Backport of csi: prevent panic on volume delete into release/1.6.x #18243
Commits on Jul 11, 2023
np: update docs and add test for nil lists (#17899)
Document and test that if a namespace does not provide an `allow` or `deny` list then those are treated as `nil` and have a different behaviour from an empty list (`[]string{}`).
e2e: do not set a user for raw_exec tasks (#17901)
Cannot set a user for raw_exec tasks, because doing so does not work with the 0700 root-owned client data directory that we set up in the e2e cluster in accordance with the Nomad hardening guide.
docs: add plugin docs for pledge task driver (#17823)
* docs: add plugin docs for pledge task driver

  Add pledge driver to the set of Community drivers.

* docs: cr feedback
Commits on Jul 12, 2023
Merge pull request #17914 from hashicorp/post-1.6.0-rc.1-release
Post 1.6.0 rc.1 release
Smoke test binaries for EL7 compatibility (#17706)
This adds a quick smoke test of our binaries to verify we haven't exceeded the maximum GLIBC (2.17) version during linking which would break our ability to execute on EL7 machines.
e2e: add some e2e tests for pledge task driver (#17909)
* e2e: setup nomad for pledge driver
* e2e: add some e2e tests for pledge task driver
Commits on Jul 13, 2023
Commits on Jul 14, 2023
docs: note windows requirement for workload identity (#17950)
Support for UDS sockets was added to Windows 10.
Commits on Jul 18, 2023
Commits on Jul 19, 2023
acl: fix parsing of policies with blocks w/o label
An ACL policy with a block without label generates unexpected results. For example, a policy such as this:

```
namespace {
  policy = "read"
}
```

Is applied to a namespace called `policy` instead of the documented behaviour of applying it to the `default` namespace.

This happens because of the way HCL1 decodes blocks. Since it doesn't know if a block is expected to have a label it applies the `key` tag to the content of the block and, in the example above, the first key is `policy`, so it sets that as the `namespace` block label.

Since this happens internally in the HCL decoder it's not possible to detect the problem externally.

Fixing the problem inside the decoder is challenging because the JSON and HCL parsers generate different ASTs that make it impossible to differentiate between a JSON tree and an invalid HCL tree within the decoder.

The fix in this commit consists of manually parsing the policy after decoding to clear labels that were not set in the file. This allows the validation rules to consistently catch and return any errors, no matter if the policy is an invalid HCL or JSON.
search: fix ACL filtering for plugins and variables
ACL permissions for the search endpoints are done in three passes. The first (the `sufficientSearchPerms` method) is for performance and coarsely rejects requests based on the passed-in context parameter if the user has no permissions to any object in that context. The second (the `filteredSearchContexts` method) filters out contexts based on whether the user has permissions either to the requested namespace or again by context (to catch the "all" context). Finally, when iterating over the objects available, we do the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we don't consider to be privileged information but intended to protect anyways.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st and 2nd pass ACL filters, and changes variables to check `variable:list` in the 2nd pass filter unless the wildcard namespace is passed (at which point we'll fall back to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
Merge pull request #17986 from hashicorp/post-1.6.0-release
Post 1.6.0 release
Use config "cpu_total_compute" (if set) for all CPU statistics (#17628)
Before this commit, it was only used for fingerprinting, but not for CPU stats on nodes or tasks. This meant that if the auto-detection failed, setting the cpu_total_compute didn't resolve the issue. This issue was most noticeable on ARM64, as there auto-detection always failed.
volume-status : show namespace the volume belongs to (#17911)
* volume-status : show namespace the volume belongs to
ui: fix Topology node state filter (#17940)
"Ineligible" and "Draining" are not determined by the node status, but are rather inferred from other fields.
nsd: retain query params in HTTP health checks (#17936)
Apply the same logic as Consul service health checks when building the HTTP URL so that query params in `path` are preserved.
metrics: report task memory_max value (#17938)
Add new `nomad.client.allocs.memory.max_allocated` metric to report the value of the task `memory_max` resource value.
e2e podman private registry (#17642)
* e2e: add tests for using private registry with podman driver

  This PR adds e2e tests that stand up a private docker registry and have a podman task run a container from an image in that private registry.

  Tests
  - user:password set in task config
  - auth_soft_fail works for public images when auth is set in driver
  - credentials helper is set in driver auth config
  - config auth.json file is set in driver auth config

* packer: use nomad-driver-podman v0.5.0
* e2e: eliminate unnecessary chmod

  Co-authored-by: Daniel Bennett <dbennett@hashicorp.com>

* cr: no need to install nomad twice
* cl: no need to install docker twice

---------

Co-authored-by: Daniel Bennett <dbennett@hashicorp.com>
Commits on Jul 20, 2023
[ui] When a purged/404-ing job is detected, boot the user out of that job and back to the index (#17915)
* Boot the user off the job if it gets deleted
* de-yoink
* watching the job watcher
* Unload record so history.back has to refire a (failing) request
* Acceptance tests for boot-out and notification
CSI: improve controller RPC reliability (#17996)
The CSI specification says that we "SHOULD" send no more than one in-flight request per *volume* at a time, with an allowance for losing state (ex. leadership transitions) which the plugins "SHOULD" handle gracefully. We mostly successfully serialize node and controller RPCs for the same volume, except when Nomad clients are lost. (See also container-storage-interface/spec#512)

These concurrency requirements in the spec fall short because Storage Provider APIs aren't necessarily safe to call concurrently on the same host even for _different_ volumes. For example, concurrently attaching AWS EBS volumes to an EC2 instance results in a race for device names, which results in failure to attach (because the device name is taken already and the API call fails) and confused results when releasing claims. So in practice many CSI plugins rely on k8s-specific sidecars for serializing storage provider API calls globally. As a result, we have to be much more conservative about concurrency in Nomad than the spec allows.

This changeset includes four major changes to fix this:
* Add a serializer method to the CSI volume RPC handler. When the RPC handler makes a destructive CSI Controller RPC, we send the RPC thru this serializer and only one RPC is sent at a time. Any other RPCs in flight will block.
* Ensure that requests go to the same controller plugin instance whenever possible by sorting by lowest client ID out of the plugin instances.
* Ensure that requests go to _healthy_ plugin instances only.
* Ensure that requests for controllers can go to a controller on any _live_ node, not just ones eligible for scheduling (which CSI controllers don't care about)

Fixes: #15415
state: canonicalize namespace on restore (#18017)
The upgrade path to Nomad 1.6.0 requires canonicalizing the namespace in order to set the default scheduler configuration values. Previous implementation only canonicalized on namespace upsert operations, which works for recent namespaces as those Raft transactions are reapplied on upgrade. But for older namespaces restored from a snapshot the code path did not canonicalize them, leaving the scheduler configuration set as `nil`.
Commits on Jul 21, 2023
ui: handle errors from unimplemented services (#18020)
When a request is made to an RPC service that doesn't exist (for example, a cross-region request from a newer version of Nomad to an older version that doesn't implement the endpoint) the application should return an empty list as well.
ui: handle node pool requests to older regions (#18021)
When accessing a region running a version of Nomad without node pools an error was thrown because the request is handled by the nodes endpoint which fails because it assumes `pools` is the node ID.
Merge pull request #18028 from hashicorp/post-1.6.1-release
Post 1.6.1 release
Retain task states for post stop tasks at the time of node GC (#18005)
* Retain task states for post stop tasks at the time of node GC
Commits on Jul 24, 2023
Commits on Jul 25, 2023
Commits on Jul 26, 2023
build: support s390x architecture for linux (ent) (#18069)
Makefile changes required for supporting s390x builds and a corresponding changelog entry.
Commits on Jul 27, 2023
core: add jwks rpc and http api (#18035)
Add JWKS endpoint to HTTP API for exposing the root public signing keys used for signing workload identity JWTs.

Part 1 of N components as part of making workload identities consumable by third party services such as Consul and Vault. Identity attenuation (audience) and expiration (+renewal) are necessary to securely use workload identities with 3rd parties, so this merge does not yet document this endpoint.

---------

Co-authored-by: Tim Gross <tgross@hashicorp.com>
Commits on Jul 28, 2023
cli: add help message for `-consul-namespace` (#18081)
Add missing help entry for the `-consul-namespace` flag in `nomad job run`.
Trusted Supply Chain Component Registry (TSCCR) enforcement starts Monday and an internal report shows our semgrep action is pinned to a version that's not currently permitted. Update all the action versions to whatever's the new hotness to maximize the time-to-live on these until we have automated pinning set up.

Also version bumps our chromedriver action, which randomly broke upstream today.
feature: Add new field render_templates on restart block (#18054)
This feature is necessary when the user wants to explicitly re-render all templates on task restart. E.g. to fetch all new secrets from Vault, even if the lease on the existing secrets has not expired.
Commits on Jul 31, 2023
scheduler: fix panic in `render_templates` destructive update check (#18100)
In #18054 we introduced a new field `render_templates` in the `restart` block. Previously changes to the `restart` block were always non-destructive in the scheduler but we now need to check the new field so that we can update the template runner. The check assumed that the block was always non-nil, which causes panics in our scheduler tests.
[ui] Search results are overloading filter with sorted results (#18053)
* Attempt at a varied end-result when sorting and searching
* Consider sort direction as well
* computed property dep update
* prioritizeSearchOrder and test
* Side-effecty but resets sort on search etc
* changelog
cli: support wildcard namespace in alloc subcommands (#18095)
The alloc exec and filesystem/logs commands allow passing the `-job` flag to select a random allocation. If the namespace for the command is set to `*`, the RPC handler doesn't handle this correctly as it's expecting to query for a specific job.

Most commands handle this ambiguity by first verifying that only a single object of the type in question exists (ex. a single node or job). Update these commands so that when the `-job` flag is set we first verify there's a single job that matches. This also allows us to extend the functionality to allow for the `-job` flag to support prefix matching.

Fixes: #12097
[ui] Job Variables page (#17964)
* Bones of a component that has job variable awareness
* Got vars listed woo
* Variables as its own subnav and some pathLinkedVariable perf fixes
* Automatic Access to Variables alerter
* Helper and component to conditionally render the right link
* A bit of cleanup post-template stuff
* testfix for looping right-arrow keynav bc we have a new subnav section
* A very roundabout way of ensuring that, if a job exists when saving a variable with a pathLinkedEntity of that job, it's saved right through to the job itself
* hacky but an async version of pathLinkedVariable
* model-driven and async fetcher driven with cleanup
* Only run the update-job func if jobname is detected in var path
* Test cases begun
* Management token for variables to appear in tests
* Its a management token so it gets to see the clients tab under system jobs
* Pre-review cleanup
* More tests
* Number of requests test and small fix to groups-by-way-or-resource-arrays elsewhere
* Variable intro text tests
* Variable name re-use
* Simplifying our wording a bit
* parse json vs plainId
* Addressed PR feedback, including de-waterfalling
build(deps): bump word-wrap from 1.2.3 to 1.2.4 in /ui (#17972)
Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4.
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](jonschlinkert/word-wrap@1.2.3...1.2.4)

---
updated-dependencies:
- dependency-name: word-wrap
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commits on Aug 1, 2023
fingerprint: fix 'default' alias not added to interface specified by `network_interface` (#18096)
cli: search all namespaces for node volumes (#17925)
When looking for CSI volumes to display in the `node status` command the CLI needs to search all namespaces.
[dep] bump golang.org/x/exp (#18102)
There are some refactorings that have to be made in the getter and state where the api changed in `slices`
* Bump golang.org/x/exp
* Bump golang.org/x/exp in api
* Update job_endpoint_test
* [feedback] unexport sort function
Commits on Aug 2, 2023
allocwatcher: don't destroy local allocdir after migration (#18108)
When ephemeral disks are migrated from an allocation on the same node, allocation logs for the previous allocation are lost.

There are two workflows for the best-effort attempt to migrate the allocation data between the old and new allocations. For previous allocations on other clients (the "remote" workflow), we create a local allocdir and download the data from the previous client into it. That data is then moved into the new allocdir and we delete the allocdir of the previous alloc.

For "local" previous allocations we don't need to create an extra directory for the previous allocation and instead move the files directly from one to the other. But we still delete the old allocdir _entirely_, which includes all the logs!

There doesn't seem to be any reason to destroy the local previous allocdir, as the usual client garbage collection should destroy it later on when needed. By not deleting it, the previous allocation's logs are still available for the user to read.

Fixes: #18034
Commits on Aug 3, 2023
scheduler: filter device instance IDs by constraints (#18141)
When the scheduler assigns a device instance, it iterates over the feasible devices and then picks the first instance with availability. If the jobspec uses a constraint on device ID, this can lead to buggy/surprising behavior where the node's device matches the constraint but then the individual device instance does not.

Add a second filter based on the `${device.ids}` constraint after selecting a node's device to ensure the device instance ID falls within the constraint as well.

Fixes: #18112
build(deps): bump github.com/hashicorp/consul/api from 1.18.0 to 1.23.0 (#18038)
Bumps [github.com/hashicorp/consul/api](https://github.com/hashicorp/consul) from 1.18.0 to 1.23.0.
- [Release notes](https://github.com/hashicorp/consul/releases)
- [Changelog](https://github.com/hashicorp/consul/blob/main/CHANGELOG.md)
- [Commits](hashicorp/consul@api/v1.18.0...api/v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/consul/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.8 (#18037)
Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.1.5 to 1.1.8.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/v1.1.8/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.1.5...v1.1.8)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump github.com/hashicorp/go-kms-wrapping/v2 (#17957)
Bumps [github.com/hashicorp/go-kms-wrapping/v2](https://github.com/hashicorp/go-kms-wrapping) from 2.0.8 to 2.0.12.
- [Commits](hashicorp/go-kms-wrapping@v2.0.8...v2.0.12)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-kms-wrapping/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commits on Aug 4, 2023
CLI: make snapshot name required in creating volume snapshots (#17958)
Co-authored-by: James Rasell <jrasell@users.noreply.github.com>
Commits on Aug 7, 2023
test: fix flaky RPC TLS enforcement test (#18155)
The RPC TLS enforcement test creates network connections to a server and these are occasionally failing in testing with `write: broken pipe` errors. This has been an ongoing issue where it'll appear to get fixed, then reoccur, and no one seems to be able to reproduce outside of CI. The test assertion itself is reliable, which is why it's been hard to spend effort to hunt this down.

The failing test cases are ones that are never supposed to work b/c they fail our TLS cert role validation. The error message is coming from the TLS handshake error. The RPC connection handler closes the connection immediately on getting the error from the TLS handshake. The stdlib's TLS library flushes the connection's buffer before returning the error.

So the theory is that in the failing case we don't get the error message before the connection is closed, but do get the error return that allows the client to move on to a write, which tries to write on the closed pipe. I've been unable to reproduce this exactly, as the race is effectively between the OS and the runtime.

The equivalent test of the Raft TLS enforcement includes handling of an EOF instead of the certificate error, so it appears this is actually expected (or at least known) behavior. Because the code under test is operating as expected, this changeset updates the assertion to accept the error.
Commit 5d2c1d1
Commit 472693d
Commits on Aug 8, 2023
Commit acfb4e6
Commits on Aug 9, 2023
e2e: modernize vaultcompat testing (#18179)
* e2e: modernize vaultcompat testing
* e2e: cr fixes for vaultcompat
Commit 37dd4c4
[chore] Update pre-push hook to handle more remote URL shapes (#17560)
* handle remotes without .git in their path
* Update check to use grep
Commit 74f4381
Commits on Aug 10, 2023
Commit 5bc49e5
numa: enable numa topology detection (#18146)
* client: refactor cgroups management in client
* client: fingerprint numa topology
* client: plumb numa and cgroups changes to drivers
* client: cleanup task resource accounting
* client: numa client and config plumbing
* lib: add a stack implementation
* tools: remove ec2info tool
* plugins: fixup testing for cgroups / numa changes
* build: update makefile and package tests and cl
Commit a4cc76b
Updating the license from MPL to Business Source License
Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at https://hashi.co/license-faq, and details of the license at www.hashicorp.com/bsl.
Commit b3e30b1
Adding explicit MPL license for sub-package
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
Commit 89e24d7
Commit f2acbdb
Commit 2d35e32
Commit a9d61ea
Merge pull request #18187 from hashicorp/compliance/license-changes
[COMPLIANCE] License changes
Commit 0ef5636
Commits on Aug 14, 2023
update linux package license to BUSL-1.1 (#18192)
update copywrite.hcl to exclude MPL subdirs
Commit fd1ae34
* build: update to go1.21
* go: eliminate helpers in favor of min/max
* build: run go mod tidy
* build: swap depguard for semgrep
* command: fixup broken tls error check on go1.21
Commit d9341f0
readme: update readme license badge (#18188)
* readme: update readme license badge
* tweak badge color
---------
Co-authored-by: Seth Hoenig <shoenig@duck.com>
Commit f9d7016
build(deps): bump github.com/shoenig/test from 0.6.6 to 0.6.7 in /api (#18191)
Bumps [github.com/shoenig/test](https://github.com/shoenig/test) from 0.6.6 to 0.6.7.
- [Release notes](https://github.com/shoenig/test/releases)
- [Commits](shoenig/test@v0.6.6...v0.6.7)
---
updated-dependencies:
- dependency-name: github.com/shoenig/test
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 3c7a44d
Commit 65d562b
docs: ampersand and bash backgrounding problem (#18175)
the `&` symbol messes up the command when copy pasting into a shell
Commit a170499
test: deflake job endpoint registration test (#18170)
We've seen test flakiness in the `TestJobEndpoint_Register_NonOverlapping` test, which asserts that we don't try to place allocations for blocked evals until resources have been actually freed by setting the client status of the previous alloc to complete. The flaky assertion includes sorting the two allocations by CreateIndex and this appears to be a non-stable sort in the context of the test run, which results in failures that shouldn't exist.
There's no reason to sort the allocations instead of just examining them by ID. This changeset does so.
Commit 464062d
test: deflake node drain integration test (#18171)
The `TestDrainer_AllTypes_NoDeadline` test has been flaky. It looks like this might be because the final update of batch allocations to complete is improperly updating the state store directly rather than by RPC. If the service jobs have restarted in the meantime, the `allocClientStateSimulator` will have updated the index on the allocations table and that will prevent the drainer from unblocking (and being marked complete) when the batch jobs are written with an earlier index. This changeset attempts to fix that by making the update via RPC (as it normally would be in real code).
Commit ac8604e
Commits on Aug 15, 2023
Commit 77e139e
identity: add support for multiple identities + audiences (#18123)
Allows for multiple `identity{}` blocks for tasks along with user-specified audiences. This is a building block to allow workload identities to be used with Consul, Vault and 3rd party JWT based auth methods.
Expiration is still unimplemented and is necessary for JWTs to be used securely, so that's up next.
---------
Co-authored-by: Tim Gross <tgross@hashicorp.com>
Commit 0e22fc1
drivers/raw_exec: restore ability to run tasks without nomad running as root (#18206)
Although nomad officially does not support running the client as a non-root user, doing so has been more or less possible with the raw_exec driver as long as you don't expect features to work like networking or running tasks as specific users.
In the cgroups refactoring I bulldozed right over the special casing we had in place for raw_exec to continue working if the cgroups were unable to be created. This PR restores that behavior - you can now (as before) run the nomad client as a non-root user and make use of the raw_exec task driver.
Commit 6747ef8
fix multiple overflow errors in exponential backoff (#18200)
We use capped exponential backoff in several places in the code when handling failures. The code we've copy-and-pasted all over has a check to see if the backoff is greater than the limit, but this check happens after the bitshift and we always increment the number of attempts. This causes an overflow with a fairly small number of failures (ex. at one place I tested it occurs after only 24 iterations), resulting in a negative backoff which then never recovers. The backoff becomes a tight loop consuming resources and/or DoS'ing a Nomad RPC handler or an external API such as Vault. Note this doesn't occur in places where we cap the number of iterations so the loop breaks (usually to return an error), so long as the number of iterations is reasonable.
Introduce a helper with a check on the cap before the bitshift to avoid overflow in all places this can occur.
Fixes: #18199
Co-authored-by: stswidwinski <stan.swidwinski@gmail.com>
Commit f00bff0
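The overflow described in the #18200 commit message above, reproduced as an added example; this is not Nomad's code. The function names, the 1 second base and the 3 minute cap are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// naiveBackoff is the pattern the commit message describes (hypothetical
// name): shift first, compare against the cap afterwards.
func naiveBackoff(base, limit time.Duration, attempt uint64) time.Duration {
	backoff := base << attempt // wraps past MaxInt64 and can go negative
	if backoff > limit {       // a wrapped, negative value is never > limit
		backoff = limit
	}
	return backoff
}

// cappedBackoff checks the cap before shifting, so the shift only runs when
// base * 2^attempt is known to fit under limit (hypothetical name).
func cappedBackoff(base, limit time.Duration, attempt uint64) time.Duration {
	if base <= 0 || limit <= 0 {
		return 0
	}
	// limit/base is the largest multiplier that stays at or under the cap.
	if attempt >= 63 || time.Duration(1)<<attempt > limit/base {
		return limit
	}
	return base << attempt
}

type backoffFunc func(base, limit time.Duration, attempt uint64) time.Duration

// firstNonPositive returns the first attempt in [0, maxAttempts) for which f
// yields a zero or negative wait (a tight retry loop), or -1 if none does.
func firstNonPositive(f backoffFunc, base, limit time.Duration, maxAttempts uint64) int {
	for a := uint64(0); a < maxAttempts; a++ {
		if f(base, limit, a) <= 0 {
			return int(a)
		}
	}
	return -1
}

func main() {
	base, limit := time.Second, 3*time.Minute // constructed sample values
	fmt.Println("naive first bad attempt: ", firstNonPositive(naiveBackoff, base, limit, 200))
	fmt.Println("capped first bad attempt:", firstNonPositive(cappedBackoff, base, limit, 200))
}
```

The attempt at which the naive form first wraps depends on the base duration and on how the shift amount is derived from the attempt counter, so a retry loop with no iteration cap needs the pre-shift check whatever the constants are.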
followup to numa/cgroups refactor (#18214)
* lang: note that Stack is not concurrency-safe
* client: use more descriptive name for wrangler hook in logs
* numalib: use correct name for receiver parameter
Commit 8833452
test-e2e: no need to run vaultcompat tests as root (#18215)
6747ef8 fixes the Nomad client to support using the raw_exec driver while running as a non-root user. Remove the use of sudo in the test-e2e workflow for running integration (vaultcompat) tests.
Commit 6fca4fa
Commits on Aug 16, 2023
Adding explicit MPL license for sub-package (#18219)
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Commit 4f55df8
Commit 9af2a9b
Commit 01d71ca
Commit 6d1a2a0
Commit e21ab7d
Commits on Aug 17, 2023
Commit 7ac37e4
Commit 0e01d9a