Nomad: [feature]: Enable specifying user/group permissions in the template stanza

Created on 18 Dec 2018 · 7 comments · Source: hashicorp/nomad

It would be great to have user and group parameters in the template stanza. This would allow us to trim down the perms of templates handling secrets to just the user/group of the user running in the container.

Use case: We have a few jobs running the docker driver and we are injecting a few config files using the template stanza with secrets from Vault. Right now we have to set perms = 444 in order to allow the task to read the rendered template. From a security standpoint, this is not optimal since 444 allows anyone to read the file. So, being able to specify a user/group combination in the template stanza would make things simpler since Nomad always creates the templates with user and group = root.

Having to do manual steps on a docker entrypoint script to achieve that is ugly IMO.

This is related to #2091

Labels: stage/good first issue · theme/consul-template · type/enhancement

All 7 comments

@danlsgiga could you not set perms=400 to restrict it to just the owner?

@preetapan not really! The template is created with user / group set to root and I run my container using nobody / nobody (best practices heh!). Setting perms = 400 (Tried that and didn't work) will make the file readable by root only.

Another use case here is certain software (eg PostgreSQL) enforces certain permissions for files like TLS keys and being able to get things working under Nomad can be problematic.

Using the docker executor, template files are written as root but in the container we don't know what user we're running as, although it probably shouldn't be root. Postgres enforces that key files are 0400 (or 0640) if owned by root so I've had to build a new image with postgres in the root group to make things work.

Adding simple options to set file ownership to uids would solve this
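The three situations described in this thread (a root:root file at 444 that the nobody task can read but so can everyone, the same file at 400 that the task cannot read at all, and the PostgreSQL 0640 root:group key file) all come down to the POSIX permission-class rule: a process is checked against exactly one class (owner, else group, else other), never a union of them. The script below is an added example, not Nomad or consul-template code, that applies that rule to a rendered template and reports whether the task can read it and whether it is exposed to every uid on the host. The uid/gid 65534 for nobody and gid 999 for a postgres group are assumed values; `audit_path` relies on GNU/BusyBox `stat -c`.

```shell
#!/bin/sh
# Added example (not Nomad code): classify a rendered template file by whether
# the container task's uid/gid can read it and whether any uid can read it.
# Assumptions: nobody = 65534:65534, a postgres group gid of 999, GNU stat.

# can_read MODE OWNER_UID OWNER_GID UID GID
# Exit 0 if a process running as UID:GID can read a file with octal MODE owned
# by OWNER_UID:OWNER_GID. Only one class is consulted (owner, else group, else
# other). Supplementary groups and capabilities other than root's DAC override
# are deliberately ignored; this is the plain POSIX rule.
can_read() {
    _bits=$((0$1)); _ouid=$2; _ogid=$3; _uid=$4; _gid=$5
    if [ "$_uid" -eq 0 ]; then
        return 0                          # root bypasses DAC read checks
    elif [ "$_uid" -eq "$_ouid" ]; then
        _class=$(( (_bits >> 6) & 7 ))    # owner rwx triplet
    elif [ "$_gid" -eq "$_ogid" ]; then
        _class=$(( (_bits >> 3) & 7 ))    # group rwx triplet
    else
        _class=$(( _bits & 7 ))           # other rwx triplet
    fi
    [ $(( _class & 4 )) -ne 0 ]
}

# world_readable MODE: exit 0 if the "other" read bit is set.
world_readable() {
    [ $(( (0$1) & 4 )) -ne 0 ]
}

# verdict MODE OWNER_UID OWNER_GID UID GID
# Prints OK (task can read it and other uids cannot), EXPOSED (task can read
# it only because everyone can) or UNREADABLE (task cannot read it at all).
verdict() {
    if ! can_read "$@"; then
        echo UNREADABLE
    elif world_readable "$1"; then
        echo EXPOSED
    else
        echo OK
    fi
}

# audit_path PATH UID GID: same verdict for a real file on disk.
audit_path() {
    set -- "$(stat -c '%a %u %g' "$1")" "$2" "$3"
    _m=${1%% *}; _rest=${1#* }; _ou=${_rest%% *}; _og=${_rest#* }
    verdict "$_m" "$_ou" "$_og" "$2" "$3"
}

# The cases from this thread, with the task running as nobody:nobody.
echo "perms=444 root:root,      task nobody   -> $(verdict 444 0 0 65534 65534)"
echo "perms=400 root:root,      task nobody   -> $(verdict 400 0 0 65534 65534)"
echo "perms=400 nobody:nobody,  task nobody   -> $(verdict 400 65534 65534 65534 65534)"
# PostgreSQL accepts a 0640 key owned by root if the server's group can read it.
echo "perms=640 root:postgres,  task postgres -> $(verdict 640 0 999 999 999)"
echo "perms=640 root:postgres,  task other    -> $(verdict 640 0 999 1000 1000)"
```

Running it shows why 444 is the only mode that works today (EXPOSED), why @preetapan's 400 suggestion fails (UNREADABLE), and that setting the owner to the task's uid lets 400 pass (OK) without making the secret world-readable. `audit_path` can be pointed at files under a Nomad alloc directory's `secrets/` or `local/` tree to flag rendered templates that are EXPOSED.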

Any update on this issue?

Hi @peimanja. Sorry we don't have an update on this. I've made sure to put it onto our backlog for discussion though.

Hey , I would like to work on this issue , could someone give me any idea on where to start from ?

Would adding extra checks here make a feasible solution?
