consul: allow non-root Nomad to rewrite token

When a task restarts, the Nomad client may need to rewrite the Consul token, but it's created with permissions that prevent a non-root agent from writing to it. While Nomad clients should be run as root (currently), it's harmless to allow whatever user the Nomad agent is running as to be able to write to it, and that's one less barrier to rootless Nomad. Ref: #23859 (comment)
hashicorp · Nov 8, 2024 · 0a369ec · 0a369ec
1 parent 0714353
commit 0a369ec
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/.changelog/24410.txt b/.changelog/24410.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart
+```
diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
@@ -25,7 +25,7 @@ const (
 
 	// consulTokenFilePerms is the level of file permissions granted on the file in
 	// the secrets directory for the task
-	consulTokenFilePerms = 0440
+	consulTokenFilePerms = 0640
 )
 
 type consulHook struct {