We’d like one of our services (running on Nomad) to be able to interface with Nomad itself and access Nomad’s HTTP API. (Yes, we’re aware that’s very, very scary from a security perspective!)
And I noticed that consul
lists nomad
as one of the available upstreams.
So I slapped together a job to test it out: gist:83286c6fa051087794aa9fa5906639fc · GitHub
notably,
upstreams {
destination_name = "nomad"
local_bind_port = 1000
}
I then attach to that container using docker exec <that container that's spun up by Nomad>
, the idea being that I’d then be able to curl
in the same network namespace.
So, once I’m in this container shell I try
root@aa54b9883229:/# env | grep "NOMAD_UPSTREAM_"
NOMAD_UPSTREAM_IP_nomad=127.0.0.1
NOMAD_UPSTREAM_ADDR_nomad=127.0.0.1:1000
NOMAD_UPSTREAM_PORT_nomad=1000
root@aa54b9883229:/# curl "http://127.0.0.1:1000/v1/nodes"
curl: (56) Recv failure: Connection reset by peer
# just for argument's sake, let's see what happens if I use a different port number
root@aa54b9883229:/# curl "http://127.0.0.1:9999/v1/nodes"
curl: (7) Failed to connect to 127.0.0.1 port 9999: Connection refused
So I guess my questions are:
- is the
nomad
service listed in Consul a red herring? - if not, are there any code examples out there you know of showing [a service running in Nomad] consuming Nomad itself as an upstream?
- if not, any idea what the missing sauce is here to be able to contact Nomad?
- finally, is there any good way to trace a request going through Consul Connect to see where it’s getting caught up?
One last thought: I tried messing with Intentions and it didn’t seem to change anything.
(This is all on a local nomad-agent -dev / consul-agent -dev, for the time being)