From 752b9ab207dfd6fa7072600e3be665d684e8b34b Mon Sep 17 00:00:00 2001
From: Diptanu Choudhury
Date: Sun, 12 Jun 2016 12:57:35 +0200
Subject: [PATCH 1/3] Removing artifact check for java and qemu drivers
---
 nomad/structs/structs.go | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index ba476fe9775..1f71ad0fc24 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -1849,13 +1849,6 @@ func (t *Task) Validate() error {
 }
 }
- // If the driver is java or qemu ensure that they have specified an
- // artifact.
- if (t.Driver == "qemu" || t.Driver == "java") && len(t.Artifacts) == 0 {
- err := fmt.Errorf("must specify at least one artifact when using %q driver", t.Driver)
- mErr.Errors = append(mErr.Errors, err)
- }
-
 return mErr.ErrorOrNil()
 }
From 12f3da9ad4bc41457de6d06116a8f41a20ce3e01 Mon Sep 17 00:00:00 2001
From: Diptanu Choudhury
Date: Sun, 12 Jun 2016 13:54:30 +0200
Subject: [PATCH 2/3] Not converting the abs path relative to task dir for drivers which enforce FS isolation only in linux
---
 client/driver/executor/executor.go | 42 +++++++++---------------
 client/driver/executor/executor_linux.go | 6 ++++
 2 files changed, 21 insertions(+), 27 deletions(-)
diff --git a/client/driver/executor/executor.go b/client/driver/executor/executor.go
index 8644b5aa049..59cc29eafb6 100644
--- a/client/driver/executor/executor.go
+++ b/client/driver/executor/executor.go
@@ -230,17 +230,6 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 e.ctx = ctx
 e.command = command
- // configuring the task dir
- if err := e.configureTaskDir(); err != nil {
- return nil, err
- }
-
- // configuring the chroot, cgroup and enters the plugin process in the
- // chroot
- if err := e.configureIsolation(); err != nil {
- return nil, err
- }
-
 // setting the user of the process
 if command.User != "" {
 e.logger.Printf("[DEBUG] executor: running command as %s", command.User)
@@ -249,15 +238,12 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 }
 }
- // Setup the loggers
- if err := e.configureLoggers(); err != nil {
+ // configuring the task dir
+ if err := e.configureTaskDir(); err != nil {
 return nil, err
 }
- e.cmd.Stdout = e.lro
- e.cmd.Stderr = e.lre
 e.ctx.TaskEnv.Build()
-
 // Look up the binary path and make it executable
 absPath, err := e.lookupBin(ctx.TaskEnv.ReplaceEnv(command.Cmd))
 if err != nil {
@@ -268,19 +254,14 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 return nil, err
 }
- // Determine the path to run as it may have to be relative to the chroot.
- path := absPath
- if e.command.FSIsolation {
- rel, err := filepath.Rel(e.taskDir, absPath)
- if err != nil {
- return nil, err
- }
- path = rel
+ e.cmd.Path = absPath
+ // configuring the chroot, cgroup and enters the plugin process in the
+ // chroot
+ if err := e.configureIsolation(); err != nil {
+ return nil, err
 }
-
 // Set the commands arguments
- e.cmd.Path = path
- e.cmd.Args = append([]string{path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
+ e.cmd.Args = append([]string{e.cmd.Path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
 e.cmd.Env = ctx.TaskEnv.EnvList()
 // Apply ourselves into the cgroup. The executor MUST be in the cgroup
@@ -290,6 +271,13 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 return nil, err
 }
+ // Setup the loggers
+ if err := e.configureLoggers(); err != nil {
+ return nil, err
+ }
+ e.cmd.Stdout = e.lro
+ e.cmd.Stderr = e.lre
+
 // Start the process
 if err := e.cmd.Start(); err != nil {
 return nil, err
diff --git a/client/driver/executor/executor_linux.go b/client/driver/executor/executor_linux.go
index 812d1a0017e..087594ae2c3 100644
--- a/client/driver/executor/executor_linux.go
+++ b/client/driver/executor/executor_linux.go
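Review bot: In the `@@ -268` hunk of LaunchCmd, `e.cmd.Path = absPath` is assigned and `configureIsolation()` is then relied on to rewrite it, which is an undocumented ordering dependency. The `configureChroot` hunk in executor_linux.go replaces `e.cmd.Path` with a task-dir-relative path, and `e.cmd.Args` is only correct because it is built after that call (that `configureIsolation` reaches `configureChroot` is inferred, since its body is not shown). A comment above the Args line would protect this from a later reorder, for example `// configureIsolation may rewrite e.cmd.Path (chroot-relative on Linux); build Args only after it returns`. LaunchCmd starts and ends outside these hunks.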
@@ -247,6 +247,12 @@ func (e *UniversalExecutor) configureChroot() error {
 return err
 }
+ rel, err := filepath.Rel(e.taskDir, e.cmd.Path)
+ if err != nil {
+ return err
+ }
+ e.cmd.Path = rel
+
 return nil
 }
From f795e215b4074e7a40574617866d98337d51127f Mon Sep 17 00:00:00 2001
From: Diptanu Choudhury
Date: Sun, 12 Jun 2016 15:41:31 +0200
Subject: [PATCH 3/3] Setting a flag to indicate whether fs isolation is indeed happening
---
 client/driver/executor/executor.go | 52 +++++++++++++++---------
 client/driver/executor/executor_linux.go | 7 +---
 2 files changed, 33 insertions(+), 26 deletions(-)
diff --git a/client/driver/executor/executor.go b/client/driver/executor/executor.go
index 59cc29eafb6..1bb028213f3 100644
--- a/client/driver/executor/executor.go
+++ b/client/driver/executor/executor.go
@@ -176,11 +176,12 @@ type UniversalExecutor struct {
 ctx *ExecutorContext
 command *ExecCommand
- pids map[int]*nomadPid
- pidLock sync.RWMutex
- taskDir string
- exitState *ProcessState
- processExited chan interface{}
+ pids map[int]*nomadPid
+ pidLock sync.RWMutex
+ taskDir string
+ exitState *ProcessState
+ processExited chan interface{}
+ fsIsolationEnforced bool
 lre *logging.FileRotator
 lro *logging.FileRotator
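Review bot: `filepath.Rel(e.taskDir, e.cmd.Path)` in configureChroot only checks `err`, but for a binary that resolves outside the task directory Rel succeeds and returns a `../…` path. If `lookupBin` (not shown) can return such a path, the name executed inside the chroot would no longer refer to the file that was looked up on the host, so the result should be rejected: `if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return fmt.Errorf("binary %q is outside the task directory", e.cmd.Path) }`. The same unchecked `filepath.Rel` call reappears in LaunchCmd in patch 3/3 (the `@@ -278` hunk of executor.go), where the return would be `nil, fmt.Errorf(...)`. configureChroot begins outside the hunk.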
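Review bot: The new `fsIsolationEnforced` field in UniversalExecutor has no comment, and its name promises more than the visible code establishes. In this series it is set at the end of `configureChroot` and read in LaunchCmd only to choose between an absolute and a task-dir-relative `cmd.Path`. I would document that on the field, e.g. `// fsIsolationEnforced is set by configureChroot once the chroot is configured; LaunchCmd then makes cmd.Path relative to taskDir`. The struct continues outside the hunk, so whether other code reads or resets the flag is not visible here.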
@@ -244,26 +245,11 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 }
 e.ctx.TaskEnv.Build()
- // Look up the binary path and make it executable
- absPath, err := e.lookupBin(ctx.TaskEnv.ReplaceEnv(command.Cmd))
- if err != nil {
- return nil, err
- }
-
- if err := e.makeExecutable(absPath); err != nil {
- return nil, err
- }
-
- e.cmd.Path = absPath
 // configuring the chroot, cgroup and enters the plugin process in the
 // chroot
 if err := e.configureIsolation(); err != nil {
 return nil, err
 }
- // Set the commands arguments
- e.cmd.Args = append([]string{e.cmd.Path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
- e.cmd.Env = ctx.TaskEnv.EnvList()
-
 // Apply ourselves into the cgroup. The executor MUST be in the cgroup
 // before the user task is started, otherwise we are subject to a fork
 // attack in which a process escapes isolation by immediately forking.
@@ -278,6 +264,32 @@ func (e *UniversalExecutor) LaunchCmd(command *ExecCommand, ctx *ExecutorContext
 e.cmd.Stdout = e.lro
 e.cmd.Stderr = e.lre
+ // Look up the binary path and make it executable
+ absPath, err := e.lookupBin(ctx.TaskEnv.ReplaceEnv(command.Cmd))
+ if err != nil {
+ return nil, err
+ }
+
+ if err := e.makeExecutable(absPath); err != nil {
+ return nil, err
+ }
+
+ path := absPath
+
+ // Determine the path to run as it may have to be relative to the chroot.
+ if e.fsIsolationEnforced {
+ rel, err := filepath.Rel(e.taskDir, path)
+ if err != nil {
+ return nil, err
+ }
+ path = rel
+ }
+
+ // Set the commands arguments
+ e.cmd.Path = path
+ e.cmd.Args = append([]string{e.cmd.Path}, ctx.TaskEnv.ParseAndReplace(command.Args)...)
+ e.cmd.Env = ctx.TaskEnv.EnvList()
+
 // Start the process
 if err := e.cmd.Start(); err != nil {
 return nil, err
diff --git a/client/driver/executor/executor_linux.go b/client/driver/executor/executor_linux.go
index 087594ae2c3..1140e3005c7 100644
--- a/client/driver/executor/executor_linux.go
+++ b/client/driver/executor/executor_linux.go
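Review bot: In the `@@ -278` hunk, when a command requests filesystem isolation but `e.fsIsolationEnforced` stays false, LaunchCmd falls through to the absolute host path and leaves no record that the task runs without isolation. The series description suggests this is intentional for drivers that isolate only on Linux, but an operator cannot tell from the logs. Assuming `ExecCommand.FSIsolation` (used by the code patch 2/3 removed) still exists, I would add before the `if e.fsIsolationEnforced` check: `if e.command.FSIsolation && !e.fsIsolationEnforced { e.logger.Printf("[WARN] executor: filesystem isolation requested but not enforced") }`. LaunchCmd starts and ends outside the hunk.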
@@ -247,12 +247,7 @@ func (e *UniversalExecutor) configureChroot() error {
 return err
 }
- rel, err := filepath.Rel(e.taskDir, e.cmd.Path)
- if err != nil {
- return err
- }
- e.cmd.Path = rel
-
+ e.fsIsolationEnforced = true
 return nil
 }