Call to function "pathexpand" failed: filesystem function disabled

tomasaberg · October 21, 2021, 6:17pm

Hi!
I’m new to Nomad but slowly learning. Now I’m looking at downloading a artifact from a private repository.

This is how the artifact part looks like in my job:

      artifact {
        source      = "git::git@github.myenterprise.corp:repo/infra"
        destination = "local/repo"
        options {
          sshkey = "${base64encode(file(pathexpand("~/.ssh/id_ed25519")))}"
        }
      }
      template {
        source        = "local/repo/artifacts/prometheus/prometheus.yml.tpl"
        destination = "local/prometheus.yml"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

When I try to run this, Nomad says

Parse Error
input.hcl:26,41-52: Error in function call; Call to function “pathexpand” failed: filesystem function disabled. input.hcl:26,20-76: Unsuitable value type; Unsuitable value: value must be known

I’ve followed these steps issue#10036

Nomad is installed via apt (hashicorp repository)
Nomad is running as root
Nomad version: Nomad v1.1.6

I’m having trouble finding any answers what to do so I turn to the community with hopes

DerekStrickland · October 21, 2021, 6:40pm

Hi @tomasaberg,

Thanks for using Nomad!

According to the documentation " The pathexpand function expands a leading ~ character to the current user’s home directory". Are you able to verify that that file exists at that path in the root users home directory? If not, do you see it in some other directory?

Derek and the Nomad Team

tomasaberg · October 21, 2021, 6:53pm

Hi Derek, thank you for your swift reply!

Like you say, I thought the path should be expanded to /root/.ssh/id_ed25519.
I’m able to stat the files, both with /root/ and ~/.

# stat ~/.ssh/id_ed25519
  File: /root/.ssh/id_ed25519
  Size: 419             Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 3511986     Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-10-21 19:50:09.931831242 +0200
Modify: 2021-10-21 19:06:36.438124333 +0200
Change: 2021-10-21 19:06:36.438124333 +0200
 Birth: -

# stat /root/.ssh/id_ed25519
  File: /root/.ssh/id_ed25519
  Size: 419             Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 3511986     Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-10-21 19:50:09.931831242 +0200
Modify: 2021-10-21 19:06:36.438124333 +0200
Change: 2021-10-21 19:06:36.438124333 +0200
 Birth: -

This is what catch my eye:
“filesystem function disabled”
Is this some configuration thing that needs to be enabled?

Is it possible to use ed25519 or do I need to use RSA keys?

Regards

DerekStrickland · October 21, 2021, 7:04pm

That caught my eye too, but I found this thread which shows a fix being merged in Jan. I am not aware of any reason that would be disabled. I’ll keep digging and see if I can reproduce or there’s a regression. As for ed25519, I don’t think that’s a problem. Some searches show other people using it.

tomasaberg · October 21, 2021, 7:18pm

Cool, thank you.

Is there another way to send the base64 encoded string or is the recommended way to use
${base64encode(file(pathexpand()))?

To be a little more helpful, here is the whole job

job "prometheus" {
  datacenters = ["sth"]
  type        = "service"

  group "monitoring" {
    count = 3
    network {
      port  "prometheus" {
        to = 9090
      }
      port  "consul" {
        to = 8500
      }
    }

    task "prometheus" {
      vault {        
        policies = ["policy-kv-secrets"]
        change_mode   = "signal"
        change_signal = "SIGUSR1"
      }
      artifact {
        source      = "git::git@github.myenterprise.corp:yolo/infra"
        destination = "local/repo"
        options {
          sshkey = "${base64encode(file(pathexpand("/root/.ssh/id_ed25519")))}"
        }
      }
      template {
        source        = "${NOMAD_TASK_DIR}/repo/nomad/artifacts/prometheus/prometheus.yml.tpl"
        destination = "local/prometheus.yml"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      driver = "docker"

      config {
        image = "prom/prometheus"
        ports = ["prometheus"]
        volumes = [
          "local/prometheus.yml:/etc/prometheus/prometheus.yml:ro"
        ]
      }
      service {
        name = "prometheus"
        port = "prometheus"
        tags = [
          "urlprefix-/",
          "traefik.enable=true",
          "traefik.http.routers.prometheus.rule=Host(`prometheus.myenterprise.corp`)"
        ]
        check {
          name     = "Prometheus is alive"
          type     = "http"
          path     = "/-/healthy"
          interval = "10s"
          timeout  = "2s"
        } 
      }
    }
  }
}

DerekStrickland · October 21, 2021, 8:07pm

So this worked for me on macOS using ed21559 and Nomad 1.1.6 and 1.1.5

What os are you running this on?

tomasaberg · October 21, 2021, 8:18pm

This is a Ubuntu 20.04, running on VMware 6.7

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal

I had a similar job on another machine ~3 weeks ago on an Ubuntu 20.04 as well, it worked then, odd.

I guess what’s changed is the release of Ubuntu 20.04.3

DerekStrickland · October 21, 2021, 8:22pm

Yeah that is odd, but not unheard of. Is it an option for you to rollback the ubuntu version and retest? Also, when you tested a few weeks ago were you on 1.1.6? It’s relatively new. Like I said, it worked on 1.1.6 and 1.1.5 for me, but I’m just trying to identify possible variances.

tomasaberg · October 21, 2021, 8:35pm

Sure, I’m just doing this for learing myself and setting up a poc, I’ll do whatever I can to help out.

So, this is what I’ve done:

Upgraded the OS with the latest updates (noting related though, but just in case)
Downgraded down to 1.1.5 → 1.1.4

Then, I come to think of, one of the differences now vs back then, is that I’m executing the jobs from the web ui. It failed when I was trying to run the job on all versions through the web ui but it worked when I used the nomad job run prometheus.hcl

Well, I’ve got it working, but I wonder why it fails in the web ui.
Should I try and upgrade back to 1.1.6?

Edit: also worth mentioning; I can’t see anything suspicious when running
journalctl -xef -u nomad (not in debug mode though)

DerekStrickland · October 21, 2021, 10:34pm

I think upgrading back to 1.1.6 should be fine. Thanks for sharing the extra detail! The Web UI is now the hot path of investigation. I’ll talk to my colleagues and see what we can figure out.

DerekStrickland · October 22, 2021, 6:23pm

@tomasaberg

Do you mind opening a GitHub issue for this? I think it’s more properly tracked there. If you could include a link to this discuss thread that would be awesome!

My guess is the UI handler is using HCLv1.

tomasaberg · October 22, 2021, 10:47pm

Yes sir!

github.com/hashicorp/nomad

Call to function “pathexpand” failed: filesystem function disabled

opened 10:46PM - 22 Oct 21 UTC

tomasaberg

type/bug

### Nomad version 1.1.6 ### Operating system and Environment details ``` D…istributor ID: Ubuntu Description: Ubuntu 20.04.3 LTS Release: 20.04 Codename: focal ``` ### Issue I've started a discussion at the community forum and was asked to create a issue report. See: https://discuss.hashicorp.com/t/call-to-function-pathexpand-failed-filesystem-function-disabled/30995 The issue I'm having is when I try to download a artifact from my companys GitHub Enterprise and run the job from the Web UI, it will fail with the error: `Call to function “pathexpand” failed: filesystem function disabled` However, it will work without any issues if I run the same job from CLI ### Reproduction steps 1. Create a job that will check out a private repository 2. Execute it from the Nomads WebUI #### Expected Result I would expect that running a job from the WebUI would work the same way as running it from CLI #### Actual Result When executing from the WebUI it will fail with `Call to function “pathexpand” failed: filesystem function disabled` ### Job file (if appropriate) This is the job I have that fails: ``` job "prometheus" { datacenters = ["sth"] type = "service" group "monitoring" { count = 3 network { port "prometheus" { to = 9090 } port "consul" { to = 8500 } } task "prometheus" { vault { policies = ["policy-kv-secrets"] change_mode = "signal" change_signal = "SIGUSR1" } artifact { source = "git::git@github.myenterprise.corp:yolo/infra" destination = "local/repo" options { sshkey = "${base64encode(file(pathexpand(" ~/.ssh/id_ed25519")))}" } } template { source = "${NOMAD_TASK_DIR}/repo/nomad/artifacts/prometheus/prometheus.yml.tpl" destination = "local/prometheus.yml" change_mode = "signal" change_signal = "SIGHUP" } driver = "docker" config { image = "prom/prometheus" ports = ["prometheus"] volumes = [ "local/prometheus.yml:/etc/prometheus/prometheus.yml:ro" ] } service { name = "prometheus" port = "prometheus" tags = [ "urlprefix-/", "traefik.enable=true", "traefik.http.routers.prometheus.rule=Host(`prometheus.myenterprise.corp`)" ] check { name = "Prometheus is alive" type = "http" path = "/-/healthy" interval = "10s" timeout = "2s" } } } } } ``` ### Nomad Server logs (if appropriate) `journalctl -xef -u nomad` doesn't reveal anything when trying to run this job. Please advice how I can provide more relevant logging if needed ### Other I'm new to Nomad but thanks a lot for your support and Nomad itself, I'm having fun while trying to learn and things are making more sense every day :)

I hope it’s good enough

kds-rune · October 23, 2021, 2:27pm

I don’t think you are able to read local files when submitting jobs via the web-ui (atleast I’d expect a popup regarding accessing your localdrive by your browser.)

If I remember correctly, the filesystem-functions were added along with the hcl2 support.

Functions are evaluated by the CLI during configuration parsing rather than job run time, so this function can only be used with files that are already present on disk on operator host.

If you manually base64encode the key & use the string in place of the file()-function, I’d assume it works fine?

EDIT: I see now that this was already answered in the github-issue

tomasaberg · October 24, 2021, 2:27pm

I saw this issue so I didn’t try it. It is a bit old now, but from what I understand (at the time) it wasn’t supported to just use a encoded string?

github.com/hashicorp/nomad

Cannot download private git repo with artifact stanza

opened 05:46PM - 10 Jul 17 UTC

closed 06:16PM - 04 Mar 21 UTC

amelnikov-mylivn

type/enhancement theme/client stage/needs-discussion

### Nomad version `Nomad v0.5.6` ### Operating system and Environment detail…s Client running in Docker (17.06 CE): `Linux b82934a8bd68 4.8.0-1-amd64 #1 SMP Debian 4.8.7-1 (2016-11-13) x86_64 x86_64 x86_64 GNU/Linux` Server running agent and nodes: `Linux my-hostname 4.8.0-1-amd64 #1 SMP Debian 4.8.7-1 (2016-11-13) x86_64 GNU/Linux` ### Issue Nomad or maybe go-getter (cannot check) fails when specifying private git repo in artifact stanza ### Reproduction steps - create job with artifact stanza using private git repo following Nomad documentation - run job - see results ### Expected result - job is allocated and running ### Actual result - got error message: ``` Recent Events: Time Type Description 07/10/17 19:15:39 CEST Not Restarting Error was unrecoverable 07/10/17 19:15:39 CEST Failed Artifact Download failed to download artifact "git@gitlab.example.net:group/repo-name.git": failed to parse source URL "git@gitlab.example.net:group/repo-name.git": parse git@gitlab.example.net:group/repo-name.git: first path segment in URL cannot contain colon 07/10/17 19:15:39 CEST Downloading Artifacts Client is downloading artifacts 07/10/17 19:15:39 CEST Task Setup Building Task Directory 07/10/17 19:15:39 CEST Received Task received by client ``` ### Job file ``` ... artifact { source = "git@gitlab.example.net:group/repo-name.git" destination = "repo" options { sshkey = "${CONFIG_READER_SSH_KEY}" ref = "${CI_COMMIT_SHA}" } } ... ```

I will mark kds-runes answer as a solution for this specific issue though

kds-rune · October 25, 2021, 8:51am

Ok, might be true. I have struggled “a bit” with the artifact-stanca myself as well

The specific issue you linked I believe I solved by scanning (ssh-keyscan) & adding the bitbucket/github/etc fingerprints to all of my nomad nodes “known_hosts” file.

HCL2 supports “decoding” the base64 string before submitting the job, so that might work (base64decode(“pre-encoded-b64string”))?

You should also keep in mind that the key(s) will be visible in the jobfile, and anyone with access to this file (or the job-definition in nomad) can access the key. The only way around this is using vault or similar solution.

Lately I just use a sidecar-task with “sidecar=false” and “hook=prestart” for downloading any “problematic” artifacts to /alloc/some-folder & my main task can access the files from there.

tomasaberg · October 27, 2021, 4:55am

Sorry for late reply.
I will try out your vault suggestion. Thanks!

Topic		Replies	Views
Nomad giving error in vault templating Nomad	2	84	May 13, 2024
Symlink error on nomad version 1.7.7 Nomad	0	26	October 18, 2024
Nomad 0.12.8, 0.11.7, and 0.10.8 released Nomad	0	922	November 11, 2020
Nomad artifact stanza Nomad	6	1413	October 18, 2021
HCSEC-2021-31 - Nomad QEMU Task Driver Allowed Paths Bypass with Job Args Security security-nomad	0	7077	November 23, 2021

Call to function "pathexpand" failed: filesystem function disabled

Related Topics