Does nomad alloc exec use SSH or HTTP(S), or something else?

Hey there. Does the nomad alloc exec (or just nomad exec) command use SSH or HTTP(S)? Our nomad clients are in a private subnet and I was very surprised I was able to exec into a container without being on that same private subnet. The Nomad servers are publicly accessible behind HTTPS, so my thought is that nomad exec is tunneling through the Nomad server to the client in the private subnet (using the Server as a bastion / jump host). Is that correct? And if I’m using HTTPS to contact the API (Server), then the exec session is using HTTPS right? I just want to make sure the connection is secure.

:wave: Hello!

This command is facilitated by HTTPS+WebSockets through the API server as you suspected, and this is only if the given ACL token has the correct policy/capabilities for the target allocation. This request is RPC forwarded (also secured by TLS) through the server to the client node, and then ultimately serviced by the task driver if it supports exec.

The flow is essentially: User with ACL Token → Server with HTTPS+Websocket → Client with RPC+TLS → Client Task Driver

Part of code for the HTTP server can be found here to dig into this further.

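To make the "HTTPS+WebSocket through the server, gated by an ACL token" part concrete, here is an added example (not from the thread above and not Nomad's own code) that builds the exec WebSocket request from NOMAD_ADDR and refuses to proceed unless the API address is TLS and a token is present. It assumes the documented endpoint path /v1/client/allocation/<alloc_id>/exec, the X-Nomad-Token header, and the alloc-exec namespace capability; the frame format spoken on the socket is not shown.

```python
"""Build a Nomad alloc-exec WebSocket request and refuse anything that is not TLS.

Added example, not part of the original thread or of Nomad's own code. Assumes
the documented exec endpoint path and the X-Nomad-Token header.
"""
import json
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed least-privilege ACL policy: only the alloc-exec capability in one
# namespace, which is what the server checks before RPC-forwarding the exec
# request to the client node.
EXEC_ONLY_POLICY = '''
namespace "default" {
  capabilities = ["alloc-exec"]
}
'''


def exec_request(nomad_addr, token, alloc_id, task, command, tty=False):
    """Return (wss_url, headers) for GET /v1/client/allocation/<alloc_id>/exec.

    Rejects a plain-http NOMAD_ADDR so the session can never be opened over an
    unencrypted WebSocket, and rejects an empty token because the server will
    not forward the request without a token carrying alloc-exec.
    """
    parts = urlsplit(nomad_addr)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-TLS API address: {nomad_addr}")
    if not token:
        raise ValueError("an ACL token with alloc-exec is required")
    query = urlencode({
        "task": task,
        "command": json.dumps(command),  # the endpoint takes a JSON-encoded array
        "tty": "true" if tty else "false",
    })
    path = f"/v1/client/allocation/{alloc_id}/exec"
    # https:// for the API becomes wss:// for the WebSocket upgrade on the same host.
    url = urlunsplit(("wss", parts.netloc, path, query, ""))
    return url, {"X-Nomad-Token": token}


if __name__ == "__main__":
    # Constructed sample values; nothing here contacts a real cluster.
    u, h = exec_request("https://nomad.example.com:4646", "EXAMPLE_TOKEN",
                        "alloc-1", "web", ["/bin/sh"])
    print(u)
    print(h)
```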

Hi @picatz :wave: !

Wonderful, that is exactly what I needed to know. Makes sense at a high level and I’ll check out the code to dig further. Thank you for the quick response!
