Backport of client: fix interpolation in template source #9383 #9391

Merged
merged 3 commits into from
Nov 18, 2020

Commits on Nov 18, 2020

  1. client: fix interpolation in template source

    While Nomad v0.12.8 fixed `NOMAD_{ALLOC,TASK,SECRETS}_DIR` use in
    `template.destination`, interpolating these variables in
    `template.source` caused a path escape error.
    
    **Why not apply the destination fix to source?**
    
    The destination fix forces destination to always be relative to the task
    directory. This makes sense for the destination as a destination outside
    the task directory would be unreachable by the task. There's no reason
    to ever render a template outside the task directory. (Using `..` does
    allow destinations to escape the task directory if
    `template.disable_file_sandbox = true`. That's just awkward and unsafe
    enough I hope no one uses it.)
    
    There is a reason to source a template outside a task
    directory. At least if there weren't then I can't think of why we
    implemented `template.disable_file_sandbox`. So v0.12.8 left the
    behavior of `template.source` the more straightforward "Interpolate and
    validate."
    
    However, since outside of `raw_exec` every other driver uses absolute
    paths for `NOMAD_*_DIR` interpolation, this means those variables are
    unusable unless `disable_file_sandbox` is set.
    
    **The Fix**
    
    The variables are now interpolated as relative paths *only for the
    purpose of rendering templates.* This is an unfortunate special case,
    but reflects the fact that the template's view of the filesystem is
    completely different (unconstrained) vs the task's view (chrooted).
    Arguably the values of these variables *should be context-specific.*
    I think it's more reasonable to think of the "hack" as templating
    running uncontainerized than that giving templates different paths is a
    hack.
    
    **TODO**
    
    - [ ] E2E tests
    - [ ] Job validation may still be broken and prevent my fix from
          working?
    
    **raw_exec**
    
    `raw_exec` is actually broken _a different way_ as exercised by tests in
    this commit. I think we should probably remove these tests and fix that
    in a followup PR/release, but I wanted to leave them in for the initial
    review and discussion. Since non-containerized source paths are broken
    anyway, perhaps there's another solution to this entire problem I'm
    overlooking?
    schmichael committed Nov 18, 2020
    c920d03
  2. 50cdc21
  3. 347f2f6
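
The path-escape behaviour described in the first commit message, as an added Go example that is not code from this PR or from Nomad. It models "interpolate and validate" for a template source and shows the same source failing with absolute variable values and passing with relative ones, while `..` traversal is still rejected. `resolveSource`, `escapesSandbox`, the host path and the variable values are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample values (assumptions, not taken from the PR).
// hostTaskDir: the task directory as seen on the host, where templates render.
var hostTaskDir = "/var/nomad/alloc/abc123/web"

// taskView: absolute values as a chrooted task would see them.
var taskView = map[string]string{"NOMAD_TASK_DIR": "/local", "NOMAD_SECRETS_DIR": "/secrets"}

// templateView: relative values used only when rendering templates.
var templateView = map[string]string{"NOMAD_TASK_DIR": "local", "NOMAD_SECRETS_DIR": "secrets"}

// escapesSandbox reports whether path lies outside root after cleaning.
func escapesSandbox(root, path string) bool {
	rel, err := filepath.Rel(root, filepath.Clean(path))
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveSource (hypothetical helper) interpolates env into source, resolves a
// relative result against the host task dir, then validates the final path.
func resolveSource(taskDir, source string, env map[string]string, sandbox bool) (string, error) {
	for k, v := range env {
		source = strings.ReplaceAll(source, "${"+k+"}", v)
	}
	p := source
	if !filepath.IsAbs(p) {
		p = filepath.Join(taskDir, p)
	}
	p = filepath.Clean(p)
	if sandbox && escapesSandbox(taskDir, p) {
		return "", fmt.Errorf("template source %q escapes task directory", source)
	}
	return p, nil
}

func main() {
	for _, env := range []map[string]string{taskView, templateView} {
		p, err := resolveSource(hostTaskDir, "${NOMAD_TASK_DIR}/app.tmpl", env, true)
		fmt.Printf("path=%q err=%v\n", p, err)
	}
}
```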