Nomad: exec driver: folder permissions in chroot env lack execute permissions

Created on 2 Nov 2016 · 5 Comments · Source: hashicorp/nomad

Nomad version

Nomad v0.4.1
Nomad v0.5.0-rc1 ('a8c8199e413d387021a15d7a1400c8b8372124d6+CHANGES')

Operating system and Environment details

Linux. Tested on Fedora 24 and CoreOS Stable 1123

Issue

If the chroot_env configuration maps an individual file, the containing folder in the chroot environment lacks execute permissions.

Reproduction steps

  1. Create nomad.conf containing:

     data_dir  = "/var/lib/nomad"
     log_level = "DEBUG"

     client {
       chroot_env {
         "/etc/resolv.conf" = "/etc/resolv.conf"
       }
     }

  2. Run Nomad agent: nomad agent -dev -config=nomad.conf
  3. Run an exec type job, e.g. nomad run helloword.nomad
  4. Inspect alloc folder: nomad fs <alloc-id> helloworld
  5. etc folder lacks execute permissions
    > Mode Size Modified Time Name
    > drwxrwxrwx 4.0 KiB 11/02/16 14:04:18 CET alloc/
    > drwxr-xr-x 4.2 KiB 11/02/16 08:46:32 CET dev/
    > drw-r--r-- 4.0 KiB 11/02/16 14:04:43 CET etc/
    > ....

Nomad Server logs (if appropriate)

don't provide any details

Nomad Client logs (if appropriate)

don't provide any details

Job file (if appropriate)

Any exec job will do. Helloword.nomad (0.4.1 version):

job "helloworld" {
  datacenters = ["dc1"]
  type = "service"

  update {
    stagger = "5s"
    max_parallel = 1
  }

  group "helloworld" {
    count = 1

    task "helloworld" {
      driver = "exec"
      config {
        command = "helloworld"
      }

      artifact {
        source = "https://storage.googleapis.com/global-datacenter-eu/helloworld/helloworld"
        options {
          checksum = "sha256:ee4751f7b17775e0d34514f0a00b9e92b39a8b859fc00d8e2f69e5aa6cceea4e"
        }
      }

      resources {
        cpu = 100
        disk = 200
        memory = 64
        network {
          mbits = 1
          port "http" {}
        }
      }

      service {
        name = "helloworld"
        tags = ["urlprefix-helloworld.gce.nauts.io/"]
        port = "http"
        check {
          type = "http"
          name = "health"
          interval = "15s"
          timeout = "5s"
          path = "/health"
        }
      }
    }
  }
}
All 5 comments

Hey we mount with the same permissions as the host. Further we attempt to make the binary specified executable if it is not.

Ha Alex, the issue is not with file itself, but the containing folder, /etc in this case.

Is the permission of the folder different in the chroot than on the host?

I have also seen this issue. I guess it's due to this line https://github.com/hashicorp/nomad/blob/master/client/allocdir/alloc_dir.go#L317

os.MkdirAll is using permissions of particular file (/etc/resolv.conf) which are set for containing directories as well. So permissions on /etc/resolv.conf will also be used for containing dir 'etc' which leads to 'etc' having incorrect permissions (lacking execute)

@devendram Thanks for pointing that out. Will get this fixed soon
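The behaviour discussed in the comments above, reproduced as an added Go example; it is not Nomad's code and not the fix the project shipped. The names mkParents, modeSrcBuggy, modeSrcFixed and run are hypothetical, and the host tree is constructed in a temp directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// mkParents creates rel's parent dir under chroot with modeSrc's permission bits and returns its mode.
func mkParents(chroot, rel, modeSrc string) (os.FileMode, error) {
	fi, err := os.Stat(modeSrc)
	if err != nil {
		return 0, err
	}
	dst := filepath.Join(chroot, filepath.Dir(rel))
	if err := os.MkdirAll(dst, fi.Mode().Perm()); err != nil {
		return 0, err
	}
	if fi, err = os.Stat(dst); err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// Mode source: the mapped file itself (the reported behaviour) or its host directory (one possible fix).
func modeSrcBuggy(host, rel string) string { return filepath.Join(host, rel) }
func modeSrcFixed(host, rel string) string { return filepath.Join(host, filepath.Dir(rel)) }

// run builds a constructed host tree (etc/resolv.conf, 0644) and returns the mode etc/ gets in the chroot.
func run(pick func(host, rel string) string) (os.FileMode, error) {
	base, err := os.MkdirTemp("", "chroot-demo") // base doubles as the chroot root
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(base)
	host, rel := filepath.Join(base, "host"), filepath.Join("etc", "resolv.conf")
	if err := os.MkdirAll(filepath.Join(host, "etc"), 0o755); err != nil {
		return 0, err
	}
	if err := os.WriteFile(filepath.Join(host, rel), []byte("# constructed\n"), 0o644); err != nil {
		return 0, err
	}
	return mkParents(base, rel, pick(host, rel))
}

func main() {
	fmt.Println(run(modeSrcBuggy)) // directory inherits the file's mode: no execute bits
	fmt.Println(run(modeSrcFixed)) // directory mirrors the host directory's mode
}
```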
