This project is mirrored from https://gitee.com/mirrors/nomad.git.
  1. 21 Sep, 2022 1 commit
    • cleanup more helper updates (#14638) · ff1a30fe
      Seth Hoenig authored
      * cleanup: refactor MapStringStringSliceValueSet to be cleaner
      
      * cleanup: replace SliceStringToSet with actual set
      
      * cleanup: replace SliceStringSubset with real set
      
      * cleanup: replace SliceStringContains with slices.Contains
      
      * cleanup: remove unused function SliceStringHasPrefix
      
      * cleanup: fixup StringHasPrefixInSlice doc string
      
      * cleanup: refactor SliceSetDisjoint to use real set
      
      * cleanup: replace CompareSliceSetString with SliceSetEq
      
      * cleanup: replace CompareMapStringString with maps.Equal
      
      * cleanup: replace CopyMapStringString with CopyMap
      
      * cleanup: replace CopyMapStringInterface with CopyMap
      
      * cleanup: fixup more CopyMapStringString and CopyMapStringInt
      
      * cleanup: replace CopySliceString with slices.Clone
      
      * cleanup: remove unused CopySliceInt
      
      * cleanup: refactor CopyMapStringSliceString to be generic as CopyMapOfSlice
      
      * cleanup: replace CopyMap with maps.Clone
      
      * cleanup: run go mod tidy
  2. 09 Sep, 2022 1 commit
  3. 01 Sep, 2022 2 commits
  4. 30 Aug, 2022 2 commits
    • Vars: Update CT dependency to support variables. (#14399) · 015e4617
      Charlie Voiselle authored
      * Update Consul Template dep to support Nomad vars
      
      * Remove `Peering` config for Consul Testservers
      Upgrading to the 1.14 Consul SDK introduces an additional default
      configuration—`Peering`—that is not compatible with versions of Consul
      before v1.13.0. Because Nomad tests against Consul v1.11.1, this
      configuration has to be nil'ed out before passing it to the Consul
      binary.
    • keyring: wrap root key in key encryption key (#14388) · b7fea76f
      Tim Gross authored
      Update the on-disk format for the root key so that it's wrapped with a unique
      per-key/per-server key encryption key. This is a bit of security theatre for the
      current implementation, but it uses `go-kms-wrapping` as the interface for
      wrapping the key. This provides a shim for future support of external KMS such
      as cloud provider APIs or Vault transit encryption.
      
      * Removes the JSON serialization extension we had on the `RootKey` struct; this
        struct is now only used for key replication and not for disk serialization, so
        we don't need this helper.
      
      * Creates a helper for generating cryptographically random slices of bytes that
        properly accounts for short reads from the source.
      
      * No observable functional changes outside of the on-disk format, so there are
        no test updates.
  5. 29 Aug, 2022 1 commit
  6. 26 Aug, 2022 3 commits
  7. 25 Aug, 2022 1 commit
  8. 24 Aug, 2022 2 commits
  9. 17 Aug, 2022 1 commit
  10. 15 Aug, 2022 5 commits
  11. 14 Aug, 2022 1 commit
  12. 08 Aug, 2022 2 commits
  13. 05 Aug, 2022 1 commit
  14. 04 Aug, 2022 2 commits
    • deps: update opencontainers/runc to v1.1.3 · 6d9e1793
      Seth Hoenig authored
    • qemu: reduce monitor socket path (#13971) · e1ae7bf7
      Luiz Aoqui authored
      The QEMU driver can take an optional `graceful_shutdown` configuration
      which will create a Unix socket to send ACPI shutdown signal to the VM.
      
      Unix sockets have a hard length limit and the driver implementation
      assumed that QEMU versions 2.10.1 were able to handle longer paths. This
      is not correct; the linked QEMU fix only changed the behaviour from
      silently truncating longer socket paths to throwing an error.
      
      By validating the socket path before starting the QEMU machine we can
      provide users a more actionable and meaningful error message, and by
      using a shorter socket file name we leave a bit more room for
      user-defined values in the path, such as the task name.
      
      The maximum length allowed is also platform-dependent, so validation
      needs to be different for each OS.
  15. 03 Aug, 2022 1 commit
  16. 01 Aug, 2022 2 commits
  17. 20 Jul, 2022 1 commit
  18. 13 Jul, 2022 1 commit
  19. 12 Jul, 2022 3 commits
  20. 11 Jul, 2022 2 commits
    • workload identity (#13223) · d3e9b9ac
      Tim Gross authored
      In order to support implicit ACL policies for tasks to get their own
      secrets, each task would need to have its own ACL token. This would
      add extra raft overhead as well as new garbage collection jobs for
      cleaning up task-specific ACL tokens. Instead, Nomad will create a
      workload Identity Claim for each task.
      
      An Identity Claim is a JSON Web Token (JWT) signed by the server’s
      private key and attached to an Allocation at the time a plan is
      applied. The encoded JWT can be submitted as the X-Nomad-Token header
      to replace ACL token secret IDs for the RPCs that support identity
      claims.
      
      Whenever a key is added to a server’s keyring, it will use the key
      as the seed for an Ed25519 public-private keypair. That keypair
      will be used for signing the JWT and for verifying the JWT.
      
      This implementation is a ruthlessly minimal approach to support the
      secure variables feature. When a JWT is verified, the allocation ID
      will be checked against the Nomad state store, and non-existent or
      terminal allocation IDs will cause the validation to be rejected. This
      is sufficient to support the secure variables feature at launch
      without requiring implementation of a background process to renew
      soon-to-expire tokens.
    • Provide mock secure variables implementation (#12980) · 15d6dde2
      Charlie Voiselle authored
      * Add SecureVariable mock
      * Add SecureVariableStub
      * Add SecureVariable Copy and Stub funcs
  21. 06 Jul, 2022 1 commit
  22. 01 Jul, 2022 1 commit
  23. 25 Jun, 2022 1 commit
    • api: enable selecting subset of services using rendezvous hashing · bdead318
      Seth Hoenig authored
      This PR adds the 'choose' query parameter to the '/v1/service/<service>' endpoint.
      
      The value of 'choose' is in the form '<number>|<key>', number is the number
      of desired services and key is a value unique but consistent to the requester
      (e.g. allocID).
      
      Folks aren't really expected to use this API directly, but rather through consul-template
      which will soon be getting a new helper function making use of this query parameter.
      
      Example,
      
      curl 'localhost:4646/v1/service/redis?choose=2|abc123'
      
      Note: consul-template v0.29.1 includes the necessary nomadServices functionality.
  24. 24 Jun, 2022 1 commit
  25. 09 Jun, 2022 1 commit
    • helpers: provide a few generic helper functions · 109f25fe
      Seth Hoenig authored
      This PR deprecates some functions in favor of generic alternatives.
      
      The new functions are compatible only with Nomad v1.4+.
      
      The old functions (and their use) should not be removed until Nomad v1.6+.