client: deprecate loading plugins without config #19189
Conversation
Nomad load all plugins from `plugin_dir` regardless if it is listed in the agent configuration file. This can cause unexpected binaries to be executed. This commit begins the deprecation process of this behaviour. The Nomad agent will emit a warning log for every plugin binary found without a corresponding agent configuration block.
There was a problem hiding this comment.
The existing autoloading behavior is nice in that you can manage plugins without restarting the Nomad agent. This simplifies operations, packaging, and scripting.
Furthermore it seems unlikely an attacker able to write to the plugin_dir couldn't stage other attacks on the system as well.
That being said "seems unlikely" is a poor security posture, and the closest HashiCorp prior art I could find is Vault's plugin system which has an explicit register-before-use step: https://developer.hashicorp.com/vault/docs/plugins/plugin-management
So let's ship this. We could add an autoload_plugins = true|false agent configuration knob to control this behavior, but I think we should wait for that feature request. Nomad already has no many knobs that subtlety change security properties I would hate to add more without good reason.
Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
Nomad load all plugins from `plugin_dir` regardless if it is listed in the agent configuration file. This can cause unexpected binaries to be executed. This commit begins the deprecation process of this behaviour. The Nomad agent will emit a warning log for every plugin binary found without a corresponding agent configuration block. --------- Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
Nomad load all plugins from `plugin_dir` regardless if it is listed in the agent configuration file. This can cause unexpected binaries to be executed. This commit begins the deprecation process of this behaviour. The Nomad agent will emit a warning log for every plugin binary found without a corresponding agent configuration block. --------- Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
Nomad load all plugins from
plugin_dirregardless if it is listed in the agent configuration file. This can cause unexpected binaries to be executed.This commit begins the deprecation process of this behaviour. The Nomad agent will emit a warning log for every plugin binary found without a corresponding agent configuration block.
Ref: #18529