This project is mirrored from https://gitee.com/mirrors/nomad.git.
  1. 23 Jun, 2022 1 commit
  2. 24 May, 2022 1 commit
      artifact: fix numerous go-getter security issues · 39685098
      Michael Schurter authored
      Fix numerous go-getter security issues:
      
      - Add timeouts to http, git, and hg operations to prevent DoS
      - Add size limit to http to prevent resource exhaustion
      - Disable following symlinks in both artifacts and `job run`
      - Stop performing initial HEAD request to avoid file corruption on
        retries and DoS opportunities.
      
      **Approach**
      
      Since Nomad has no ability to differentiate a DoS-via-large-artifact vs
      a legitimate workload, all of the new limits are configurable at the
      client agent level.
      
      The max size of HTTP downloads is also exposed as a node attribute so
      that if some workloads have large artifacts they can specify a high
      limit in their jobspecs.
      
      In the future all of this plumbing could be extended to enable/disable
      specific getters or artifact downloading entirely on a per-node basis.
  3. 09 Apr, 2022 1 commit
  4. 06 Apr, 2022 1 commit
  5. 04 Apr, 2022 1 commit
      raw_exec: make raw exec driver work with cgroups v2 · be7ec8de
      Seth Hoenig authored
      This PR adds support for the raw_exec driver on systems with only cgroups v2.
      
      The raw exec driver is able to use cgroups to manage processes. This happens
      only on Linux, when exec_driver is enabled, and the no_cgroups option is not
      set. The driver uses the freezer controller to freeze processes of a task,
      issue a sigkill, then unfreeze. Previously the implementation assumed cgroups
      v1, and now it also supports cgroups v2.
      
      There is a bit of refactoring in this PR, but the fundamental design remains
      the same.
      
      Closes #12351 #12348
  6. 21 Mar, 2022 1 commit
  7. 14 Mar, 2022 1 commit
  8. 23 Feb, 2022 1 commit
  9. 19 Feb, 2022 1 commit
      core: remove all traces of unused protocol version · 2411d3af
      Michael Schurter authored
      Nomad inherited protocol version numbering configuration from Consul and
      Serf, but unlike those projects Nomad has never used it. Nomad's
      `protocol_version` has always been `1`.
      
      While the code is effectively unused and therefore poses no runtime
      risks to leave, I felt like removing it was best because:
      
      1. Nomad's RPC subsystem has been able to evolve extensively without
         needing to increment the version number.
      2. Nomad's HTTP API has evolved extensively without incrementing
         `API{Major,Minor}Version`. If we want to version the HTTP API in the
         future, I doubt this is the mechanism we would choose.
      3. The presence of the `server.protocol_version` configuration
         parameter is confusing since `server.raft_protocol` *is* an important
         parameter for operators to consider. Even more confusing is that
         there is a distinct Serf protocol version which is included in `nomad
         server members` output under the heading `Protocol`. `raft_protocol`
         is the...
  10. 10 Jan, 2022 1 commit
      Expose Consul template configuration parameters (#11606) · 43edd0e7
      Derek Strickland authored
      
      This PR exposes the following existing `consul-template` configuration options to Nomad jobspec authors in the `{job.group.task.template}` stanza.
      
      - `wait`
      
      It also exposes the following `consul-template` configuration to Nomad operators in the `{client.template}` stanza.
      
      - `max_stale`
      - `block_query_wait`
      - `consul_retry`
      - `vault_retry`
      - `wait`
      
      Finally, it adds the following new Nomad-specific configuration to the `{client.template}` stanza that allows Operators to set bounds on what `jobspec` authors configure.
      
      - `wait_bounds`
      Co-authored-by: Tim Gross <tgross@hashicorp.com>
      Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
  11. 03 Jan, 2022 1 commit
  12. 01 Nov, 2021 1 commit
  13. 06 Oct, 2021 1 commit
      Add FailoverHeartbeatTTL to config (#11127) · 0881b942
      Matt Mukerjee authored
      FailoverHeartbeatTTL is the amount of time to wait after a server leader failure
      before considering reallocating client tasks. This TTL should be fairly long as
      the new server leader needs to rebuild the entire heartbeat map for the
      cluster. In deployments with a small number of machines, the default TTL (5m)
      may be unnecessarily long. Let's allow operators to configure this value in their
      config files.
  14. 10 Sep, 2021 1 commit
  15. 07 Jun, 2021 1 commit
      consul: probe consul namespace feature before using namespace api · 0bc8a330
      Seth Hoenig authored
      This PR changes Nomad's wrapper around the Consul NamespaceAPI so that
      it will detect if the Consul Namespaces feature is enabled before making
      a request to the Namespaces API. Namespaces are not enabled in Consul OSS,
      and require a suitable license to be used with Consul ENT.
      
      Previously Nomad would check for a 404 status code when making a request
      to the Namespaces API to "detect" if Consul OSS was being used. This does
      not work for Consul ENT with Namespaces disabled, which returns a 500.
      
      Now we avoid requesting the namespace API altogether if Consul is detected
      to be the OSS sku, or if the Namespaces feature is not licensed. Since
      Consul can be upgraded from OSS to ENT, or a new license applied, we cache
      the value for 1 minute, refreshing on demand if expired.
      
      Fixes https://github.com/hashicorp/nomad-enterprise/issues/575
      
      Note that the ticket originally describes using attributes from https://github.com/hashicorp/nomad/issues/10688....
  16. 04 Jun, 2021 1 commit
  17. 28 Apr, 2021 1 commit
  18. 16 Apr, 2021 1 commit
      api: implement fuzzy search API · 350d9ebc
      Seth Hoenig authored
      This PR introduces the /v1/search/fuzzy API endpoint, used for fuzzy
      searching objects in Nomad. The fuzzy search endpoint routes requests
      to the Nomad Server leader, which implements the Search.FuzzySearch RPC
      method.
      
      Requests to the fuzzy search API are based on the api.FuzzySearchRequest
      object, e.g.
      
      ```json
      {
        "Text": "ed",
        "Context": "all"
      }
      ```
      
      Responses from the fuzzy search API are based on the api.FuzzySearchResponse
      object, e.g.
      
      ```json
      {
        "Index": 27,
        "KnownLeader": true,
        "LastContact": 0,
        "Matches": {
          "tasks": [
            {
              "ID": "redis",
              "Scope": [
                "default",
                "example",
                "cache"
              ]
            }
          ],
          "evals": [],
          "deployment": [],
          "volumes": [],
          "scaling_policy": [],
          "images": [
            {
              "ID": "redis:3.2",
              "Scope": [
                "default",
                "example",
                "cache",
                "redis"
              ]
            }
          ]
        },
        "Truncations": {
          "volumes": false,
          "scaling_policy": false,
          "evals": false,
          "deployment": false
        }
      }
      ```
      
      The API is tunable using the new server.search stanza, e.g.
      
      ```hcl
      server {
        search {
          fuzzy_enabled   = true
          limit_query     = 200
          limit_results   = 1000
          min_term_length = 5
        }
      }
      ```
      
      These values can be increased or decreased, so as to provide more
      search results or to reduce load on the Nomad Server. The fuzzy search
      API can be disabled entirely by setting `fuzzy_enabled` to `false`.
  19. 13 Apr, 2021 2 commits
  20. 05 Apr, 2021 1 commit
  21. 31 Mar, 2021 1 commit
      test infrastructure for mock client RPCs (#10193) · bb194cb9
      Tim Gross authored
      This commit includes a new test client that allows overriding the RPC
      protocols. Only the RPCs that are passed in are registered, which lets you
      implement a mock RPC in the server tests. This commit includes an example of
      this for the ClientCSI RPC server.
  22. 23 Mar, 2021 1 commit
  23. 22 Oct, 2020 1 commit
      remove event durability (#9147) · 3347b40d
      Drew Bailey authored
      * remove event durability
      
      temporarily removing go-memdb event durability until a new strategy is developed on how to best handle increased durability needs
      
      * drop events table schema and state store methods
      
      * fix neweventbuffer invocations
  24. 15 Oct, 2020 1 commit
  25. 14 Oct, 2020 3 commits
  26. 13 Oct, 2020 2 commits
      consul/connect: dynamically select envoy sidecar at runtime · bdeb73cd
      Seth Hoenig authored
      As newer versions of Consul are released, the minimum version of Envoy
      it supports as a sidecar proxy also gets bumped. Starting with the upcoming
      Consul v1.9.X series, Envoy v1.11.X will no longer be supported. Current
      versions of Nomad hardcode a version of Envoy v1.11.2 to be used as the
      default implementation of Connect sidecar proxy.
      
      This PR introduces a change such that each Nomad Client will query its
      local Consul for a list of Envoy proxies that it supports (https://github.com/hashicorp/consul/pull/8545)
      and then launch the Connect sidecar proxy task using the latest supported version
      of Envoy. If the `SupportedProxies` API component is not available from
      Consul, Nomad will fall back to the old version of Envoy supported by old
      versions of Consul.
      
      Setting the meta configuration option `meta.connect.sidecar_image` or
      setting the `connect.sidecar_task` stanza will take precedence as is
      the current behavior for sidecar proxies.
      
      Setting the meta configuration option `meta.connect.gateway_image`
      will take precedence as is the current behavior for connect gateways.
      
      `meta.connect.sidecar_image` and `meta.connect.gateway_image` may make
      use of the special `${NOMAD_envoy_version}` variable interpolation, which
      resolves to the newest version of Envoy supported by the Consul agent.
      
      Addresses #8585 #7665
  27. 01 Oct, 2020 2 commits
  28. 21 Aug, 2020 1 commit
      consul/connect: add initial support for ingress gateways · 9ffdeed9
      Seth Hoenig authored
      This PR adds initial support for running Consul Connect Ingress Gateways (CIGs) in Nomad. These gateways are declared as part of a task group level service definition within the connect stanza.
      
      ```hcl
      service {
        connect {
          gateway {
            proxy {
              // envoy proxy configuration
            }
            ingress {
              // ingress-gateway configuration entry
            }
          }
        }
      }
      ```
      
      A gateway can be run in `bridge` or `host` networking mode, with the caveat that host networking necessitates manually specifying the Envoy admin listener (which cannot be disabled) via the service port value.
      
      Currently Envoy is the only supported gateway implementation in Consul, and Nomad only supports running Envoy as a gateway using the docker driver.
      
      Aims to address #8294 and tangentially #8647
  29. 17 Jul, 2020 1 commit
  30. 08 Jul, 2020 1 commit
  31. 06 Jul, 2020 1 commit
  32. 19 Jun, 2020 1 commit
  33. 31 May, 2020 1 commit
  34. 27 May, 2020 1 commit
      Oss license support for ent builds (#8054) · 7fc495e3
      Drew Bailey authored
      * changes necessary to support oss licensing shims
      
      revert nomad fmt changes
      
      update test to work with enterprise changes
      
      update tests to work with new ent enforcements
      
      make check
      
      update cas test to use scheduler algorithm
      
      back out preemption changes
      
      add comments
      
      * remove unused method
  35. 11 May, 2020 1 commit
      Periodic GC for volume claims (#7881) · 8192aa60
      Tim Gross authored
      This changeset implements a periodic garbage collection of CSI volumes
      with missing allocations. This can happen in a scenario where a node
      update fails partially and the allocation updates are written to raft
      but the evaluations to GC the volumes are dropped. This feature will
      cover this edge case and ensure that upgrades from 0.11.0 and 0.11.1
      get any stray claims cleaned up.