
Artifact getter breaks when Nomad is run as non-root #16789

Closed
the-nando opened this issue Apr 4, 2023 · 1 comment · Fixed by #16791
Labels: hcc/cst, stage/accepted, theme/artifact, type/bug
Comments

the-nando commented Apr 4, 2023

Nomad version

Nomad v1.5.1+ent

Issue

The artifact getter now runs as a subprocess since v1.5.0. We run nomad as a non-root user and the getter fails with:

fork/exec /usr/bin/nomad: operation not permitted

The error originates from this syscall:

[pid 18934] setgroups(0, NULL <unfinished ...>
[pid 16745] epoll_pwait(4,  <unfinished ...>
[pid 18934] <... setgroups resumed>)    = -1 EPERM (Operation not permitted)

Which comes from setting the GID and UID in SysProcAttr:
https://github.com/hashicorp/nomad/blob/v1.5.1/client/allocrunner/taskrunner/getter/util.go#L140
https://github.com/hashicorp/nomad/blob/v1.5.1/client/allocrunner/taskrunner/getter/util_linux.go#L29

The code was intended to drop privileges and run the getter as nobody when the nomad binary runs as root, but that has been reverted in 95359b8.
Unfortunately, when nomad is run as a non-root user, setting the GID for the child doesn't work, as the user lacks cap_setgid.
A workaround is:

# setcap 'cap_setgid=ep' /usr/sbin/nomad

or removing the attribute assignment altogether, as it is technically not required and the credentials will be inherited from the parent:

# diff --git a/client/allocrunner/taskrunner/getter/util.go b/client/allocrunner/taskrunner/getter/util.go

index 1a71017f3..8edf5a449 100644
--- a/client/allocrunner/taskrunner/getter/util.go
+++ b/client/allocrunner/taskrunner/getter/util.go
@@ -137,7 +137,7 @@ func (s *Sandbox) runCmd(env *parameters) error {
 	cmd.Stdin = env.reader()
 	cmd.Stdout = output
 	cmd.Stderr = output
-	cmd.SysProcAttr = attributes()
+	// cmd.SysProcAttr = attributes()

 	// start & wait for the subprocess to terminate
 	if err := cmd.Run(); err != nil {
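Review bot: commenting out `cmd.SysProcAttr = attributes()` leaves dead code in `runCmd` and drops the credential setting unconditionally, including when the agent does run as root. Either delete the line outright (and the `attributes()` helper, which becomes unused) or keep the assignment and have `attributes()` return nil unless the parent's effective uid is 0; in the non-root case the child then simply inherits the parent's uid/gid and no setgroups/setgid call is attempted, which is the call that fails with EPERM in the trace above, while a root agent keeps the option of dropping privileges.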

Same issue was addressed here for non-Linux systems: 78d8ae0
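As an added example, not code from Nomad or from this issue's author, here is the shape of the gating a defender would want for a subprocess like the artifact getter: the child's credentials are only set when the parent is actually root (which has CAP_SETGID and can call setgroups/setgid); otherwise SysProcAttr stays nil and the child inherits the parent's identity, so the EPERM from setgroups seen in the trace never occurs. The function names `credentialFor`, `sysProcAttrFor` and `runChild` are hypothetical, and the uid/gid 65534 is a placeholder for the unprivileged identity a real implementation would look up.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// Placeholder unprivileged identity (assumption: a real sandbox would look
// up the "nobody" user instead of hard-coding it).
const (
	nobodyUID uint32 = 65534
	nobodyGID uint32 = 65534
)

// credentialFor decides what, if anything, to put in SysProcAttr.Credential
// given the parent's effective uid. Only root can change the child's uid,
// gid and supplementary groups (setgroups needs CAP_SETGID), so for any
// other euid we return nil: Go then skips the setgroups/setgid/setuid calls
// in the forked child and it inherits the parent's credentials.
func credentialFor(euid int) *syscall.Credential {
	if euid != 0 {
		return nil
	}
	return &syscall.Credential{
		Uid:    nobodyUID,
		Gid:    nobodyGID,
		Groups: []uint32{}, // empty list -> setgroups(0, NULL), clears supplementary groups
	}
}

// sysProcAttrFor returns a nil *SysProcAttr when nothing needs to be set,
// rather than an empty struct, so exec.Cmd behaves exactly as if no
// attributes were ever assigned.
func sysProcAttrFor(euid int) *syscall.SysProcAttr {
	cred := credentialFor(euid)
	if cred == nil {
		return nil
	}
	return &syscall.SysProcAttr{Credential: cred}
}

// runChild starts argv as a subprocess with attributes chosen for the
// current effective uid and returns its combined stdout/stderr.
func runChild(argv ...string) ([]byte, error) {
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.SysProcAttr = sysProcAttrFor(os.Geteuid())
	return cmd.CombinedOutput()
}

func main() {
	euid := os.Geteuid()
	fmt.Printf("parent euid=%d, child credential=%+v\n", euid, credentialFor(euid))
	out, err := runChild("id")
	if err != nil {
		fmt.Println("child failed:", err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

Run as an unprivileged user the child reports the parent's own uid/gid; run as root it reports the placeholder uid 65534, which is the privilege drop the original code intended. The check on the effective uid is the cheap approximation; a stricter implementation would test for CAP_SETGID/CAP_SETUID directly, since a root process can also have those capabilities removed.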

@shoenig shoenig added the stage/accepted Confirmed, and intend to work on. No timeline committment though. label Apr 5, 2023
@shoenig shoenig self-assigned this Apr 5, 2023
@shoenig shoenig added this to the 1.5.x milestone Apr 5, 2023
@davemay99 davemay99 added the hcc/cst Admin - internal label Apr 5, 2023

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 12, 2025