exec driver: folder permissions in chroot env lack execute permissions #1916

Closed
bastiaanb opened this issue Nov 2, 2016 · 6 comments

@bastiaanb
Contributor

bastiaanb commented Nov 2, 2016

Nomad version

Nomad v0.4.1
Nomad v0.5.0-rc1 ('a8c8199e413d387021a15d7a1400c8b8372124d6+CHANGES')

Operating system and Environment details

Linux. Tested on Fedora 24 and CoreOS Stable 1123

Issue

If the chroot_env configuration maps an individual file, the containing folder in the chroot environment lacks execute permissions.

Reproduction steps

  1. Create nomad.conf containing:
data_dir  = "/var/lib/nomad"
log_level = "DEBUG"

client {
  chroot_env {
    "/etc/resolv.conf" = "/etc/resolv.conf"
  }
}
  2. Run the Nomad agent: nomad agent -dev -config=nomad.conf
  3. Run an exec type job, e.g. nomad run helloword.nomad
  4. Inspect the alloc folder: nomad fs <alloc-id> helloworld
  5. The etc folder lacks execute permissions:

Mode Size Modified Time Name
drwxrwxrwx 4.0 KiB 11/02/16 14:04:18 CET alloc/
drwxr-xr-x 4.2 KiB 11/02/16 08:46:32 CET dev/
drw-r--r-- 4.0 KiB 11/02/16 14:04:43 CET etc/
....

Nomad Server logs (if appropriate)

don't provide any details

Nomad Client logs (if appropriate)

don't provide any details

Job file (if appropriate)

Any exec job will do. Helloword.nomad (0.4.1 version):

job "helloworld" {
  datacenters = ["dc1"]
  type = "service"

  update {
    stagger = "5s"
    max_parallel = 1
  }

  group "helloworld" {
    count = 1

    task "helloworld" {
      driver = "exec"
      config {
        command = "helloworld"
      }

      artifact {
        source = "https://storage.googleapis.com/global-datacenter-eu/helloworld/helloworld"
        options {
          checksum = "sha256:ee4751f7b17775e0d34514f0a00b9e92b39a8b859fc00d8e2f69e5aa6cceea4e"
        }
      }

      resources {
        cpu = 100
        disk = 200
        memory = 64
        network {
          mbits = 1
          port "http" {}
        }
      }

      service {
        name = "helloworld"
        tags = ["urlprefix-helloworld.gce.nauts.io/"]
        port = "http"
        check {
          type = "http"
          name = "health"
          interval = "15s"
          timeout = "5s"
          path = "/health"
        }
      }
    }
  }
}
@dadgar
Contributor

dadgar commented Nov 2, 2016

Hey, we mount with the same permissions as the host. Further, we attempt to make the binary specified executable if it is not.

@bastiaanb
Contributor Author

Ha Alex, the issue is not with the file itself, but the containing folder, /etc in this case.

@dadgar
Contributor

dadgar commented Nov 2, 2016

Is the permission of the folder different in the chroot than on the host?

@devendram

I have also seen this issue. I guess it's due to this line: https://github.com/hashicorp/nomad/blob/master/client/allocdir/alloc_dir.go#L317

os.MkdirAll is using the permissions of the particular file (/etc/resolv.conf), which are set for the containing directories as well. So the permissions on /etc/resolv.conf will also be used for the containing dir 'etc', which leads to 'etc' having incorrect permissions (lacking execute).
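
The behaviour described in the comment above, as an added example (not Nomad's code and not written by any participant in this thread): a directory created by os.MkdirAll with a regular file's 0644 mode ends up without the execute (search) bit, so non-root processes cannot traverse it. The names mkdirLike and demo, the temp-dir layout and the resolv.conf content are constructed; taking the mode from the source file's parent directory is an assumed correction, not necessarily the fix Nomad shipped.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// mkdirLike (illustrative helper) creates dir with the permission bits of modeSrc
// and returns the bits dir actually received (MkdirAll still applies the umask).
func mkdirLike(dir, modeSrc string) (os.FileMode, error) {
	fi, err := os.Stat(modeSrc)
	if err != nil {
		return 0, err
	}
	if err := os.MkdirAll(dir, fi.Mode().Perm()); err != nil {
		return 0, err
	}
	if fi, err = os.Stat(dir); err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// demo builds a constructed host tree (etc/ 0755, resolv.conf 0644) and creates
// a chroot etc/ from the file's mode, then (assumed fix) from its parent's mode.
func demo(tmp string) (buggy, fixed os.FileMode, err error) {
	for _, d := range []string{"host/etc", "buggy", "fixed"} {
		if err = os.MkdirAll(filepath.Join(tmp, d), 0o755); err != nil {
			return 0, 0, err
		}
	}
	src := filepath.Join(tmp, "host", "etc", "resolv.conf")
	if err = os.WriteFile(src, []byte("nameserver 192.0.2.53\n"), 0o644); err != nil {
		return 0, 0, err
	}
	if buggy, err = mkdirLike(filepath.Join(tmp, "buggy", "etc"), src); err == nil {
		fixed, err = mkdirLike(filepath.Join(tmp, "fixed", "etc"), filepath.Dir(src))
	}
	return buggy, fixed, err
}

func main() {
	tmp, err := os.MkdirTemp("", "chroot-perm")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	buggy, fixed, err := demo(tmp)
	fmt.Println(os.ModeDir|buggy, os.ModeDir|fixed, err)
}
```

With a typical umask of 022 this prints the same drw-r--r-- mode shown for etc/ in the report, next to drwxr-xr-x for the directory-derived mode.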

@dadgar
Contributor

dadgar commented Nov 7, 2016

@devendram Thanks for pointing that out. Will get this fixed soon.

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 18, 2022