template: set default UID/GID to -1 (#13998)
UID/GID 0 is usually reserved for the root user/group. While Nomad
clients are expected to run as root it may not always be the case.

Setting these values as -1 if not defined will fall back to the previous
behaviour of not attempting to set file ownership and use whatever
UID/GID the Nomad agent is running as. It will also keep backwards
compatibility, which is especially important for platforms where this
feature is not supported, like Windows.
lgfa29 authored Aug 4, 2022
1 parent 258fab1 commit a37ef39
Showing 6 changed files with 19 additions and 17 deletions.
8 changes: 4 additions & 4 deletions api/jobs_test.go
Expand Up @@ -765,8 +765,8 @@ func TestJobs_Canonicalize(t *testing.T) {
ChangeSignal: stringToPtr(""),
Splay: timeToPtr(5 * time.Second),
Perms: stringToPtr("0644"),
Uid: intToPtr(0),
Gid: intToPtr(0),
Uid: intToPtr(-1),
Gid: intToPtr(-1),
LeftDelim: stringToPtr("{{"),
RightDelim: stringToPtr("}}"),
Envvars: boolToPtr(false),
Expand All @@ -780,8 +780,8 @@ func TestJobs_Canonicalize(t *testing.T) {
ChangeSignal: stringToPtr(""),
Splay: timeToPtr(5 * time.Second),
Perms: stringToPtr("0644"),
Uid: intToPtr(0),
Gid: intToPtr(0),
Uid: intToPtr(-1),
Gid: intToPtr(-1),
LeftDelim: stringToPtr("{{"),
RightDelim: stringToPtr("}}"),
Envvars: boolToPtr(true),
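Review bot: In both expected templates of TestJobs_Canonicalize, the updated `Uid: intToPtr(-1)` / `Gid: intToPtr(-1)` values only pin the defaulted result, as far as these hunks show. Now that 0 (root) and "not set" are distinct, add a case whose input sets `Uid` and `Gid` to 0 explicitly and asserts they are still 0 after Canonicalize, so a later change to the nil check cannot silently swap a requested root ownership for the agent's, or the reverse.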
4 changes: 2 additions & 2 deletions api/tasks.go
Expand Up @@ -838,10 +838,10 @@ func (tmpl *Template) Canonicalize() {
tmpl.Perms = stringToPtr("0644")
}
if tmpl.Uid == nil {
tmpl.Uid = intToPtr(0)
tmpl.Uid = intToPtr(-1)
}
if tmpl.Gid == nil {
tmpl.Gid = intToPtr(0)
tmpl.Gid = intToPtr(-1)
}
if tmpl.LeftDelim == nil {
tmpl.LeftDelim = stringToPtr("{{")
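Review bot: The `tmpl.Uid == nil` and `tmpl.Gid == nil` branches in Canonicalize now assign a bare `-1` with nothing in the function saying what it means (do not set ownership, keep the agent's UID/GID). Add a comment or a named constant for the sentinel. Only nil is mapped here, while the docs changed in this commit say any negative value selects the agent's ID, so the code that consumes these fields has to test for `< 0` rather than `== -1`; either confirm that or normalise other negative inputs to -1 at this point.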
4 changes: 2 additions & 2 deletions jobspec/parse_task.go
Expand Up @@ -462,8 +462,8 @@ func parseTemplates(result *[]*api.Template, list *ast.ObjectList) error {
ChangeMode: stringToPtr("restart"),
Splay: timeToPtr(5 * time.Second),
Perms: stringToPtr("0644"),
Uid: intToPtr(0),
Gid: intToPtr(0),
Uid: intToPtr(-1),
Gid: intToPtr(-1),
}

dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
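Review bot: The `Uid: intToPtr(-1)` / `Gid: intToPtr(-1)` defaults in this struct literal in parseTemplates are a third copy of the literal that api/tasks.go and jobspec2/parse_job.go also set in this commit. The value decides who owns a rendered file, and separate copies can drift: if one is changed later, templates parsed through that path get a different owner than the others. Consider a single shared constant referenced from all three places.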
4 changes: 2 additions & 2 deletions jobspec/parse_test.go
Expand Up @@ -374,8 +374,8 @@ func TestParse(t *testing.T) {
ChangeSignal: stringToPtr("foo"),
Splay: timeToPtr(10 * time.Second),
Perms: stringToPtr("0644"),
Uid: intToPtr(0),
Gid: intToPtr(0),
Uid: intToPtr(-1),
Gid: intToPtr(-1),
Envvars: boolToPtr(true),
VaultGrace: timeToPtr(33 * time.Second),
},
4 changes: 2 additions & 2 deletions jobspec2/parse_job.go
Expand Up @@ -108,10 +108,10 @@ func normalizeTemplates(templates []*api.Template) {
t.Perms = stringToPtr("0644")
}
if t.Uid == nil {
t.Uid = intToPtr(0)
t.Uid = intToPtr(-1)
}
if t.Gid == nil {
t.Gid = intToPtr(0)
t.Gid = intToPtr(-1)
}
if t.Splay == nil {
t.Splay = durationToPtr(5 * time.Second)
12 changes: 7 additions & 5 deletions website/content/docs/job-specification/template.mdx
Expand Up @@ -84,19 +84,21 @@ refer to the [Learn Go Template Syntax][gt_learn] Learn guide.
- `perms` `(string: "644")` - Specifies the rendered template's permissions.
File permissions are given as octal of the Unix file permissions `rwxrwxrwx`.

- `uid` `(int: 0)` - Specifies the rendered template owner's user ID.

- `uid` `(int: -1)` - Specifies the rendered template owner's user ID. Negative
values will use the ID of the Nomad agent user.

~> **Caveat:** Works only on Unix-based systems. Be careful when using
containerized drivers, suck as `docker` or `podman`, as groups and users
inside the container may have different IDs than on the host system. This
feature will also **not** work with Docker Desktop.
feature will also **not** work with Docker Desktop.

- `gid` `(int: 0)` - Specifies the rendered template owner's group ID.
- `gid` `(int: -1)` - Specifies the rendered template owner's group ID.
Negative values will use the ID of the Nomad agent group.

~> **Caveat:** Works only on Unix-based systems. Be careful when using
containerized drivers, suck as `docker` or `podman`, as groups and users
inside the container may have different IDs than on the host system. This
feature will also **not** work with Docker Desktop.
feature will also **not** work with Docker Desktop.

- `right_delimiter` `(string: "}}")` - Specifies the right delimiter to use in the
template. The default is "}}" for some templates, it may be easier to use a
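Review bot: The new `uid` and `gid` descriptions say negative values "will use the ID of the Nomad agent user" (or group) but leave out what the commit message states, that no ownership change is attempted in that case, and they do not say that `0` now has to be written explicitly to get a root-owned file. Spell out both, since this setting decides which account can read a rendered template. The caveat says the option works only on Unix-based systems; add that the -1 default keeps it inert elsewhere. The caveat text under both entries also still reads "suck as `docker`"; change it to "such as" while this block is being edited.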