Nomad: [question] howto set file owner/permission after artifact is downloaded?
Nomad version
Nomad v0.5.6
Operating system and Environment details
CentOS 7/Ubuntu 16.04
Issue
Using this as reference:
https://www.nomadproject.io/docs/job-specification/artifact.html
I also tried: https://github.com/hashicorp/go-getter
How can I set file permissions to the downloaded artifact?
For security reason, I would like to set 0600 on the downloaded artifact file, before my application can use it.
I hope I am missing some simple configuration option for the artifact 馃檨
As an extension, is it possible to set ownership on the downloaded file.
I don't need owner settings immediately, though it could come in handy later (I think)
Thanks and Regards,
Shantanu
shantanugadgil
All 17 comments
@shantanugadgil No there currently isn't. I have file an issue for go-getter to add support for that. When that comes we can add it to the job file.
For now you will have to wrap your task in a script that sets the permissions and then runs the app.
dadgar
on 8 May 2017
@dadgar any updates on this?
Regards,
Shantanu
shantanugadgil
on 5 Jul 2017
I had an issue trying to run tomcat inside a java driver job. As the downloaded war was inside /local/apps tomcat couldn't deploy it. I have made /local the directory and it now works but it would be great to be able to set ownership and permissions. Will follow up on the go-getter issue.
rafaelpirolla
on 29 Nov 2018
Any chance of this making into 0.9.0 ?
shantanugadgil
on 12 Dec 2018
For anyone else waiting on a proper fix here, my current workaround is to execute bash directly and pass it a script that sets the executable bit first:
config {
command = "bash"
args = ["-c", "chmod +x local/app && exec local/app"]
}
dradtke
on 5 Mar 2019
Nowadays what I do is put all the "shell logic" inside a script and just execute that script as the command.
Usually the last line of the script is the actual app to run! :smile:
shantanugadgil
on 7 May 2019
I used the method suggested by @dradtke which worked fine until I upgraded to Nomad 0.9.2 yesterday and now I'm getting these in the stderr log.
chmod: changing permissions of 'local/my-bin': Operation not permitted
EDIT: I guess this is related to #5728 - using an artifact {} stanza to place the file leaves it owned by root:root so then during the job execution, nobody isn't able to chmod the file.
The nicest solution for this is for the artifact {} stanza to set permissions however a hacky solution is to cp the binary so it's owned by nobody, then chmod that...
ccakes
on 12 Jun 2019
Another workaround for permissions is to package the file in a tar or zip archive with the correct permissions, and then to use the files in /local. Permissions are preserved when decompressing.
langmartin
on 28 Aug 2019
yup, hit the same wall here. .tar.gz file is decompressed and all the files permissions are set to root.
danlsgiga
on 3 Mar 2020
The milestone changed to unscheduled 馃槩 ???
I know permissions do not make sense for 'all extracted file of an archive',
but at least make this possible for single file downloads.
For example if I am downloading a binary, I have to ensure that its executable.
If not, how about adding an example of a template block in the docs of the artifact stanza, for anyone looking for the word "perm" and/or "owner"
shantanugadgil
on 13 Mar 2020
The milestone changed to unscheduled
No worries, that just means we don't have a specific release to slot this into yet, not that we're never going to tackle it.
tgross
on 13 Mar 2020
We just hit this also.
raypettersen
on 10 Apr 2020
Frustratingly, also just hit this issue, file permissions not retained after decompression, I am not sure how the "exec" driver would ever be useful without the right permissions (especially as it defaults to "nobody")
HarryHarcourt
on 10 Jun 2020
Same here. tarball doesn't solve: permissions are still set to root also after decompressing.
pdumon
on 24 Jun 2020
combined with the artifact stanza to download the tarball, I typically use the following boiler plate job script.
This allows me to then execute any chmod/chown commands as I please. 馃槃
job "sample" {
datacenters = ["dc1"]
type = "batch"
group "sample" {
task "sample" {
driver = "raw_exec"
template {
data = <<EOH
#!/bin/bash
set -u
id -a
hostname
env | sort
sleep 30
EOH
destination = "local/runme.bash"
}
config {
command = "/bin/bash"
args = ["-x", "local/runme.bash"]
}
}
}
}
HTH.
shantanugadgil
on 24 Jun 2020
We're using the qemu driver and artifact to specify the VM image. If I wrap the qemu commands into a raw_exec task, then I also use port_map and so forth... Tried to look into the go-getter code to see where things are going wrong but couldn't really find.
pdumon
on 26 Jun 2020
Hmmm, same here. As a work-around, I prevent artifact from extracting the archive (using archive = false) and use a template to create a small wrapper bash script that extracts the archive and then runs the application.
config {
command = "/bin/bash"
args = ["run.sh", "--my", "--real=args"]
}
template {
data = <<EOH
#!/usr/bin/env bash
cd local
tar xzf ./release.tar.gz
bin/myapp "$@"
EOH
destination = "run.sh"
perms = "755"
}
But that's still a lot of ceremony for something really simple. I expected the artifact stanza to extract my tar archive using the same user that the task uses to run. Would that work?
aflatter
on 9 Jul 2020
Related issues
DanielDent
路
3Comments
hynek
路
3Comments
funkytaco
路
3Comments
stongo
路
3Comments
jrasell
路
3Comments
Most helpful comment
Hmmm, same here. As a work-around, I prevent
artifactfrom extracting the archive (usingarchive = false) and use atemplateto create a small wrapper bash script that extracts the archive and then runs the application.But that's still a lot of ceremony for something really simple. I expected the
artifactstanza to extract my tar archive using the same user that the task uses to run. Would that work?