Disable host filesystem access by default

[schmichael]

Since host volumes were introduced in Nomad v0.10, operators have a way to explicitly enable which host filesystem paths are accessible by allocations.

Any default behaviors or configurations which allow unrestricted host filesystem access should be disabled by default. The Nomad client agent's configuration must explicitly grant host filesystem access to allocations via host volumes or other explicit configuration parameters.

Task Driver Changes

• docker.volumes.enabled should default to false
• rkt.volumes.enabled should default to false -- also move rkt out of tree Deprecate rkt #6478
• exec/java should already restrict paths to inside the chroot, but this restriction should be verified
• qemu should restrict image paths to the allocation directory.
  • If Nomad v0.10 allowed qemu images to be loaded from any path, a client configuration parameter that whitelists host paths should be added (eg qemu.image_paths = ["/mnt/images"])
• File issues with all community plugins that allow full filesystem access to disable it by default.
  • Lower priority since plugins are (a) outside our control and (b) must be enabled manually already
• raw_exec is already disabled by default and therefore requires no changes

Other Changes

• Audit jobspec parameters to ensure host filesystem access is prevented by default (eg override consul-template blacklist configuration #6075)
• Add note to Upgrade docs on the change and how to enable the old behavior.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.