use allow/deny instead of the colored alternatives

client/allocrunner/taskrunner/task_dir_hook.go

@@ -92,7 +92,7 @@ func setEnvvars(envBuilder *taskenv.Builder, fsi drivers.FSIsolation, taskDir *a
 
 	// Set the host environment variables for non-image based drivers
 	if fsi != drivers.FSIsolationImage {
-		filter := strings.Split(conf.ReadDefault("env.blacklist", cconfig.DefaultEnvBlacklist), ",")
+		filter := strings.Split(conf.ReadDefault("env.blacklist", cconfig.DefaultEnvDenylist), ",")
 		envBuilder.SetHostEnvvars(filter)
 	}
 }

client/allocrunner/taskrunner/validate_hook.go

@@ -43,7 +43,7 @@ func validateTask(task *structs.Task, taskEnv *taskenv.TaskEnv, conf *config.Con
 	var mErr multierror.Error
 
 	// Validate the user
-	unallowedUsers := conf.ReadStringListToMapDefault("user.blacklist", config.DefaultUserBlacklist)
+	unallowedUsers := conf.ReadStringListToMapDefault("user.denylist", config.DefaultUserDenylist)
 	checkDrivers := conf.ReadStringListToMapDefault("user.checked_drivers", config.DefaultUserCheckedDrivers)
 	if _, driverMatch := checkDrivers[task.Driver]; driverMatch {
 		if _, unallowed := unallowedUsers[task.User]; unallowed {

client/client.go

@@ -409,9 +409,10 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
 		return nil, fmt.Errorf("fingerprinting failed: %v", err)
 	}
 
-	// Build the white/blacklists of drivers.
-	allowlistDrivers := cfg.ReadStringListToMap("driver.whitelist")
-	blocklistDrivers := cfg.ReadStringListToMap("driver.blacklist")
+	// Build the allow/denylists of drivers.
+	// white/blacklist are there for backward compatible reasons only.
+	allowlistDrivers := cfg.ReadStringListToMap("driver.allowlist", "driver.whitelist")
+	blocklistDrivers := cfg.ReadStringListToMap("driver.denylist", "driver.blocklist", "driver.blacklist")
 
 	// Setup the csi manager
 	csiConfig := &csimanager.Config{

client/config/config.go

@@ -19,26 +19,26 @@ import (
 )
 
 var (
-	// DefaultEnvBlacklist is the default set of environment variables that are
+	// DefaultEnvDenylist is the default set of environment variables that are
 	// filtered when passing the environment variables of the host to a task.
 	// duplicated in command/agent/host, update that if this changes.
-	DefaultEnvBlacklist = strings.Join([]string{
+	DefaultEnvDenylist = strings.Join([]string{
 		"CONSUL_TOKEN",
 		"CONSUL_HTTP_TOKEN",
 		"VAULT_TOKEN",
 		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
 		"GOOGLE_APPLICATION_CREDENTIALS",
 	}, ",")
 
-	// DefaultUserBlacklist is the default set of users that tasks are not
+	// DefaultUserDenylist is the default set of users that tasks are not
 	// allowed to run as when using a driver in "user.checked_drivers"
-	DefaultUserBlacklist = strings.Join([]string{
+	DefaultUserDenylist = strings.Join([]string{
 		"root",
 		"Administrator",
 	}, ",")
 
 	// DefaultUserCheckedDrivers is the set of drivers we apply the user
-	// blacklist onto. For virtualized drivers it often doesn't make sense to
+	// denylist onto. For virtualized drivers it often doesn't make sense to
 	// make this stipulation so by default they are ignored.
 	DefaultUserCheckedDrivers = strings.Join([]string{
 		"exec",
@@ -420,15 +420,17 @@ func (c *Config) ReadDurationDefault(id string, defaultValue time.Duration) time
 	return val
 }
 
-// ReadStringListToMap tries to parse the specified option as a comma separated list.
+// ReadStringListToMap tries to parse the specified option(s) as a comma separated list.
 // If there is an error in parsing, an empty list is returned.
-func (c *Config) ReadStringListToMap(key string) map[string]struct{} {
-	s := strings.TrimSpace(c.Read(key))
+func (c *Config) ReadStringListToMap(keys ...string) map[string]struct{} {
 	list := make(map[string]struct{})
-	if s != "" {
-		for _, e := range strings.Split(s, ",") {
-			trimmed := strings.TrimSpace(e)
-			list[trimmed] = struct{}{}
+	for _, key := range keys {
+		s := strings.TrimSpace(c.Read(key))
+		if s != "" {
+			for _, e := range strings.Split(s, ",") {
+				trimmed := strings.TrimSpace(e)
+				list[trimmed] = struct{}{}
+			}
 		}
 	}
 	return list

client/fingerprint_manager.go

@@ -65,28 +65,28 @@ func (fm *FingerprintManager) getNode() *structs.Node {
 }
 
 // Run starts the process of fingerprinting the node. It does an initial pass,
-// identifying whitelisted and blacklisted fingerprints/drivers. Then, for
+// identifying allowlisted and denylisted fingerprints/drivers. Then, for
 // those which require periotic checking, it starts a periodic process for
 // each.
 func (fp *FingerprintManager) Run() error {
 	// First, set up all fingerprints
 	cfg := fp.getConfig()
-	whitelistFingerprints := cfg.ReadStringListToMap("fingerprint.whitelist")
-	whitelistFingerprintsEnabled := len(whitelistFingerprints) > 0
-	blacklistFingerprints := cfg.ReadStringListToMap("fingerprint.blacklist")
+	allowlistFingerprints := cfg.ReadStringListToMap("fingerprint.allowlist", "fingerprint.whitelist")
+	allowlistFingerprintsEnabled := len(allowlistFingerprints) > 0
+	denylistFingerprints := cfg.ReadStringListToMap("fingerprint.denylist", "fingerprint.blacklist")
 
 	fp.logger.Debug("built-in fingerprints", "fingerprinters", fingerprint.BuiltinFingerprints())
 
 	var availableFingerprints []string
 	var skippedFingerprints []string
 	for _, name := range fingerprint.BuiltinFingerprints() {
-		// Skip modules that are not in the whitelist if it is enabled.
-		if _, ok := whitelistFingerprints[name]; whitelistFingerprintsEnabled && !ok {
+		// Skip modules that are not in the allowlist if it is enabled.
+		if _, ok := allowlistFingerprints[name]; allowlistFingerprintsEnabled && !ok {
 			skippedFingerprints = append(skippedFingerprints, name)
 			continue
 		}
-		// Skip modules that are in the blacklist
-		if _, ok := blacklistFingerprints[name]; ok {
+		// Skip modules that are in the denylist
+		if _, ok := denylistFingerprints[name]; ok {
 			skippedFingerprints = append(skippedFingerprints, name)
 			continue
 		}
@@ -99,7 +99,7 @@ func (fp *FingerprintManager) Run() error {
 	}
 
 	if len(skippedFingerprints) != 0 {
-		fp.logger.Debug("fingerprint modules skipped due to white/blacklist",
+		fp.logger.Debug("fingerprint modules skipped due to allow/denylist",
 			"skipped_fingerprinters", skippedFingerprints)
 	}
 

client/fingerprint_manager_test.go

@@ -66,8 +66,8 @@ func TestFingerprintManager_Run_InBlacklist(t *testing.T) {
 	require := require.New(t)
 	testClient, cleanup := TestClient(t, func(c *config.Config) {
 		c.Options = map[string]string{
-			"fingerprint.whitelist": "  arch,memory,foo,bar	",
-			"fingerprint.blacklist": "  cpu	",
+			"fingerprint.allowlist": "  arch,memory,foo,bar	",
+			"fingerprint.denylist": "  cpu	",
 		}
 	})
 	defer cleanup()
@@ -96,8 +96,8 @@ func TestFingerprintManager_Run_Combination(t *testing.T) {
 
 	testClient, cleanup := TestClient(t, func(c *config.Config) {
 		c.Options = map[string]string{
-			"fingerprint.whitelist": "  arch,cpu,memory,foo,bar	",
-			"fingerprint.blacklist": "  memory,host	",
+			"fingerprint.allowlist": "  arch,cpu,memory,foo,bar	",
+			"fingerprint.denylist": "  memory,host	",
 		}
 	})
 	defer cleanup()

command/acl_policy.go

@@ -16,7 +16,7 @@ Usage: nomad acl policy <subcommand> [options] [args]
 
   This command groups subcommands for interacting with ACL policies. Nomad's ACL
   system can be used to control access to data and APIs. ACL policies allow a
-  set of capabilities or actions to be granted or whitelisted. For a full guide
+  set of capabilities or actions to be granted or allowlisted. For a full guide
   see: https://www.nomadproject.io/guides/acl.html
 
   Create an ACL policy:

command/agent/testdata/obj-len-one.hcl

@@ -1,5 +1,5 @@
 client {
   options {
-    driver.whitelist = "docker"
+    driver.allowlist = "docker"
   }
 }

command/agent/testdata/obj-len-one.json

@@ -1,7 +1,7 @@
 {
 	"client": {
 		"options": {
-			"driver.whitelist": "docker"
+			"driver.allowlist": "docker"
 		}
 	},
 	"server": {}

drivers/docker/config.go

@@ -96,10 +96,21 @@ func PluginLoader(opts map[string]string) (map[string]interface{}, error) {
 	conf["volumes"] = volConf
 
 	// capabilities
-	if v, ok := opts["docker.caps.whitelist"]; ok {
+	if v, ok := opts["docker.caps.allowlist"]; ok {
 		conf["allow_caps"] = strings.Split(v, ",")
 	}
 
+	// backward compatible configuration
+	if v, ok := opts["docker.caps.whitelist"]; ok {
+		vs := strings.Split(v, ",")
+		switch conf["allow_caps"].(type) {
+		case []string:
+			conf["allow_caps"] = append(conf["allow_caps"].([]string), vs...)
+		default:
+			conf["allow_caps"] = vs
+		}
+	}
+
 	// privileged containers
 	if v, err := strconv.ParseBool(opts["docker.privileged.enabled"]); err == nil {
 		conf["allow_privileged"] = v

drivers/docker/driver.go

@@ -909,7 +909,7 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 			}
 		}
 		if len(missingCaps) > 0 {
-			return c, fmt.Errorf("Docker driver doesn't have the following caps whitelisted on this Nomad agent: %s", missingCaps)
+			return c, fmt.Errorf("Docker driver doesn't have the following caps allowlisted on this Nomad agent: %s", missingCaps)
 		}
 	}
 

drivers/docker/driver_darwin_test.go

@@ -11,7 +11,7 @@ import (
 // be mounted into Docker containers on macOS without needing dev performing
 // special setup.
 //
-// macOS sets tempdir as `/var`, which Docker does not whitelist as a path that
+// macOS sets tempdir as `/var`, which Docker does not allowlist as a path that
 // can be bind-mounted.
 func TestMain(m *testing.M) {
 	tmpdir := fmt.Sprintf("/tmp/nomad-docker-tests-%d", time.Now().Unix())

drivers/docker/driver_test.go

@@ -1235,50 +1235,50 @@ func TestDockerDriver_Capabilities(t *testing.T) {
 		Name       string
 		CapAdd     []string
 		CapDrop    []string
-		Whitelist  string
+		Allowlist  string
 		StartError string
 	}{
 		{
-			Name:    "default-whitelist-add-allowed",
+			Name:    "default-allowlist-add-allowed",
 			CapAdd:  []string{"fowner", "mknod"},
 			CapDrop: []string{"all"},
 		},
 		{
-			Name:       "default-whitelist-add-forbidden",
+			Name:       "default-allowlist-add-forbidden",
 			CapAdd:     []string{"net_admin"},
 			StartError: "net_admin",
 		},
 		{
-			Name:    "default-whitelist-drop-existing",
+			Name:    "default-allowlist-drop-existing",
 			CapDrop: []string{"fowner", "mknod"},
 		},
 		{
-			Name:      "restrictive-whitelist-drop-all",
+			Name:      "restrictive-allowlist-drop-all",
 			CapDrop:   []string{"all"},
-			Whitelist: "fowner,mknod",
+			Allowlist: "fowner,mknod",
 		},
 		{
-			Name:      "restrictive-whitelist-add-allowed",
+			Name:      "restrictive-allowlist-add-allowed",
 			CapAdd:    []string{"fowner", "mknod"},
 			CapDrop:   []string{"all"},
-			Whitelist: "fowner,mknod",
+			Allowlist: "fowner,mknod",
 		},
 		{
-			Name:       "restrictive-whitelist-add-forbidden",
+			Name:       "restrictive-allowlist-add-forbidden",
 			CapAdd:     []string{"net_admin", "mknod"},
 			CapDrop:    []string{"all"},
-			Whitelist:  "fowner,mknod",
+			Allowlist:  "fowner,mknod",
 			StartError: "net_admin",
 		},
 		{
-			Name:      "permissive-whitelist",
+			Name:      "permissive-allowlist",
 			CapAdd:    []string{"net_admin", "mknod"},
-			Whitelist: "all",
+			Allowlist: "all",
 		},
 		{
-			Name:      "permissive-whitelist-add-all",
+			Name:      "permissive-allowlist-add-all",
 			CapAdd:    []string{"all"},
-			Whitelist: "all",
+			Allowlist: "all",
 		},
 	}
 
@@ -1299,8 +1299,8 @@ func TestDockerDriver_Capabilities(t *testing.T) {
 			d := dockerDriverHarness(t, nil)
 			dockerDriver, ok := d.Impl().(*Driver)
 			require.True(t, ok)
-			if tc.Whitelist != "" {
-				dockerDriver.config.AllowCaps = strings.Split(tc.Whitelist, ",")
+			if tc.Allowlist != "" {
+				dockerDriver.config.AllowCaps = strings.Split(tc.Allowlist, ",")
 			}
 
 			cleanup := d.MkAllocDir(task, true)

e2e/terraform/config/dev-cluster/nomad/client-linux/client.hcl

@@ -5,7 +5,7 @@ client {
 
   options {
     # Allow jobs to run as root
-    "user.blacklist" = ""
+    "user.denylist" = ""
 
     # Allow rawexec jobs
     "driver.raw_exec.enable" = "1"