From 0a369ec7ed174ac97d55c0882c541f317e19044d Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Fri, 8 Nov 2024 16:12:36 -0500
Subject: [PATCH] consul: allow non-root Nomad to rewrite token

When a task restarts, the Nomad client may need to rewrite the Consul token, but it's created with permissions that prevent a non-root agent from writing to it. While Nomad clients should be run as root (currently), it's harmless to allow whatever user the Nomad agent is running as to be able to write to it, and that's one less barrier to rootless Nomad.
Ref: https://github.com/hashicorp/nomad/issues/23859#issuecomment-2465757392
---
 .changelog/24410.txt | 3 +++
 client/allocrunner/taskrunner/consul_hook.go | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/24410.txt

diff --git a/.changelog/24410.txt b/.changelog/24410.txt
new file mode 100644
index 00000000000..92d5913a558
--- /dev/null
+++ b/.changelog/24410.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart
+```
diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
index a6ecbadfc5b..e8b03cc766e 100644
--- a/client/allocrunner/taskrunner/consul_hook.go
+++ b/client/allocrunner/taskrunner/consul_hook.go
@@ -25,7 +25,7 @@ const (
 // consulTokenFilePerms is the level of file permissions granted on the file in
 // the secrets directory for the task
- consulTokenFilePerms = 0440
+ consulTokenFilePerms = 0640
 )
 type consulHook struct {
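Review bot: The new mode constant only takes effect when the file is created, so if the token is rewritten via os.WriteFile or an O_TRUNC open (the write site is outside this hunk), a token file left behind by an earlier agent version at 0440 stays unwritable for a non-root owner until it is removed or chmod'ed; worth confirming the restart path removes or re-creates the file rather than truncating it in place. The widening itself is narrow — 0440 → 0640 adds only owner-write, group stays read-only and other gets nothing — so readability of the token is not expanded, and the effective mode is still subject to the agent's umask. Root bypasses DAC mode checks, so the old mode only ever blocked rootless agents, which matches the commit description. The comment above the constant should record why the owner-write bit is there, e.g. `// consulTokenFilePerms is the level of file permissions granted on the file in` / `// the secrets directory for the task. Owner write is required so that a non-root` / `// agent can rewrite the token when the task restarts.`. The enclosing const block starts before the hunk.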