xff, 0xad, 0x26, 0x1b, 0xdf, - 0x84, 0x0c, 
0x23, 0x87, 0x8b, 0xae, 0x29, 0xd0, 0x1d, 0xe8, 0x09, 0x99, 0xb0, 0x52, 0xce, 0x0b, - 0x2c, 0x33, 0x7f, 0x57, 0x47, 0x07, 0x63, 0x3a, 0xc7, 0x32, 0xb3, 0x0e, 0x84, 0x73, 0xe3, 0xd0, - 0xac, 0x1c, 0x08, 0xe7, 0xda, 0x61, 0x08, 0x0d, 0x92, 0xaf, 0xfc, 0x96, 0x4e, 0x52, 0x1d, 0x55, - 0xde, 0xa5, 0x20, 0xdc, 0x6f, 0x6b, 0x5f, 0x7d, 0x46, 0xb7, 0xa1, 0x23, 0xb1, 0xb8, 0x9c, 0x27, - 0x94, 0xfb, 0x1d, 0x6d, 0x6f, 0xab, 0xfb, 0x09, 0xe5, 0xe8, 0x2e, 0xec, 0xbb, 0x7c, 0xe6, 0x0b, - 0xba, 0xa4, 0x52, 0xf8, 0xdd, 0xb1, 0x37, 0xe9, 0x44, 0x7b, 0xce, 0x7c, 0xaa, 0xad, 0xe8, 0x10, - 0xde, 0xbe, 0xc0, 0x82, 0xc6, 0xf3, 0x82, 0xb3, 0x98, 0x08, 0x31, 0x8f, 0x53, 0xce, 0xca, 0xc2, - 0x07, 0xed, 0x8d, 0xf4, 0xb7, 0x73, 0xf3, 0xe9, 0x58, 0x7f, 0x41, 0x27, 0xd0, 0x5a, 0xb2, 0x32, - 0x97, 0xc2, 0xef, 0x8d, 0x1b, 0x93, 0xde, 0xd1, 0xbd, 0x9a, 0xad, 0xfa, 0x46, 0x81, 0x22, 0x8b, - 0x45, 0x5f, 0x41, 0x3b, 0x21, 0x2b, 0xaa, 0x3a, 0xde, 0xd7, 0x34, 0x1f, 0xd5, 0xa4, 0x39, 0xd1, - 0xa8, 0xc8, 0xa1, 0x51, 0x06, 0x6f, 0xe5, 0x44, 0xbe, 0x60, 0xfc, 0x72, 0x4e, 0x05, 0x5b, 0x60, - 0x49, 0x59, 0xee, 0x0f, 0xf4, 0x23, 0x7e, 0x52, 0x93, 0xf2, 0xcc, 0xe0, 0xbf, 0x76, 0xf0, 0x59, - 0x41, 0xe2, 0x68, 0x98, 0xdf, 0xb0, 0x06, 0x3f, 0xc2, 0x9e, 0x9b, 0x2e, 0x51, 0xb0, 0x5c, 0x10, - 0x74, 0x06, 0x6d, 0xdb, 0x36, 0x3d, 0x62, 0xbd, 0xa3, 0x07, 0x61, 0xbd, 0x55, 0x08, 0x6d, 0x4b, - 0x67, 0x12, 0x4b, 0x12, 0x39, 0x92, 0x60, 0x00, 0xbd, 0xe7, 0x98, 0x4a, 0x3b, 0xbd, 0xc1, 0x0f, - 0xd0, 0x37, 0xd7, 0xff, 0x29, 0xdc, 0x29, 0xec, 0xcf, 0xb2, 0x52, 0x26, 0xec, 0x45, 0xee, 0x16, - 0xe6, 0x00, 0x5a, 0x82, 0xa6, 0x39, 0x5e, 0xd8, 0x9d, 0xb1, 0x37, 0xf4, 0x1e, 0xf4, 0x53, 0x8e, - 0x63, 0x32, 0x2f, 0x08, 0xa7, 0x2c, 0xf1, 0x77, 0xc6, 0xde, 0xa4, 0x11, 0xf5, 0xb4, 0xed, 0x5c, - 0x9b, 0x02, 0x04, 0xc3, 0x6b, 0x36, 0x93, 0x71, 0x90, 0xc1, 0xc1, 0xb7, 0x45, 0xa2, 0x82, 0x56, - 0x7b, 0x62, 0x03, 0x6d, 0xec, 0x9c, 0xf7, 0x9f, 0x77, 0x2e, 0xb8, 0x0d, 0xef, 0xbc, 0x14, 0xc9, - 0x26, 0x31, 0x84, 0xbd, 0xef, 0x08, 0x17, 0x94, 
0xb9, 0x2a, 0x83, 0x0f, 0x61, 0xbf, 0xb2, 0xd8, - 0xde, 0xfa, 0xd0, 0x5e, 0x19, 0x93, 0xad, 0xdc, 0x5d, 0x83, 0x0f, 0xa0, 0xaf, 0xfa, 0x56, 0x65, - 0x3e, 0x82, 0x0e, 0xcd, 0x25, 0xe1, 0x2b, 0xdb, 0xa4, 0x46, 0x54, 0xdd, 0x83, 0xe7, 0x30, 0xb0, - 0xbe, 0x96, 0xf6, 0x4b, 0x68, 0x0a, 0x65, 0xd8, 0xb2, 0xc4, 0x67, 0x58, 0x5c, 0x1a, 0x22, 0x03, - 0x0f, 0xee, 0xc2, 0x60, 0xa6, 0x5f, 0xe2, 0xd5, 0x0f, 0xd5, 0x74, 0x0f, 0xa5, 0x8a, 0x75, 0x8e, - 0xb6, 0xfc, 0x4b, 0xe8, 0x3d, 0xbd, 0x22, 0xb1, 0x03, 0x3e, 0x82, 0x4e, 0x42, 0x70, 0xb2, 0xa0, - 0x39, 0xb1, 0x49, 0x8d, 0x42, 0xa3, 0xcb, 0xa1, 0xd3, 0xe5, 0xf0, 0x99, 0xd3, 0xe5, 0xa8, 0xf2, - 0x75, 0x52, 0xba, 0xf3, 0xb2, 0x94, 0x36, 0xae, 0xa5, 0x34, 0x38, 0x86, 0xbe, 0x09, 0x66, 0xeb, - 0x3f, 0x80, 0x16, 0x2b, 0x65, 0x51, 0x4a, 0x1d, 0xab, 0x1f, 0xd9, 0x1b, 0x7a, 0x17, 0xba, 0xe4, - 0x8a, 0xca, 0x79, 0xcc, 0x12, 0xa2, 0x39, 0x9b, 0x51, 0x47, 0x19, 0x8e, 0x59, 0x42, 0x82, 0xdf, - 0x3d, 0xe8, 0xaf, 0x4f, 0xac, 0x8a, 0x5d, 0xd0, 0xc4, 0x56, 0xaa, 0x8e, 0xaf, 0xc5, 0xaf, 0xf5, - 0xa6, 0xb1, 0xde, 0x1b, 0x14, 0xc2, 0xae, 0xfa, 0xc7, 0xd1, 0x82, 0xfc, 0xfa, 0xb2, 0xb5, 0xdf, - 0xd1, 0x9f, 0x5d, 0xe8, 0x3c, 0xb5, 0x8b, 0x84, 0x7e, 0x81, 0x96, 0xd9, 0x7e, 0xf4, 0xb0, 0xee, - 0xd6, 0x6d, 0xfc, 0x17, 0x8d, 0x1e, 0x6d, 0x0b, 0xb3, 0xef, 0x77, 0x0b, 0x09, 0xd8, 0x55, 0x3a, - 0x80, 0xee, 0xd7, 0x65, 0x58, 0x13, 0x91, 0xd1, 0x83, 0xed, 0x40, 0x55, 0xd0, 0xdf, 0xa0, 0xe3, - 0xd6, 0x19, 0x3d, 0xae, 0xcb, 0x71, 0x43, 0x4e, 0x46, 0x1f, 0x6f, 0x0f, 0xac, 0x12, 0xf8, 0xc3, - 0x83, 0xfd, 0x1b, 0x2b, 0x8d, 0x3e, 0xab, 0xcb, 0xf7, 0x6a, 0xd5, 0x19, 0x3d, 0x79, 0x63, 0x7c, - 0x95, 0xd6, 0xaf, 0xd0, 0xb6, 0xda, 0x81, 0x6a, 0xbf, 0xe8, 0xa6, 0xfc, 0x8c, 0x1e, 0x6f, 0x8d, - 0xab, 0xa2, 0x5f, 0x41, 0x53, 0xeb, 0x02, 0xaa, 0xfd, 0xac, 0xeb, 0xda, 0x35, 0x7a, 0xb8, 0x25, - 0xca, 0xc5, 0x3d, 0xf4, 0xd4, 0xfc, 0x1b, 0x61, 0xa9, 0x3f, 0xff, 0x1b, 0x8a, 0x55, 0x7f, 0xfe, - 0x6f, 0xe8, 0x97, 0x9e, 0x7f, 0xb5, 0x86, 0xf5, 0xe7, 0x7f, 0x4d, 0xef, 0xea, 0xcf, 
0xff, 0xba, - 0x6e, 0x05, 0xb7, 0xd0, 0x5f, 0x1e, 0x0c, 0x94, 0x69, 0x26, 0x39, 0xc1, 0x4b, 0x9a, 0xa7, 0xe8, - 0x49, 0x4d, 0xf1, 0x56, 0x28, 0x23, 0xe0, 0x16, 0xe9, 0x52, 0xf9, 0xfc, 0xcd, 0x09, 0x5c, 0x5a, - 0x13, 0xef, 0xd0, 0xfb, 0xa2, 0xfd, 0x7d, 0xd3, 0x68, 0x56, 0x4b, 0xff, 0xdc, 0xff, 0x27, 0x00, - 0x00, 0xff, 0xff, 0xad, 0xfe, 0x69, 0xb2, 0xaf, 0x0b, 0x00, 0x00, + 0x3c, 0xb0, 0x4c, 0x76, 0x07, 0xef, 0x28, 0xf6, 0xce, 0x32, 0x33, 0xeb, 0x06, 0x09, 0x09, 0x5e, + 0xf8, 0x07, 0x20, 0xf1, 0x73, 0xd1, 0xdc, 0x36, 0x76, 0x5a, 0xaa, 0x75, 0x11, 0x4f, 0x9e, 0x39, + 0x7b, 0xbe, 0xef, 0x5c, 0xe6, 0x9c, 0xcf, 0x70, 0x2f, 0xe5, 0x74, 0x45, 0xb8, 0x98, 0x8a, 0x0c, + 0x73, 0x92, 0x4e, 0xc9, 0x15, 0x49, 0x4a, 0xc9, 0xf8, 0xb4, 0xe0, 0x4c, 0xb2, 0xea, 0x1a, 0xea, + 0x2b, 0x7a, 0x3f, 0xc3, 0x22, 0xa3, 0x09, 0xe3, 0x45, 0x98, 0xb3, 0x25, 0x4e, 0xc3, 0x62, 0x51, + 0xce, 0x69, 0x2e, 0xc2, 0x4d, 0xbf, 0xd1, 0x9d, 0x39, 0x63, 0xf3, 0x05, 0x31, 0x24, 0x17, 0xe5, + 0x4f, 0x53, 0x49, 0x97, 0x44, 0x48, 0xbc, 0x2c, 0xac, 0xc3, 0xa7, 0x73, 0x2a, 0xb3, 0xf2, 0x22, + 0x4c, 0xd8, 0x72, 0x5a, 0x71, 0x4e, 0x35, 0xe7, 0xd4, 0x72, 0x4e, 0x5d, 0x66, 0x26, 0x13, 0x73, + 0x33, 0xf0, 0xe0, 0xf7, 0x26, 0x0c, 0x4e, 0x71, 0x99, 0x27, 0x59, 0x44, 0x7e, 0x2e, 0x89, 0x90, + 0x68, 0x08, 0x8d, 0x64, 0x99, 0xfa, 0xde, 0xd8, 0x9b, 0x74, 0x23, 0x75, 0x44, 0x08, 0x76, 0x31, + 0x9f, 0x0b, 0x7f, 0x67, 0xdc, 0x98, 0x74, 0x23, 0x7d, 0x46, 0x67, 0xd0, 0xe5, 0x44, 0xb0, 0x92, + 0x27, 0x44, 0xf8, 0x8d, 0xb1, 0x37, 0xe9, 0x1d, 0x1d, 0x86, 0xff, 0x56, 0x93, 0x8d, 0x6f, 0x42, + 0x86, 0x91, 0xc3, 0x45, 0xd7, 0x14, 0xe8, 0x0e, 0xf4, 0x84, 0x4c, 0x59, 0x29, 0xe3, 0x02, 0xcb, + 0xcc, 0xdf, 0xd5, 0xd1, 0xc1, 0x98, 0xce, 0xb1, 0xcc, 0xac, 0x03, 0xe1, 0xdc, 0x38, 0x34, 0x2b, + 0x07, 0xc2, 0xb9, 0x76, 0x18, 0x42, 0x83, 0xe4, 0x2b, 0xbf, 0xa5, 0x93, 0x54, 0x47, 0x95, 0x77, + 0x29, 0x08, 0xf7, 0xdb, 0xda, 0x57, 0x9f, 0xd1, 0x6d, 0xe8, 0x48, 0x2c, 0x2e, 0xe3, 0x94, 0x72, + 0xbf, 0xa3, 0xed, 0x6d, 0x75, 0x3f, 0xa1, 0x1c, 0xdd, 
0x85, 0x7d, 0x97, 0x4f, 0xbc, 0xa0, 0x4b, + 0x2a, 0x85, 0xdf, 0x1d, 0x7b, 0x93, 0x4e, 0xb4, 0xe7, 0xcc, 0xa7, 0xda, 0x8a, 0x0e, 0xe1, 0xed, + 0x0b, 0x2c, 0x68, 0x12, 0x17, 0x9c, 0x25, 0x44, 0x88, 0x38, 0x99, 0x73, 0x56, 0x16, 0x3e, 0x68, + 0x6f, 0xa4, 0xbf, 0x9d, 0x9b, 0x4f, 0xc7, 0xfa, 0x0b, 0x3a, 0x81, 0xd6, 0x92, 0x95, 0xb9, 0x14, + 0x7e, 0x6f, 0xdc, 0x98, 0xf4, 0x8e, 0xee, 0xd5, 0x6c, 0xd5, 0x37, 0x0a, 0x14, 0x59, 0x2c, 0xfa, + 0x0a, 0xda, 0x29, 0x59, 0x51, 0xd5, 0xf1, 0xbe, 0xa6, 0xf9, 0xa8, 0x26, 0xcd, 0x89, 0x46, 0x45, + 0x0e, 0x8d, 0x32, 0x78, 0x2b, 0x27, 0xf2, 0x05, 0xe3, 0x97, 0x31, 0x15, 0x6c, 0x81, 0x25, 0x65, + 0xb9, 0x3f, 0xd0, 0x8f, 0xf8, 0x49, 0x4d, 0xca, 0x33, 0x83, 0xff, 0xda, 0xc1, 0x67, 0x05, 0x49, + 0xa2, 0x61, 0x7e, 0xc3, 0x8a, 0x02, 0x18, 0xe4, 0x2c, 0x2e, 0xe8, 0x8a, 0xc9, 0x98, 0x33, 0x26, + 0xfd, 0x3d, 0xdd, 0xa3, 0x5e, 0xce, 0xce, 0x95, 0x2d, 0x62, 0x4c, 0x06, 0x3f, 0xc2, 0x9e, 0x9b, + 0x40, 0x51, 0xb0, 0x5c, 0x10, 0x74, 0x06, 0x6d, 0xdb, 0x5a, 0x3d, 0x86, 0xbd, 0xa3, 0x07, 0x61, + 0xbd, 0x75, 0x09, 0x6d, 0xdb, 0x67, 0x12, 0x4b, 0x12, 0x39, 0x92, 0x60, 0x00, 0xbd, 0xe7, 0x98, + 0x4a, 0x3b, 0xe1, 0xc1, 0x0f, 0xd0, 0x37, 0xd7, 0xff, 0x29, 0xdc, 0x29, 0xec, 0xcf, 0xb2, 0x52, + 0xa6, 0xec, 0x45, 0xee, 0x96, 0xea, 0x00, 0x5a, 0x82, 0xce, 0x73, 0xbc, 0xb0, 0x7b, 0x65, 0x6f, + 0xe8, 0x3d, 0xe8, 0xcf, 0x39, 0x4e, 0x48, 0x5c, 0x10, 0x4e, 0x59, 0xea, 0xef, 0x8c, 0xbd, 0x49, + 0x23, 0xea, 0x69, 0xdb, 0xb9, 0x36, 0x05, 0x08, 0x86, 0xd7, 0x6c, 0x26, 0xe3, 0x20, 0x83, 0x83, + 0x6f, 0x8b, 0x54, 0x05, 0xad, 0x76, 0xc9, 0x06, 0xda, 0xd8, 0x4b, 0xef, 0x3f, 0xef, 0x65, 0x70, + 0x1b, 0xde, 0x79, 0x29, 0x92, 0x4d, 0x62, 0x08, 0x7b, 0xdf, 0x11, 0x2e, 0x28, 0x73, 0x55, 0x06, + 0x1f, 0xc2, 0x7e, 0x65, 0xb1, 0xbd, 0xf5, 0xa1, 0xbd, 0x32, 0x26, 0x5b, 0xb9, 0xbb, 0x06, 0x1f, + 0x40, 0x5f, 0xf5, 0xad, 0xca, 0x7c, 0x04, 0x1d, 0x9a, 0x4b, 0xc2, 0x57, 0xb6, 0x49, 0x8d, 0xa8, + 0xba, 0x07, 0xcf, 0x61, 0x60, 0x7d, 0x2d, 0xed, 0x97, 0xd0, 0x14, 0xca, 0xb0, 0x65, 0x89, 
0xcf, + 0xb0, 0xb8, 0x34, 0x44, 0x06, 0x1e, 0xdc, 0x85, 0xc1, 0x4c, 0xbf, 0xc4, 0xab, 0x1f, 0xaa, 0xe9, + 0x1e, 0x4a, 0x15, 0xeb, 0x1c, 0x6d, 0xf9, 0x97, 0xd0, 0x7b, 0x7a, 0x45, 0x12, 0x07, 0x7c, 0x04, + 0x9d, 0x94, 0xe0, 0x74, 0x41, 0x73, 0x62, 0x93, 0x1a, 0x85, 0x46, 0xbb, 0x43, 0xa7, 0xdd, 0xe1, + 0x33, 0xa7, 0xdd, 0x51, 0xe5, 0xeb, 0xe4, 0x76, 0xe7, 0x65, 0xb9, 0x6d, 0x5c, 0xcb, 0x6d, 0x70, + 0x0c, 0x7d, 0x13, 0xcc, 0xd6, 0x7f, 0x00, 0x2d, 0x56, 0xca, 0xa2, 0x94, 0x3a, 0x56, 0x3f, 0xb2, + 0x37, 0xf4, 0x2e, 0x74, 0xc9, 0x15, 0x95, 0x71, 0xc2, 0x52, 0xa2, 0x39, 0x9b, 0x51, 0x47, 0x19, + 0x8e, 0x59, 0x4a, 0x82, 0x3f, 0x3c, 0xe8, 0xaf, 0x4f, 0xac, 0x8a, 0x5d, 0xd0, 0xd4, 0x56, 0xaa, + 0x8e, 0xaf, 0xc5, 0xaf, 0xf5, 0xa6, 0xb1, 0xde, 0x1b, 0x14, 0xc2, 0xae, 0xfa, 0x57, 0xd2, 0xa2, + 0xfd, 0xfa, 0xb2, 0xb5, 0xdf, 0xd1, 0x5f, 0x5d, 0xe8, 0x3c, 0xb5, 0x8b, 0x84, 0x7e, 0x81, 0x96, + 0xd9, 0x7e, 0xf4, 0xb0, 0xee, 0xd6, 0x6d, 0xfc, 0x5f, 0x8d, 0x1e, 0x6d, 0x0b, 0xb3, 0xef, 0x77, + 0x0b, 0x09, 0xd8, 0x55, 0x3a, 0x80, 0xee, 0xd7, 0x65, 0x58, 0x13, 0x91, 0xd1, 0x83, 0xed, 0x40, + 0x55, 0xd0, 0xdf, 0xa0, 0xe3, 0xd6, 0x19, 0x3d, 0xae, 0xcb, 0x71, 0x43, 0x4e, 0x46, 0x1f, 0x6f, + 0x0f, 0xac, 0x12, 0xf8, 0xd3, 0x83, 0xfd, 0x1b, 0x2b, 0x8d, 0x3e, 0xab, 0xcb, 0xf7, 0x6a, 0xd5, + 0x19, 0x3d, 0x79, 0x63, 0x7c, 0x95, 0xd6, 0xaf, 0xd0, 0xb6, 0xda, 0x81, 0x6a, 0xbf, 0xe8, 0xa6, + 0xfc, 0x8c, 0x1e, 0x6f, 0x8d, 0xab, 0xa2, 0x5f, 0x41, 0x53, 0xeb, 0x02, 0xaa, 0xfd, 0xac, 0xeb, + 0xda, 0x35, 0x7a, 0xb8, 0x25, 0xca, 0xc5, 0x3d, 0xf4, 0xd4, 0xfc, 0x1b, 0x61, 0xa9, 0x3f, 0xff, + 0x1b, 0x8a, 0x55, 0x7f, 0xfe, 0x6f, 0xe8, 0x97, 0x9e, 0x7f, 0xb5, 0x86, 0xf5, 0xe7, 0x7f, 0x4d, + 0xef, 0xea, 0xcf, 0xff, 0xba, 0x6e, 0x05, 0xb7, 0xd0, 0xdf, 0x1e, 0x0c, 0x94, 0x69, 0x26, 0x39, + 0xc1, 0x4b, 0x9a, 0xcf, 0xd1, 0x93, 0x9a, 0xe2, 0xad, 0x50, 0x46, 0xc0, 0x2d, 0xd2, 0xa5, 0xf2, + 0xf9, 0x9b, 0x13, 0xb8, 0xb4, 0x26, 0xde, 0xa1, 0xf7, 0x45, 0xfb, 0xfb, 0xa6, 0xd1, 0xac, 0x96, + 0xfe, 0xb9, 0xff, 0x4f, 0x00, 
0x00, 0x00, 0xff, 0xff, 0xe4, 0xda, 0xad, 0xd5, 0xd3, 0x0b, 0x00, + 0x00, } diff --git a/drivers/shared/executor/proto/executor.proto b/drivers/shared/executor/proto/executor.proto index 06bc1ff9144f..3a1f79a46b96 100644 --- a/drivers/shared/executor/proto/executor.proto +++ b/drivers/shared/executor/proto/executor.proto @@ -31,6 +31,7 @@ message LaunchRequest { repeated hashicorp.nomad.plugins.drivers.proto.Mount mounts = 11; repeated hashicorp.nomad.plugins.drivers.proto.Device devices = 12; hashicorp.nomad.plugins.drivers.proto.NetworkIsolationSpec network_isolation = 13; + bool no_pivot_root = 14; } message LaunchResponse { diff --git a/drivers/shared/executor/server.go b/drivers/shared/executor/server.go index 2b7f8e0e7e12..eb1edc838a3b 100644 --- a/drivers/shared/executor/server.go +++ b/drivers/shared/executor/server.go @@ -31,6 +31,7 @@ func (s *grpcExecutorServer) Launch(ctx context.Context, req *proto.LaunchReques TaskDir: req.TaskDir, ResourceLimits: req.ResourceLimits, BasicProcessCgroup: req.BasicProcessCgroup, + NoPivotRoot: req.NoPivotRoot, Mounts: drivers.MountsFromProto(req.Mounts), Devices: drivers.DevicesFromProto(req.Devices), NetworkIsolation: drivers.NetworkIsolationSpecFromProto(req.NetworkIsolation), diff --git a/website/pages/docs/drivers/exec.mdx b/website/pages/docs/drivers/exec.mdx index d33ca71e98f1..f414f1ee38ed 100644 --- a/website/pages/docs/drivers/exec.mdx +++ b/website/pages/docs/drivers/exec.mdx 
@@ -93,6 +93,13 @@ If you are receiving the error: and using the exec driver, check to ensure that you are running Nomad as root. This also applies for running Nomad in -dev mode. +## Plugin Options + +* `no_pivot_root` - Defaults to `false`. Changing this to `true` will pass the + `NoPivotRoot` configuration option to `libcontainer` which will fall back to + using the `msMoveRoot` function for isolation. This is useful for systems + where the root is on a ramdisk. + ## Client Attributes The `exec` driver will set the following client attributes: