Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#77955 - [nomad] v1.5.0 sandboxing + data_dir permissions break artifact downloading
Attached to Project:
Community Packages
Opened by Bao Trinh (qubidt) - Wednesday, 22 March 2023, 18:35 GMT
Last edited by Toolybird (Toolybird) - Thursday, 23 March 2023, 01:55 GMT
Details

Description:

Nomad's sandboxing became more strict with v1.5.0. See: https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific#artifact-download-sandboxing

Now, artifact downloads are done as the `nobody` user. This requires that the nomad `data_dir` be world-navigable. The permissions of `/var/lib/nomad` are enforced by `/usr/lib/tmpfiles.d/nomad.conf` as `700`. Currently, existing jobs that download artifacts are broken.

Suggestion:

/usr/lib/tmpfiles.d/nomad.conf

```diff
1c1
< d /var/lib/nomad 0700
---
> d /var/lib/nomad 0755
```

Additional info:
* package version(s): v1.5.0
* config and/or log files etc.
* link to upstream bug report, if any: https://discuss.hashicorp.com/t/nomad1-5-0-rc1-failed-to-download-artifact-error-permission-denied/50811/5

Steps to reproduce:
* run any job containing an [artifact](https://developer.hashicorp.com/nomad/docs/job-specification/artifact) stanza.
* job will fail during artifact download
* logs show:

```
[INFO] client.alloc_runner.task_runner: Task event: alloc_id=69a34e1c-4bbb-5742-9dcc-026434999754 task=fabio type="Task Setup" msg="Building Task Directory" failed=false
[INFO] client.alloc_runner.task_runner: Task event: alloc_id=69a34e1c-4bbb-5742-9dcc-026434999754 task=fabio type="Downloading Artifacts" msg="Client is downloading artifacts" failed=false
[ERROR] client.artifact: sub-process: OUTPUT="failed to sandbox artifact-isolation process: landlock failed to lock: permission denied"
[INFO] client.alloc_runner.task_runner: Task event: alloc_id=69a34e1c-4bbb-5742-9dcc-026434999754 task=fabio type="Failed Artifact Download" msg="failed to download artifact \"https://releases.hashicorp.com/consul/1.15.1/consul_1.15.1_linux_amd64.zip\": getter subprocess failed: exit status 1" failed=false
[ERROR] client.alloc_runner.task_runner: prestart failed: alloc_id=69a34e1c-4bbb-5742-9dcc-026434999754 task=fabio error="prestart hook \"artifacts\" failed: failed to download artifact \"https://releases.hashicorp.com/consul/1.15.1/consul_1.15.1_linux_amd64.zip\": getter subprocess failed: exit status 1"
```
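Review bot: The new mode `0755` on the `d /var/lib/nomad` line grants more than the report says is needed. The description asks only for the `data_dir` to be world-navigable, which is the search (`x`) bit for others, while `0755` also adds read, so any local user can list the directory's entries. Suggest testing whether `d /var/lib/nomad 0711` is enough for the artifact download to succeed before widening to `0755`, and noting the result in the report.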
Closed by Toolybird (Toolybird)
Thursday, 23 March 2023, 01:55 GMT
Reason for closing: Upstream
Additional comments about closing: Reporter says "will be fixed in 1.5.2"
[1] https://github.com/hashicorp/nomad/releases/tag/v1.5.2
[2] https://github.com/hashicorp/nomad/pull/16375
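
To find which directory on the way to an allocation path stops a user such as `nobody`, the following added example (not part of the original report and not Nomad code) walks each path component and reports those missing the search bit for "other". It uses a constructed temporary directory as a stand-in for `/var/lib/nomad`, assumes `nobody` is neither owner nor group member of the directories, and inspects mode bits only, not ACLs or Landlock rules; `blocking_components` and `demo` are hypothetical names.

```python
import os
import stat
import tempfile


def blocking_components(path):
    """Return [(directory, mode_string)] for every directory from / down to
    `path` that lacks the 'other' search bit (o+x). A user who is neither
    the owner nor in the group cannot traverse such a directory."""
    path = os.path.abspath(path)
    blocked = []
    current = os.sep
    for part in [""] + [p for p in path.split(os.sep) if p]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_IXOTH:
            blocked.append((current, stat.filemode(st.st_mode)))
    return blocked


def demo():
    """Constructed layout: <tmp>/nomad/alloc stands in for the data_dir and
    an allocation directory below it. Returns the stand-in data_dir path and,
    per data_dir mode, the directories under <tmp> that block traversal."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        data_dir = os.path.join(base, "nomad")
        alloc = os.path.join(data_dir, "alloc")
        os.makedirs(alloc)
        os.chmod(alloc, 0o755)
        # 0700: packaged tmpfiles.d mode; 0755: mode suggested in the report;
        # 0711: search-only for others (assumption: included for comparison).
        for mode in (0o700, 0o711, 0o755):
            os.chmod(data_dir, mode)
            results[oct(mode)] = [
                d for d, _ in blocking_components(alloc) if d.startswith(base)
            ]
    return data_dir, results


if __name__ == "__main__":
    data_dir, results = demo()
    for mode, blocked in results.items():
        print(mode, "blocked at:", blocked or "nothing")
```

On a real host, calling `blocking_components` on a path below the configured `data_dir` lists every ancestor that would need attention, not only the top-level directory.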