This project is mirrored from https://gitee.com/mirrors/nomad.git.
  1. 12 Jul, 2022 3 commits
  2. 11 Jul, 2022 2 commits
    • workload identity (#13223) · d3e9b9ac
      Tim Gross authored
      In order to support implicit ACL policies for tasks to get their own
      secrets, each task would need to have its own ACL token. This would
      add extra raft overhead as well as new garbage collection jobs for
      cleaning up task-specific ACL tokens. Instead, Nomad will create a
      workload Identity Claim for each task.
      
      An Identity Claim is a JSON Web Token (JWT) signed by the server’s
      private key and attached to an Allocation at the time a plan is
      applied. The encoded JWT can be submitted as the X-Nomad-Token header
      to replace ACL token secret IDs for the RPCs that support identity
      claims.
      
      Whenever a key is added to a server’s keyring, it will use the key
      as the seed for an Ed25519 public-private keypair. That keypair
      will be used for signing the JWT and for verifying the JWT.
      
      This implementation is a ruthlessly minimal approach to support the
      secure variables feature. When a JWT is verified, the allocation ID
      will be checked against the Nomad state store, and non-existent...
    • Provide mock secure variables implementation (#12980) · 15d6dde2
      Charlie Voiselle authored
      * Add SecureVariable mock
      * Add SecureVariableStub
      * Add SecureVariable Copy and Stub funcs
  3. 06 Jul, 2022 1 commit
  4. 01 Jul, 2022 1 commit
  5. 25 Jun, 2022 1 commit
    • api: enable selecting subset of services using rendezvous hashing · bdead318
      Seth Hoenig authored
      This PR adds the 'choose' query parameter to the '/v1/service/<service>' endpoint.
      
      The value of 'choose' is in the form '<number>|<key>', number is the number
      of desired services and key is a value unique but consistent to the requester
      (e.g. allocID).
      
      Folks aren't really expected to use this API directly, but rather through consul-template
      which will soon be getting a new helper function making use of this query parameter.
      
      Example,
      
      curl 'localhost:4646/v1/service/redis?choose=2|abc123'
      
      Note: consul-template v0.29.1 includes the necessary nomadServices functionality.
  6. 24 Jun, 2022 1 commit
  7. 09 Jun, 2022 1 commit
    • helpers: provide a few generic helper functions · 109f25fe
      Seth Hoenig authored
      This PR deprecates some functions in favor of generic alternatives.
      
      The new functions are compatible only with Nomad v1.4+.
      
      The old functions (and their uses) should not be removed until Nomad v1.6+.
  8. 02 Jun, 2022 1 commit
  9. 31 May, 2022 1 commit
  10. 25 May, 2022 1 commit
  11. 24 May, 2022 1 commit
    • artifact: fix numerous go-getter security issues · 39685098
      Michael Schurter authored
      Fix numerous go-getter security issues:
      
      - Add timeouts to http, git, and hg operations to prevent DoS
      - Add size limit to http to prevent resource exhaustion
      - Disable following symlinks in both artifacts and `job run`
      - Stop performing initial HEAD request to avoid file corruption on
        retries and DoS opportunities.
      
      **Approach**
      
      Since Nomad has no ability to differentiate a DoS-via-large-artifact vs
      a legitimate workload, all of the new limits are configurable at the
      client agent level.
      
      The max size of HTTP downloads is also exposed as a node attribute so
      that if some workloads have large artifacts they can specify a high
      limit in their jobspecs.
      
      In the future all of this plumbing could be extended to enable/disable
      specific getters or artifact downloading entirely on a per-node basis.
  12. 22 Apr, 2022 1 commit
  13. 06 Apr, 2022 1 commit
  14. 05 Apr, 2022 1 commit
    • Support Vault entity aliases (#12449) · d412f7b4
      Luiz Aoqui authored
      Move some common Vault API data struct decoding out of the Vault client
      so it can be reused in other situations.
      
      Make Vault job validation its own function so it's easier to expand it.
      
      Rename the `Job.VaultPolicies` method to just `Job.Vault` since it
      returns the full Vault block, not just their policies.
      
      Set `ChangeMode` on `Vault.Canonicalize`.
      
      Add some missing tests.
      
      Allows specifying an entity alias that will be used by Nomad when
      deriving the task Vault token.
      
      An entity alias assigns an identity to a token, allowing better control
      and management of Vault clients since all tokens with the same identity
      alias will now be considered the same client. This helps track Nomad
      activity in Vault's audit logs and gives better control over Vault billing.
      
      Add support for a new Nomad server configuration to define a default
      entity alias to be used when deriving Vault tokens. This default value
      will be used if the task doesn't have an entity alias defined.
  15. 04 Apr, 2022 1 commit
  16. 29 Mar, 2022 2 commits
  17. 23 Mar, 2022 2 commits
    • dependabot[bot]
    • client: enable support for cgroups v2 · 5da1a31e
      Seth Hoenig authored
      This PR introduces support for using Nomad on systems with cgroups v2 [1]
      enabled as the cgroups controller mounted on /sys/fs/cgroups. Newer Linux
      distros like Ubuntu 21.10 are shipping with cgroups v2 only, causing problems
      for Nomad users.
      
      Nomad mostly "just works" with cgroups v2 due to the indirection via libcontainer,
      but not so for managing cpuset cgroups. Before, Nomad has been making use of
      a feature in v1 where a PID could be a member of more than one cgroup. In v2
      this is no longer possible, and so the logic around computing cpuset values
      must be modified. When Nomad detects v2, it manages cpuset values in-process,
      rather than making use of cgroup hierarchy inheritance via shared/reserved
      parents.
      
      Nomad will only activate the v2 logic when it detects cgroups2 is mounted at
      /sys/fs/cgroups. This means on systems running in hybrid mode with cgroups2
      mounted at /sys/fs/cgroups/unified (as is typical) Nomad will continue to
      use the v1 logic, and should operat...
  18. 24 Feb, 2022 2 commits
  19. 23 Feb, 2022 1 commit
  20. 17 Feb, 2022 1 commit
  21. 16 Feb, 2022 1 commit
  22. 03 Feb, 2022 2 commits
  23. 31 Jan, 2022 1 commit
    • deps: import libtime the normal way · 97176a56
      Seth Hoenig authored
      Previously we copied this library by hand to avoid vendor-ing a bunch of
      files related to minimock. Now that we no longer vendor, just import the
      library normally.
      
      Also we might use more of the library for handling `time.After` uses,
      for which this library provides a Context-based solution.
  24. 27 Jan, 2022 1 commit
  25. 25 Jan, 2022 1 commit
  26. 24 Jan, 2022 3 commits
  27. 19 Jan, 2022 3 commits
  28. 18 Jan, 2022 1 commit
  29. 13 Jan, 2022 1 commit