From a37ef39b8f1ac68a91f267f1219572b8d1aaedd5 Mon Sep 17 00:00:00 2001
From: Luiz Aoqui
Date: Thu, 4 Aug 2022 11:26:08 -0400
Subject: [PATCH] template: set default UID/GID to -1 (#13998)

UID/GID 0 is usually reserved for the root user/group. While Nomad clients are expected to run as root it may not always be the case. Setting these values as -1 if not defined will fallback to the pervious behaviour of not attempting to set file ownership and use whatever UID/GID the Nomad agent is running as. It will also keep backwards compatibility, which is specially important for platforms where this feature is not supported, like Windows.
---
 api/jobs_test.go | 8 ++++----
 api/tasks.go | 4 ++--
 jobspec/parse_task.go | 4 ++--
 jobspec/parse_test.go | 4 ++--
 jobspec2/parse_job.go | 4 ++--
 website/content/docs/job-specification/template.mdx | 12 +++++++-----
 6 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/api/jobs_test.go b/api/jobs_test.go
index b585a6ac9b7..ea3761fa324 100644
--- a/api/jobs_test.go
+++ b/api/jobs_test.go
@@ -765,8 +765,8 @@ func TestJobs_Canonicalize(t *testing.T) {
 ChangeSignal: stringToPtr(""),
 Splay: timeToPtr(5 * time.Second),
 Perms: stringToPtr("0644"),
- Uid: intToPtr(0),
- Gid: intToPtr(0),
+ Uid: intToPtr(-1),
+ Gid: intToPtr(-1),
 LeftDelim: stringToPtr("{{"),
 RightDelim: stringToPtr("}}"),
 Envvars: boolToPtr(false),
@@ -780,8 +780,8 @@ func TestJobs_Canonicalize(t *testing.T) {
 ChangeSignal: stringToPtr(""),
 Splay: timeToPtr(5 * time.Second),
 Perms: stringToPtr("0644"),
- Uid: intToPtr(0),
- Gid: intToPtr(0),
+ Uid: intToPtr(-1),
+ Gid: intToPtr(-1),
 LeftDelim: stringToPtr("{{"),
 RightDelim: stringToPtr("}}"),
 Envvars: boolToPtr(true),
diff --git a/api/tasks.go b/api/tasks.go
index 2fc3c564394..2f677c4820d 100644
--- a/api/tasks.go
+++ b/api/tasks.go
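Review bot: Both hunks of TestJobs_Canonicalize only update the expected default; nothing now pins that an explicit `Uid: intToPtr(0)` / `Gid: intToPtr(0)` in the input survives Canonicalize unchanged, which is the distinction this commit introduces (0 is now "root, explicitly" rather than "unset"). Adding one case with those values set in the input and asserting they are preserved would guard against a future nil-vs-zero regression in the defaulting code. jobspec/parse_test.go has the same gap. The surrounding test-case literal begins and ends outside the hunks.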
@@ -838,10 +838,10 @@ func (tmpl *Template) Canonicalize() {
 tmpl.Perms = stringToPtr("0644")
 }
 if tmpl.Uid == nil {
- tmpl.Uid = intToPtr(0)
+ tmpl.Uid = intToPtr(-1)
 }
 if tmpl.Gid == nil {
- tmpl.Gid = intToPtr(0)
+ tmpl.Gid = intToPtr(-1)
 }
 if tmpl.LeftDelim == nil {
 tmpl.LeftDelim = stringToPtr("{{")
diff --git a/jobspec/parse_task.go b/jobspec/parse_task.go
index 87299146719..19bb669cc3b 100644
--- a/jobspec/parse_task.go
+++ b/jobspec/parse_task.go
@@ -462,8 +462,8 @@ func parseTemplates(result *[]*api.Template, list *ast.ObjectList) error {
 ChangeMode: stringToPtr("restart"),
 Splay: timeToPtr(5 * time.Second),
 Perms: stringToPtr("0644"),
- Uid: intToPtr(0),
- Gid: intToPtr(0),
+ Uid: intToPtr(-1),
+ Gid: intToPtr(-1),
 }
 
 dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
diff --git a/jobspec/parse_test.go b/jobspec/parse_test.go
index fba7bb62c84..0d7467c1692 100644
--- a/jobspec/parse_test.go
+++ b/jobspec/parse_test.go
@@ -374,8 +374,8 @@ func TestParse(t *testing.T) {
 ChangeSignal: stringToPtr("foo"),
 Splay: timeToPtr(10 * time.Second),
 Perms: stringToPtr("0644"),
- Uid: intToPtr(0),
- Gid: intToPtr(0),
+ Uid: intToPtr(-1),
+ Gid: intToPtr(-1),
 Envvars: boolToPtr(true),
 VaultGrace: timeToPtr(33 * time.Second),
 },
diff --git a/jobspec2/parse_job.go b/jobspec2/parse_job.go
index de19fe40936..25ec2381ad8 100644
--- a/jobspec2/parse_job.go
+++ b/jobspec2/parse_job.go
@@ -108,10 +108,10 @@ func normalizeTemplates(templates []*api.Template) {
 t.Perms = stringToPtr("0644")
 }
 if t.Uid == nil {
- t.Uid = intToPtr(0)
+ t.Uid = intToPtr(-1)
 }
 if t.Gid == nil {
- t.Gid = intToPtr(0)
+ t.Gid = intToPtr(-1)
 }
 if t.Splay == nil {
 t.Splay = durationToPtr(5 * time.Second)
diff --git a/website/content/docs/job-specification/template.mdx b/website/content/docs/job-specification/template.mdx
index 8704bce7b1c..c324f319855 100644
--- a/website/content/docs/job-specification/template.mdx
+++ b/website/content/docs/job-specification/template.mdx
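Review bot: The new default in Canonicalize is the bare literal `-1`, and the same literal is repeated in this commit in jobspec/parse_task.go and jobspec2/parse_job.go, so the three defaulting sites can drift independently; one exported constant in the api package (a constructed example: `const TemplateOwnerUnset = -1`, with the comment `// A negative Uid/Gid leaves the rendered file owned by the user/group the Nomad agent runs as.`) referenced from both jobspec packages would keep them aligned. Nothing in the diff shows where a negative value is interpreted as "do not change ownership" — the commit message describes it as the pre-existing fallback — and the Template.Uid/Gid field declarations, where that contract belongs as a doc comment, are outside the hunk; presumably they carry no such note today, which is worth confirming. Canonicalize's body begins and ends outside the hunk.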
@@ -84,19 +84,21 @@ refer to the [Learn Go Template Syntax][gt_learn] Learn guide. - `perms` `(string: "644")` - Specifies the rendered template's permissions. File permissions are given as octal of the Unix file permissions `rwxrwxrwx`. -- `uid` `(int: 0)` - Specifies the rendered template owner's user ID. - +- `uid` `(int: -1)` - Specifies the rendered template owner's user ID. Negative + values will use the ID of the Nomad agent user. + ~> **Caveat:** Works only on Unix-based systems. Be careful when using containerized drivers, suck as `docker` or `podman`, as groups and users inside the container may have different IDs than on the host system. This - feature will also **not** work with Docker Desktop. + feature will also **not** work with Docker Desktop. -- `gid` `(int: 0)` - Specifies the rendered template owner's group ID. +- `gid` `(int: -1)` - Specifies the rendered template owner's group ID. + Negative values will use the ID of the Nomad agent group. ~> **Caveat:** Works only on Unix-based systems. Be careful when using containerized drivers, suck as `docker` or `podman`, as groups and users inside the container may have different IDs than on the host system. This - feature will also **not** work with Docker Desktop. + feature will also **not** work with Docker Desktop. - `right_delimiter` `(string: "}}")` - Specifies the right delimiter to use in the template. The default is "}}" for some templates, it may be easier to use a