backport of commit cdf483a

hashicorp · Mar 13, 2023 · f1ce164 · f1ce164
1 parent 7d77901
commit f1ce164
Show file tree

Hide file tree

Showing 73 changed files with 651 additions and 783 deletions.
diff --git a/.changelog/16099.txt b/.changelog/16099.txt
diff --git a/.changelog/16221.txt b/.changelog/16221.txt
diff --git a/.changelog/16243.txt b/.changelog/16243.txt
diff --git a/.changelog/16375.txt b/.changelog/16375.txt
diff --git a/.changelog/16434.txt b/.changelog/16434.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+plugin: Add missing fields to `TaskConfig` so they can be accessed by external task drivers
+```
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/api/agent.go b/api/agent.go
@@ -113,7 +113,7 @@ func (a *Agent) Region() (string, error) {
 
 // Join is used to instruct a server node to join another server
 // via the gossip protocol. Multiple addresses may be specified.
-// We attempt to join all the hosts in the list. Returns the
+// We attempt to join all of the hosts in the list. Returns the
 // number of nodes successfully joined and any error. If one or
 // more nodes have a successful result, no error is returned.
 func (a *Agent) Join(addrs ...string) (int, error) {

diff --git a/api/agent_test.go b/api/agent_test.go
@@ -1,15 +1,13 @@
 package api
 
 import (
-	"fmt"
 	"sort"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/hashicorp/nomad/api/internal/testutil"
 	"github.com/shoenig/test/must"
-	"github.com/shoenig/test/wait"
 )
 
 func TestAgent_Self(t *testing.T) {
@@ -112,43 +110,7 @@ func TestAgent_ForceLeave(t *testing.T) {
 	err := a.ForceLeave("nope")
 	must.NoError(t, err)
 
-	// Force-leave on an existing node
-	_, s2 := makeClient(t, nil, func(c *testutil.TestServerConfig) {
-		c.Server.BootstrapExpect = 0
-	})
-	defer s2.Stop()
-	// Create a new node to join
-	n, err := a.Join(s2.SerfAddr)
-	must.NoError(t, err)
-	must.One(t, n)
-
-	membersBefore, err := a.MembersOpts(&QueryOptions{})
-	must.Eq(t, membersBefore.Members[1].Status, "alive")
-
-	err = a.ForceLeave(membersBefore.Members[1].Name)
-	must.NoError(t, err)
-
-	time.Sleep(3 * time.Second)
-
-	f := func() error {
-		membersAfter, err := a.MembersOpts(&QueryOptions{})
-		if err != nil {
-			return err
-		}
-		for _, node := range membersAfter.Members {
-			if node.Name == membersBefore.Members[1].Name {
-				if node.Status != "leaving" {
-					return fmt.Errorf("node did not leave")
-				}
-			}
-		}
-		return nil
-	}
-	must.Wait(t, wait.InitialSuccess(
-		wait.ErrorFunc(f),
-		wait.Timeout(3*time.Second),
-		wait.Gap(100*time.Millisecond),
-	))
+	// TODO: test force-leave on an existing node
 }
 
 func (a *AgentMember) String() string {

diff --git a/api/go.mod b/api/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-rootcerts v1.0.2
 	github.com/mitchellh/go-testing-interface v1.14.1
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/shoenig/test v0.6.2
+	github.com/shoenig/test v0.6.1
 	golang.org/x/exp v0.0.0-20230108222341-4b8118a2686a
 )
 

diff --git a/api/go.sum b/api/go.sum
@@ -25,8 +25,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/shoenig/test v0.6.2 h1:tdq+WGnznwE5xcOMXkqqXuudK75RkSGBazBGcP1lX6w=
-github.com/shoenig/test v0.6.2/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/shoenig/test v0.6.1 h1:TVIih3yGvaH8Yci2OedB/NAhOC9UlNi5+ajCVyMPflg=
+github.com/shoenig/test v0.6.1/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

diff --git a/api/nodes.go b/api/nodes.go
@@ -35,7 +35,7 @@ func (c *Client) Nodes() *Nodes {
 	return &Nodes{client: c}
 }
 
-// List is used to list out all the nodes
+// List is used to list out all of the nodes
 func (n *Nodes) List(q *QueryOptions) ([]*NodeListStub, *QueryMeta, error) {
 	var resp NodeIndexSort
 	qm, err := n.client.query("/v1/nodes", &resp, q)

diff --git a/ci/skip_non_root.go b/ci/skip_non_root.go
diff --git a/client/allocrunner/taskrunner/artifact_hook_test.go b/client/allocrunner/taskrunner/artifact_hook_test.go
@@ -160,7 +160,6 @@ func TestTaskRunner_ArtifactHook_PartialDone(t *testing.T) {
 // TestTaskRunner_ArtifactHook_ConcurrentDownloadSuccess asserts that the artifact hook
 // download multiple files concurrently. this is a successful test without any errors.
 func TestTaskRunner_ArtifactHook_ConcurrentDownloadSuccess(t *testing.T) {
-	ci.SkipTestWithoutRootAccess(t)
 	t.Parallel()
 
 	me := &mockEmitter{}

diff --git a/client/allocrunner/taskrunner/getter/util_linux.go b/client/allocrunner/taskrunner/getter/util_linux.go
@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"syscall"
 
+	"github.com/hashicorp/nomad/helper/users"
 	"github.com/shoenig/go-landlock"
 )
 
@@ -36,10 +37,16 @@ func attributes() *syscall.SysProcAttr {
 }
 
 // credentials returns the UID and GID of the user the child process
-// will run as - for now this is always the same user the Nomad agent is
-// running as.
+// will run as. On Linux systems this will be the nobody user if Nomad
+// is being run as the root user, or the user Nomad is being run as
+// otherwise.
 func credentials() (uint32, uint32) {
-	return userUID, userGID
+	switch userUID {
+	case 0:
+		return users.NobodyIDs()
+	default:
+		return userUID, userGID
+	}
 }
 
 // defaultEnvironment is the default minimal environment variables for Linux.

diff --git a/client/allocrunner/taskrunner/task_runner_test.go b/client/allocrunner/taskrunner/task_runner_test.go
@@ -1729,7 +1729,6 @@ func TestTaskRunner_DeriveToken_Unrecoverable(t *testing.T) {
 // TestTaskRunner_Download_RawExec asserts that downloaded artifacts may be
 // executed in a driver without filesystem isolation.
 func TestTaskRunner_Download_RawExec(t *testing.T) {
-	ci.SkipTestWithoutRootAccess(t)
 	ci.Parallel(t)
 
 	ts := httptest.NewServer(http.FileServer(http.Dir(filepath.Dir("."))))

diff --git a/command/job_plan.go b/command/job_plan.go
@@ -262,10 +262,6 @@ func (c *JobPlanCommand) Run(args []string) int {
 		runArgs.WriteString(fmt.Sprintf("-var-file=%q ", varFile))
 	}
 
-	if c.namespace != "" {
-		runArgs.WriteString(fmt.Sprintf("-namespace=%q ", c.namespace))
-	}
-
 	exitCode := c.outputPlannedJob(job, resp, diff, verbose)
 	c.Ui.Output(c.Colorize().Color(formatJobModifyIndex(resp.JobModifyIndex, runArgs.String(), path)))
 	return exitCode

diff --git a/command/operator_raft_list.go b/command/operator_raft_list.go
@@ -2,7 +2,6 @@ package command
 
 import (
 	"fmt"
-	"sort"
 	"strings"
 
 	"github.com/hashicorp/nomad/api"
@@ -85,10 +84,6 @@ func (c *OperatorRaftListCommand) Run(args []string) int {
 
 	// Format it as a nice table.
 	result := []string{"Node|ID|Address|State|Voter|RaftProtocol"}
-	sort.Slice(reply.Servers, func(i, j int) bool {
-		return reply.Servers[i].Node < reply.Servers[j].Node
-	})
-
 	for _, s := range reply.Servers {
 		state := "follower"
 		if s.Leader {

diff --git a/drivers/docker/driver.go b/drivers/docker/driver.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"os"
 	"path/filepath"
@@ -804,7 +805,7 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
 			}
 		}
 		if con[0] == "seccomp" && con[1] != "unconfined" {
-			f, err := os.ReadFile(con[1])
+			f, err := ioutil.ReadFile(con[1])
 			if err != nil {
 				return securityOpts, fmt.Errorf("opening seccomp profile (%s) failed: %v", con[1], err)
 			}

diff --git a/drivers/docker/driver_linux_test.go b/drivers/docker/driver_linux_test.go
@@ -4,6 +4,7 @@ package docker
 
 import (
 	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -24,7 +25,7 @@ func TestDockerDriver_authFromHelper(t *testing.T) {
 	helperContent := []byte(fmt.Sprintf("#!/bin/sh\ncat > %s/helper-$1.out;echo '%s'", dir, helperPayload))
 
 	helperFile := filepath.Join(dir, "docker-credential-testnomad")
-	err := os.WriteFile(helperFile, helperContent, 0777)
+	err := ioutil.WriteFile(helperFile, helperContent, 0777)
 	require.NoError(t, err)
 
 	path := os.Getenv("PATH")
@@ -40,7 +41,7 @@ func TestDockerDriver_authFromHelper(t *testing.T) {
 	if _, err := os.Stat(filepath.Join(dir, "helper-get.out")); os.IsNotExist(err) {
 		t.Fatalf("Expected helper-get.out to exist")
 	}
-	content, err := os.ReadFile(filepath.Join(dir, "helper-get.out"))
+	content, err := ioutil.ReadFile(filepath.Join(dir, "helper-get.out"))
 	require.NoError(t, err)
 	require.Equal(t, "registry.local:5000", string(content))
 }
@@ -86,7 +87,7 @@ func TestDockerDriver_PidsLimit(t *testing.T) {
 	outputFile := filepath.Join(task.TaskDir().LogDir, "redis-demo.stderr.0")
 	exp := "can't fork"
 	tu.WaitForResult(func() (bool, error) {
-		act, err := os.ReadFile(outputFile)
+		act, err := ioutil.ReadFile(outputFile)
 		if err != nil {
 			return false, err
 		}

diff --git a/drivers/docker/driver_test.go b/drivers/docker/driver_test.go
@@ -3,8 +3,8 @@ package docker
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
 	"math/rand"
-	"os"
 	"path/filepath"
 	"reflect"
 	"runtime"
@@ -397,7 +397,7 @@ func TestDockerDriver_Start_LoadImage(t *testing.T) {
 
 	// Check that data was written to the shared alloc directory.
 	outputFile := filepath.Join(task.TaskDir().LocalDir, "output")
-	act, err := os.ReadFile(outputFile)
+	act, err := ioutil.ReadFile(outputFile)
 	if err != nil {
 		t.Fatalf("Couldn't read expected output: %v", err)
 	}
@@ -524,7 +524,7 @@ func TestDockerDriver_Start_Wait_AllocDir(t *testing.T) {
 
 	// Check that data was written to the shared alloc directory.
 	outputFile := filepath.Join(task.TaskDir().SharedAllocDir, file)
-	act, err := os.ReadFile(outputFile)
+	act, err := ioutil.ReadFile(outputFile)
 	if err != nil {
 		t.Fatalf("Couldn't read expected output: %v", err)
 	}
@@ -2143,7 +2143,7 @@ func TestDockerDriver_VolumesDisabled(t *testing.T) {
 			t.Fatalf("timeout")
 		}
 
-		if _, err := os.ReadFile(filepath.Join(task.TaskDir().Dir, fn)); err != nil {
+		if _, err := ioutil.ReadFile(filepath.Join(task.TaskDir().Dir, fn)); err != nil {
 			t.Fatalf("unexpected error reading %s: %v", fn, err)
 		}
 	}
@@ -2201,7 +2201,7 @@ func TestDockerDriver_VolumesEnabled(t *testing.T) {
 		t.Fatalf("timeout")
 	}
 
-	if _, err := os.ReadFile(hostpath); err != nil {
+	if _, err := ioutil.ReadFile(hostpath); err != nil {
 		t.Fatalf("unexpected error reading %s: %v", hostpath, err)
 	}
 }

diff --git a/drivers/exec/driver_test.go b/drivers/exec/driver_test.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -352,7 +353,7 @@ func TestExecDriver_NoOrphans(t *testing.T) {
 			return false, fmt.Errorf("task PID is zero")
 		}
 
-		children, err := os.ReadFile(fmt.Sprintf("/proc/%d/task/%d/children", taskState.Pid, taskState.Pid))
+		children, err := ioutil.ReadFile(fmt.Sprintf("/proc/%d/task/%d/children", taskState.Pid, taskState.Pid))
 		if err != nil {
 			return false, fmt.Errorf("error reading /proc for children: %v", err)
 		}
@@ -508,7 +509,7 @@ func TestExecDriver_Start_Wait_AllocDir(t *testing.T) {
 
 	// Check that data was written to the shared alloc directory.
 	outputFile := filepath.Join(task.TaskDir().SharedAllocDir, file)
-	act, err := os.ReadFile(outputFile)
+	act, err := ioutil.ReadFile(outputFile)
 	require.NoError(t, err)
 	require.Exactly(t, exp, act)
 
@@ -623,7 +624,7 @@ func TestExecDriver_DevicesAndMounts(t *testing.T) {
 
 	tmpDir := t.TempDir()
 
-	err := os.WriteFile(filepath.Join(tmpDir, "testfile"), []byte("from-host"), 600)
+	err := ioutil.WriteFile(filepath.Join(tmpDir, "testfile"), []byte("from-host"), 600)
 	require.NoError(t, err)
 
 	ctx, cancel := context.WithCancel(context.Background())
@@ -660,8 +661,8 @@ func TestExecDriver_DevicesAndMounts(t *testing.T) {
 		},
 	}
 
-	require.NoError(t, os.WriteFile(task.StdoutPath, []byte{}, 660))
-	require.NoError(t, os.WriteFile(task.StderrPath, []byte{}, 660))
+	require.NoError(t, ioutil.WriteFile(task.StdoutPath, []byte{}, 660))
+	require.NoError(t, ioutil.WriteFile(task.StderrPath, []byte{}, 660))
 
 	tc := &TaskConfig{
 		Command: "/bin/bash",
@@ -690,23 +691,23 @@ exit 0
 	result := <-ch
 	require.NoError(t, harness.DestroyTask(task.ID, true))
 
-	stdout, err := os.ReadFile(task.StdoutPath)
+	stdout, err := ioutil.ReadFile(task.StdoutPath)
 	require.NoError(t, err)
 	require.Equal(t, `mounted device /inserted-random: 1:8
 reading from ro path: from-host
 reading from rw path: from-host
 overwriting file in rw succeeded
 writing new file in rw succeeded`, strings.TrimSpace(string(stdout)))
 
-	stderr, err := os.ReadFile(task.StderrPath)
+	stderr, err := ioutil.ReadFile(task.StderrPath)
 	require.NoError(t, err)
 	require.Equal(t, `touch: cannot touch '/tmp/task-path-ro/testfile': Read-only file system
 touch: cannot touch '/tmp/task-path-ro/testfile-from-ro': Read-only file system`, strings.TrimSpace(string(stderr)))
 
 	// testing exit code last so we can inspect output first
 	require.Zero(t, result.ExitCode)
 
-	fromRWContent, err := os.ReadFile(filepath.Join(tmpDir, "testfile-from-rw"))
+	fromRWContent, err := ioutil.ReadFile(filepath.Join(tmpDir, "testfile-from-rw"))
 	require.NoError(t, err)
 	require.Equal(t, "from-exec", strings.TrimSpace(string(fromRWContent)))
 }

diff --git a/drivers/exec/driver_unix_test.go b/drivers/exec/driver_unix_test.go
@@ -88,7 +88,6 @@ func TestExecDriver_StartWaitStop(t *testing.T) {
 }
 
 func TestExec_ExecTaskStreaming(t *testing.T) {
-	ci.SkipTestWithoutRootAccess(t)
 	ci.Parallel(t)
 
 	ctx, cancel := context.WithCancel(context.Background())