Following ACL bootstrap tutorial and Nomad won't start due to policy error

bradley · August 3, 2021, 6:52pm

I am following the tutorial at: Bootstrap Nomad ACL System | Nomad - HashiCorp Learn

I create the anonymous policy using the supplied config:

namespace "*" {
  policy       = "write"
  capabilities = ["alloc-node-exec"]
}

agent {
  policy = "write"
}

operator {
  policy = "write"
}

quota {
  policy = "write"
}

node {
  policy = "write"
}

host_volume "*" {
  policy = "write"
}

Nomad fails to start with the following error:

Aug 03 11:43:35 nomadserver1 nomad[4731]: ==> Error loading configuration from /etc/nomad.d: Error loading /etc/nomad.d/anonymous.policy.hcl: unexpected keys *, *, agent, host_volume, namespace, node, operator, quota

My nomad config:

#Nomad Config Server Only
#------------------------
datacenter = "nyc"
data_dir = "/opt/nomad/data"
bind_addr = "0.0.0.0"

server {
  enabled = true
  bootstrap_expect = 3
  encrypt = "IRr3+qdE="

  server_join {
    retry_join = ["10.1.96.3" ,"10.1.96.4" ,"10.1.96.5"]
    retry_max = 3
    retry_interval = "15s"
  }
}

acl {
  enable = true
}

angrycub · August 3, 2021, 9:43pm

Hey Bradley,

The anonymous policy file doesn’t get saved into your server configuration folder. It’s applied to the Nomad server state using the nomad acl policy apply command.

Moving the anonymous.policy.hcl file out of your /etc/nomad.d to your $HOME directory folder will get your node back to starting. Once your node is back up, run

nomad acl policy apply $HOME/anonymous.policy.hcl

and the policy will be created and stored in the Nomad server data.

Thanks for pointing out this pitfall. I will see about adding a note to the guide to make this a bit clearer.

Hope this gets you unjammed!
-Charlie

bradley · August 3, 2021, 9:45pm

Thank you very much… I thought I was loosing it for a second.

Brad