hashicorp · greut · Aug 23, 2020 · Aug 24, 2020 · Aug 24, 2020 · Sep 6, 2020
diff --git a/client/allocrunner/taskrunner/task_dir_hook.go b/client/allocrunner/taskrunner/task_dir_hook.go
@@ -92,7 +92,7 @@ func setEnvvars(envBuilder *taskenv.Builder, fsi drivers.FSIsolation, taskDir *a
 
 	// Set the host environment variables for non-image based drivers
 	if fsi != drivers.FSIsolationImage {
-		filter := strings.Split(conf.ReadDefault("env.blacklist", cconfig.DefaultEnvBlacklist), ",")
+		filter := strings.Split(conf.ReadDefault("env.blacklist", cconfig.DefaultEnvDenylist), ",")
 		envBuilder.SetHostEnvvars(filter)
 	}
 }
diff --git a/client/allocrunner/taskrunner/template/template.go b/client/allocrunner/taskrunner/template/template.go
@@ -576,7 +576,7 @@ func parseTemplateConfigs(config *TaskTemplateManagerConfig) (map[*ctconf.Templa
 		ct.Contents = &tmpl.EmbeddedTmpl
 		ct.LeftDelim = &tmpl.LeftDelim
 		ct.RightDelim = &tmpl.RightDelim
-		ct.FunctionBlacklist = config.ClientConfig.TemplateConfig.FunctionBlacklist
+		ct.FunctionDenylist = config.ClientConfig.TemplateConfig.FunctionDenylist
 		if !config.ClientConfig.TemplateConfig.DisableSandbox {
 			ct.SandboxPath = &config.TaskDir
 		}

diff --git a/client/allocrunner/taskrunner/template/template_test.go b/client/allocrunner/taskrunner/template/template_test.go
@@ -134,8 +134,8 @@ func newTestHarness(t *testing.T, templates []*structs.Template, consul, vault b
 		config: &config.Config{
 			Region: region,
 			TemplateConfig: &config.ClientTemplateConfig{
-				FunctionBlacklist: []string{"plugin"},
-				DisableSandbox:    false,
+				FunctionDenylist: []string{"plugin"},
+				DisableSandbox:   false,
 			}},
 		emitRate: DefaultMaxTemplateEventRate,
 	}

diff --git a/client/allocrunner/taskrunner/validate_hook.go b/client/allocrunner/taskrunner/validate_hook.go
@@ -43,7 +43,7 @@ func validateTask(task *structs.Task, taskEnv *taskenv.TaskEnv, conf *config.Con
 	var mErr multierror.Error
 
 	// Validate the user
-	unallowedUsers := conf.ReadStringListToMapDefault("user.blacklist", config.DefaultUserBlacklist)
+	unallowedUsers := conf.ReadStringListToMapDefault("user.denylist", config.DefaultUserDenylist)
 	checkDrivers := conf.ReadStringListToMapDefault("user.checked_drivers", config.DefaultUserCheckedDrivers)
 	if _, driverMatch := checkDrivers[task.Driver]; driverMatch {
 		if _, unallowed := unallowedUsers[task.User]; unallowed {

diff --git a/client/client.go b/client/client.go
@@ -409,9 +409,10 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
 		return nil, fmt.Errorf("fingerprinting failed: %v", err)
 	}
 
-	// Build the white/blacklists of drivers.
-	allowlistDrivers := cfg.ReadStringListToMap("driver.whitelist")
-	blocklistDrivers := cfg.ReadStringListToMap("driver.blacklist")
+	// Build the allow/denylists of drivers.
+	// white/blacklist are there for backward compatible reasons only.
+	allowlistDrivers := cfg.ReadStringListToMap("driver.allowlist", "driver.whitelist")
+	blocklistDrivers := cfg.ReadStringListToMap("driver.denylist", "driver.blocklist", "driver.blacklist")
 
 	// Setup the csi manager
 	csiConfig := &csimanager.Config{

diff --git a/client/config/config.go b/client/config/config.go
@@ -19,26 +19,26 @@ import (
 )
 
 var (
-	// DefaultEnvBlacklist is the default set of environment variables that are
+	// DefaultEnvDenylist is the default set of environment variables that are
 	// filtered when passing the environment variables of the host to a task.
 	// duplicated in command/agent/host, update that if this changes.
-	DefaultEnvBlacklist = strings.Join([]string{
+	DefaultEnvDenylist = strings.Join([]string{
 		"CONSUL_TOKEN",
 		"CONSUL_HTTP_TOKEN",
 		"VAULT_TOKEN",
 		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
 		"GOOGLE_APPLICATION_CREDENTIALS",
 	}, ",")
 
-	// DefaultUserBlacklist is the default set of users that tasks are not
+	// DefaultUserDenylist is the default set of users that tasks are not
 	// allowed to run as when using a driver in "user.checked_drivers"
-	DefaultUserBlacklist = strings.Join([]string{
+	DefaultUserDenylist = strings.Join([]string{
 		"root",
 		"Administrator",
 	}, ",")
 
 	// DefaultUserCheckedDrivers is the set of drivers we apply the user
-	// blacklist onto. For virtualized drivers it often doesn't make sense to
+	// denylist onto. For virtualized drivers it often doesn't make sense to
 	// make this stipulation so by default they are ignored.
 	DefaultUserCheckedDrivers = strings.Join([]string{
 		"exec",
@@ -271,8 +271,8 @@ type Config struct {
 }
 
 type ClientTemplateConfig struct {
-	FunctionBlacklist []string
-	DisableSandbox    bool
+	FunctionDenylist []string
+	DisableSandbox   bool
 }
 
 func (c *ClientTemplateConfig) Copy() *ClientTemplateConfig {
@@ -282,7 +282,7 @@ func (c *ClientTemplateConfig) Copy() *ClientTemplateConfig {
 
 	nc := new(ClientTemplateConfig)
 	*nc = *c
-	nc.FunctionBlacklist = helper.CopySliceString(nc.FunctionBlacklist)
+	nc.FunctionDenylist = helper.CopySliceString(nc.FunctionDenylist)
 	return nc
 }
 
@@ -319,8 +319,8 @@ func DefaultConfig() *Config {
 		DisableTaggedMetrics:    false,
 		DisableRemoteExec:       false,
 		TemplateConfig: &ClientTemplateConfig{
-			FunctionBlacklist: []string{"plugin"},
-			DisableSandbox:    false,
+			FunctionDenylist: []string{"plugin"},
+			DisableSandbox:   false,
 		},
 		BackwardsCompatibleMetrics: false,
 		RPCHoldTimeout:             5 * time.Second,
@@ -415,15 +415,17 @@ func (c *Config) ReadDurationDefault(id string, defaultValue time.Duration) time
 	return val
 }
 
-// ReadStringListToMap tries to parse the specified option as a comma separated list.
+// ReadStringListToMap tries to parse the specified option(s) as a comma separated list.
 // If there is an error in parsing, an empty list is returned.
-func (c *Config) ReadStringListToMap(key string) map[string]struct{} {
-	s := strings.TrimSpace(c.Read(key))
+func (c *Config) ReadStringListToMap(keys ...string) map[string]struct{} {
 	list := make(map[string]struct{})
-	if s != "" {
-		for _, e := range strings.Split(s, ",") {
-			trimmed := strings.TrimSpace(e)
-			list[trimmed] = struct{}{}
+	for _, key := range keys {
+		s := strings.TrimSpace(c.Read(key))
+		if s != "" {
+			for _, e := range strings.Split(s, ",") {
+				trimmed := strings.TrimSpace(e)
+				list[trimmed] = struct{}{}
+			}
 		}
 	}
 	return list

diff --git a/client/fingerprint_manager.go b/client/fingerprint_manager.go
@@ -65,28 +65,28 @@ func (fm *FingerprintManager) getNode() *structs.Node {
 }
 
 // Run starts the process of fingerprinting the node. It does an initial pass,
-// identifying whitelisted and blacklisted fingerprints/drivers. Then, for
+// identifying allowlisted and denylisted fingerprints/drivers. Then, for
 // those which require periotic checking, it starts a periodic process for
 // each.
 func (fp *FingerprintManager) Run() error {
 	// First, set up all fingerprints
 	cfg := fp.getConfig()
-	whitelistFingerprints := cfg.ReadStringListToMap("fingerprint.whitelist")
-	whitelistFingerprintsEnabled := len(whitelistFingerprints) > 0
-	blacklistFingerprints := cfg.ReadStringListToMap("fingerprint.blacklist")
+	allowlistFingerprints := cfg.ReadStringListToMap("fingerprint.allowlist", "fingerprint.whitelist")
+	allowlistFingerprintsEnabled := len(allowlistFingerprints) > 0
+	denylistFingerprints := cfg.ReadStringListToMap("fingerprint.denylist", "fingerprint.blacklist")
 
 	fp.logger.Debug("built-in fingerprints", "fingerprinters", fingerprint.BuiltinFingerprints())
 
 	var availableFingerprints []string
 	var skippedFingerprints []string
 	for _, name := range fingerprint.BuiltinFingerprints() {
-		// Skip modules that are not in the whitelist if it is enabled.
-		if _, ok := whitelistFingerprints[name]; whitelistFingerprintsEnabled && !ok {
+		// Skip modules that are not in the allowlist if it is enabled.
+		if _, ok := allowlistFingerprints[name]; allowlistFingerprintsEnabled && !ok {
 			skippedFingerprints = append(skippedFingerprints, name)
 			continue
 		}
-		// Skip modules that are in the blacklist
-		if _, ok := blacklistFingerprints[name]; ok {
+		// Skip modules that are in the denylist
+		if _, ok := denylistFingerprints[name]; ok {
 			skippedFingerprints = append(skippedFingerprints, name)
 			continue
 		}
@@ -99,7 +99,7 @@ func (fp *FingerprintManager) Run() error {
 	}
 
 	if len(skippedFingerprints) != 0 {
-		fp.logger.Debug("fingerprint modules skipped due to white/blacklist",
+		fp.logger.Debug("fingerprint modules skipped due to allow/denylist",
 			"skipped_fingerprinters", skippedFingerprints)
 	}
 

diff --git a/client/fingerprint_manager_test.go b/client/fingerprint_manager_test.go
@@ -66,8 +66,8 @@ func TestFingerprintManager_Run_InBlacklist(t *testing.T) {
 	require := require.New(t)
 	testClient, cleanup := TestClient(t, func(c *config.Config) {
 		c.Options = map[string]string{
-			"fingerprint.whitelist": "  arch,memory,foo,bar	",
-			"fingerprint.blacklist": "  cpu	",
+			"fingerprint.allowlist": "  arch,memory,foo,bar	",
+			"fingerprint.denylist": "  cpu	",
 		}
 	})
 	defer cleanup()
@@ -96,8 +96,8 @@ func TestFingerprintManager_Run_Combination(t *testing.T) {
 
 	testClient, cleanup := TestClient(t, func(c *config.Config) {
 		c.Options = map[string]string{
-			"fingerprint.whitelist": "  arch,cpu,memory,foo,bar	",
-			"fingerprint.blacklist": "  memory,host	",
+			"fingerprint.allowlist": "  arch,cpu,memory,foo,bar	",
+			"fingerprint.denylist": "  memory,host	",
 		}
 	})
 	defer cleanup()

diff --git a/command/acl_policy.go b/command/acl_policy.go
@@ -16,7 +16,7 @@ Usage: nomad acl policy <subcommand> [options] [args]
 
   This command groups subcommands for interacting with ACL policies. Nomad's ACL
   system can be used to control access to data and APIs. ACL policies allow a
-  set of capabilities or actions to be granted or whitelisted. For a full guide
+  set of capabilities or actions to be granted or allowlisted. For a full guide
   see: https://www.nomadproject.io/guides/acl.html
 
   Create an ACL policy:

diff --git a/command/agent/agent.go b/command/agent/agent.go
@@ -553,7 +553,10 @@ func convertClientConfig(agentConfig *Config) (*clientconfig.Config, error) {
 	conf.ClientMaxPort = uint(agentConfig.Client.ClientMaxPort)
 	conf.ClientMinPort = uint(agentConfig.Client.ClientMinPort)
 	conf.DisableRemoteExec = agentConfig.Client.DisableRemoteExec
-	conf.TemplateConfig.FunctionBlacklist = agentConfig.Client.TemplateConfig.FunctionBlacklist
+	conf.TemplateConfig.FunctionDenylist = agentConfig.Client.TemplateConfig.FunctionDenylist
+	if agentConfig.Client.TemplateConfig.FunctionDenylistDeprecated != nil {
+		conf.TemplateConfig.FunctionDenylist = append(conf.TemplateConfig.FunctionDenylist, agentConfig.Client.TemplateConfig.FunctionDenylistDeprecated...)
+	}
 	conf.TemplateConfig.DisableSandbox = agentConfig.Client.TemplateConfig.DisableSandbox
 
 	hvMap := make(map[string]*structs.ClientHostVolumeConfig, len(agentConfig.Client.HostVolumes))

diff --git a/command/agent/config.go b/command/agent/config.go
@@ -307,9 +307,14 @@ type ClientConfig struct {
 // rendering
 type ClientTemplateConfig struct {
 
-	// FunctionBlacklist disables functions in consul-template that
+	// FunctionDenylist disables functions in consul-template that
 	// are unsafe because they expose information from the client host.
-	FunctionBlacklist []string `hcl:"function_blacklist"`
+	FunctionDenylist []string `hcl:"function_denylist"`
+
+	// FunctionDenylistDeprecated is the backward compatible option for
+	// FunctionDenylist.
+	// This should not be used directly, use FunctionDenylist instead.
+	FunctionDenylistDeprecated []string `hcl:"function_blacklist"`
 
 	// DisableSandbox allows templates to access arbitrary files on the
 	// client host. By default templates can access files only within
@@ -827,8 +832,8 @@ func DevConfig(mode *devModeConfig) *Config {
 	conf.Client.GCInodeUsageThreshold = 99
 	conf.Client.GCMaxAllocs = 50
 	conf.Client.TemplateConfig = &ClientTemplateConfig{
-		FunctionBlacklist: []string{"plugin"},
-		DisableSandbox:    false,
+		FunctionDenylist: []string{"plugin"},
+		DisableSandbox:   false,
 	}
 	conf.Client.BindWildcardDefaultHostNetwork = true
 	conf.Telemetry.PrometheusMetrics = true
@@ -873,8 +878,8 @@ func DefaultConfig() *Config {
 				RetryMaxAttempts: 0,
 			},
 			TemplateConfig: &ClientTemplateConfig{
-				FunctionBlacklist: []string{"plugin"},
-				DisableSandbox:    false,
+				FunctionDenylist: []string{"plugin"},
+				DisableSandbox:   false,
 			},
 			BindWildcardDefaultHostNetwork: true,
 		},

diff --git a/command/agent/config_test.go b/command/agent/config_test.go
@@ -115,8 +115,8 @@ func TestConfig_Merge(t *testing.T) {
 			ClientMaxPort:     19996,
 			DisableRemoteExec: false,
 			TemplateConfig: &ClientTemplateConfig{
-				FunctionBlacklist: []string{"plugin"},
-				DisableSandbox:    false,
+				FunctionDenylist: []string{"plugin"},
+				DisableSandbox:   false,
 			},
 			Reserved: &Resources{
 				CPU:           10,
@@ -297,8 +297,8 @@ func TestConfig_Merge(t *testing.T) {
 			MaxKillTimeout:    "50s",
 			DisableRemoteExec: false,
 			TemplateConfig: &ClientTemplateConfig{
-				FunctionBlacklist: []string{"plugin"},
-				DisableSandbox:    false,
+				FunctionDenylist: []string{"plugin"},
+				DisableSandbox:   false,
 			},
 			Reserved: &Resources{
 				CPU:           15,

diff --git a/command/agent/testdata/obj-len-one.hcl b/command/agent/testdata/obj-len-one.hcl
@@ -1,5 +1,5 @@
 client {
   options {
-    driver.whitelist = "docker"
+    driver.allowlist = "docker"
   }
 }
diff --git a/command/agent/testdata/obj-len-one.json b/command/agent/testdata/obj-len-one.json
@@ -1,7 +1,7 @@
 {
 	"client": {
 		"options": {
-			"driver.whitelist": "docker"
+			"driver.allowlist": "docker"
 		}
 	},
 	"server": {}

diff --git a/drivers/docker/config.go b/drivers/docker/config.go
@@ -95,10 +95,21 @@ func PluginLoader(opts map[string]string) (map[string]interface{}, error) {
 	conf["volumes"] = volConf
 
 	// capabilities
-	if v, ok := opts["docker.caps.whitelist"]; ok {
+	if v, ok := opts["docker.caps.allowlist"]; ok {
 		conf["allow_caps"] = strings.Split(v, ",")
 	}
 
+	// backward compatible configuration
+	if v, ok := opts["docker.caps.whitelist"]; ok {
+		vs := strings.Split(v, ",")
+		switch conf["allow_caps"].(type) {
+		case []string:
+			conf["allow_caps"] = append(conf["allow_caps"].([]string), vs...)
+		default:
+			conf["allow_caps"] = vs
+		}
+	}
+
 	// privileged containers
 	if v, err := strconv.ParseBool(opts["docker.privileged.enabled"]); err == nil {
 		conf["allow_privileged"] = v

diff --git a/drivers/docker/driver.go b/drivers/docker/driver.go
@@ -909,7 +909,7 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 			}
 		}
 		if len(missingCaps) > 0 {
-			return c, fmt.Errorf("Docker driver doesn't have the following caps whitelisted on this Nomad agent: %s", missingCaps)
+			return c, fmt.Errorf("Docker driver doesn't have the following caps allowlisted on this Nomad agent: %s", missingCaps)
 		}
 	}
 

diff --git a/drivers/docker/driver_darwin_test.go b/drivers/docker/driver_darwin_test.go
@@ -11,7 +11,7 @@ import (
 // be mounted into Docker containers on macOS without needing dev performing
 // special setup.
 //
-// macOS sets tempdir as `/var`, which Docker does not whitelist as a path that
+// macOS sets tempdir as `/var`, which Docker does not allowlist as a path that
 // can be bind-mounted.
 func TestMain(m *testing.M) {
 	tmpdir := fmt.Sprintf("/tmp/nomad-docker-tests-%d", time.Now().Unix())