Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configuration for task namespace isolation in driver plugin #9969

Closed
shoenig opened this issue Feb 4, 2021 · 1 comment · Fixed by #9982
Closed

Configuration for task namespace isolation in driver plugin #9969

shoenig opened this issue Feb 4, 2021 · 1 comment · Fixed by #9982
Assignees
@shoenig
Labels
stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/driver type/enhancement

Comments

@shoenig
Copy link
Member

shoenig commented Feb 4, 2021

Nomad v1.0.3 fixes a security issue where task PID and IPC namespaces were shared among tasks using the same user. To re-enable the previous behavior, we can add configuration options to the exec-based driver plugins, e.g.

default_pid_mode: "private" or "host" [default: "private"]
default_ipc_mode: "private" or "host" [default: "private"]

These would be applied cluster-wide to all tasks using an exec-based task driver (e.g. exec and java).
@shoenig shoenig self-assigned this Feb 4, 2021
@shoenig shoenig added stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/driver type/enhancement labels Feb 4, 2021
@shoenig shoenig mentioned this issue Feb 4, 2021
Closed
@shoenig shoenig mentioned this issue Feb 5, 2021
Merged
shoenig added a commit that referenced this issue Feb 5, 2021
@shoenig
drivers/exec+java: Add configuration to restore previous PID/IPC name…
b682371 
…space behavior.

This PR adds default_pid_mode and default_ipc_mode options to the exec and java
task drivers. By default these will default to "private" mode, enabling PID and
IPC isolation for tasks. Setting them to "host" mode disables isolation. Doing
so is not recommended, but may be necessary to support legacy job configurations.

Closes #9969
@shoenig shoenig mentioned this issue Feb 8, 2021
Merged
shoenig added a commit that referenced this issue Feb 8, 2021
@shoenig
drivers/exec+java: Add task configuration to restore previous PID/IPC…
836ee9e 
… isolation behavior

This PR adds pid_mode and ipc_mode options to the exec and java task
driver config options. By default these will defer to the default_pid_mode
and default_ipc_mode agent plugin options created in #9969. Setting
these values to "host" mode disables isolation for the task. Doing so
is not recommended, but may be necessary to support legacy job configurations.

Closes #9970
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 24, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@shoenig shoenig

Labels
stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/driver type/enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

drivers/exec+java: Add configuration to restore previous PID/IPC namespace behavior hashicorp/nomad
1 participant
@shoenig