nomad 0.5.5 segfault with vault enable=true

Created on 15 Mar 2017 · 9 Comments · Source: hashicorp/nomad

If you have a question, prepend your issue with [question] or preferably use the nomad mailing list.

If filing a bug please include the following:

Nomad version

Nomad v0.5.5

Operating system and Environment details

$ cat /etc/issue
Debian GNU/Linux 8 \n \l

$ uname -a
Linux nomad1 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux

Issue

SIGSEGV

Reproduction steps

vault {
  enabled = true
  address = "https://vault.service.consul:8200"
  token = "MAGICTOKENHERE"
  # Setting the create_from_role option causes Nomad to create tokens for tasks
  # via the provided role. This allows the role to manage what policies are
  # allowed and disallowed for use by tasks.
  create_from_role = "nomad-server"
}

Nomad Server logs (if appropriate)

2017/03/15 15:49:22.573381 [INFO] server.nomad: successfully contacted 2 Nomad Servers

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0xd0fca0]

goroutine 12 [running]:
github.com/hashicorp/nomad/nomad.(*vaultClient).validateRole(0xc420381380, 0xc4203e12b1, 0xc, 0xc4204b8000, 0x0)
/opt/gopath/src/github.com/hashicorp/nomad/nomad/vault.go:793 +0x290
github.com/hashicorp/nomad/nomad.(*vaultClient).parseSelfToken(0xc420381380, 0xc420444001, 0x0)
/opt/gopath/src/github.com/hashicorp/nomad/nomad/vault.go:680 +0x291
github.com/hashicorp/nomad/nomad.(*vaultClient).establishConnection(0xc420381380)
/opt/gopath/src/github.com/hashicorp/nomad/nomad/vault.go:437 +0x293
github.com/hashicorp/nomad/nomad.(*vaultClient).(github.com/hashicorp/nomad/nomad.establishConnection)-fm()
/opt/gopath/src/github.com/hashicorp/nomad/nomad/vault.go:259 +0x2a
github.com/hashicorp/nomad/nomad.wrapNilError.func1(0x0, 0x0)
/opt/gopath/src/github.com/hashicorp/nomad/nomad/vault.go:1178 +0x24
github.com/hashicorp/nomad/vendor/gopkg.in/tomb%2ev2.(*Tomb).run(0xc4204031d0, 0xc420413380)
/opt/gopath/src/github.com/hashicorp/nomad/vendor/gopkg.in/tomb.v2/tomb.go:153 +0x2b
created by github.com/hashicorp/nomad/vendor/gopkg.in/tomb%2ev2.(*Tomb).Go
/opt/gopath/src/github.com/hashicorp/nomad/vendor/gopkg.in/tomb.v2/tomb.go:149 +0xd2

Nomad Client logs (if appropriate)

Job file (if appropriate)

All 9 comments

with vault { enabled=false }, it starts up fine.

@csawyerYumaed Just verified! It crashes if that role doesn't exist! If you create the role it should work.

I used to use a root token, but according to the 0.5.5 changelog, root tokens aren't allowed anymore, so I'm using the instructions provided via the docs..

curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L
vault policy-write nomad-server nomad-server-policy.hcl
vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json
vault token-create -policy nomad-server -period 72h

@csawyerYumaed Change create_from_role = "nomad-server" to create_from_role = "nomad-cluster"

I see the docs that confused you (https://www.nomadproject.io/docs/agent/configuration/vault.html). Will update the website.

yup, sorry! I should have caught that. Fixed, and it starts now! :)

@csawyerYumaed Website is updated! Sorry about that!

Oh also @dadgar, if you don't allow root tokens, the website should probably be updated to not mention root tokens anymore.

@csawyerYumaed Root tokens are still allowed. What has changed is that tasks can't ask for a root token.

https://www.nomadproject.io/docs/vault-integration/index.html#root-token-integration

AH! I misunderstood that, and went to all this trouble to not use a root token for nomad master. Oh well, probably better for me anyways! Thanks for "forcing" me to be more secure, HAHA :)
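
Added example, not part of the thread and not Nomad's own code: a sketch of the failure mode the trace and the "role doesn't exist" reply point to, next to a checked version that reports a configuration error instead of crashing. The `Secret`, `roleReader`, `fakeVault` and `errRoleMissing` names, both function bodies and the role data are constructed for illustration, and the lookup of a missing role is assumed to return a nil result with no error.

```go
package main

import "fmt"

// Secret is a hypothetical stand-in for the result of a Vault read.
type Secret struct{ Data map[string]interface{} }

// roleReader is a hypothetical interface for reading auth/token/roles/<name>.
type roleReader interface{ Read(path string) (*Secret, error) }

// fakeVault holds constructed roles; a missing role yields (nil, nil) by assumption.
type fakeVault map[string]*Secret

func (f fakeVault) Read(path string) (*Secret, error) { return f[path], nil }

var errRoleMissing = fmt.Errorf("vault role not found")

// validateRoleUnsafe uses the read result without checking it for nil.
func validateRoleUnsafe(r roleReader, role string) (err error) {
	defer func() { // recover only so the example can show the panic as a value
		if p := recover(); p != nil {
			err = fmt.Errorf("panic: %v", p)
		}
	}()
	s, _ := r.Read("auth/token/roles/" + role)
	if _, ok := s.Data["period"]; !ok { // nil dereference when s == nil
		return fmt.Errorf("role has no period")
	}
	return nil
}

// validateRole treats a nil result as a missing role named in create_from_role.
func validateRole(r roleReader, role string) error {
	s, err := r.Read("auth/token/roles/" + role)
	if err != nil {
		return fmt.Errorf("reading role %q: %w", role, err)
	}
	if s == nil || s.Data == nil {
		return fmt.Errorf("create_from_role = %q: %w", role, errRoleMissing)
	}
	return nil
}

func main() {
	// Constructed state: only the nomad-cluster role has been written.
	v := fakeVault{"auth/token/roles/nomad-cluster": {Data: map[string]interface{}{"period": 259200}}}
	for _, role := range []string{"nomad-server", "nomad-cluster"} {
		fmt.Println(role, "| unsafe:", validateRoleUnsafe(v, role), "| checked:", validateRole(v, role))
	}
}
```
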
