Oct 24 15:25:14 myhost.company.com nomad: client.alloc_runner.task_runner: running driver failed: alloc_id=b879749f-b1b9-a65a-e621-f4c6fe49d609 task=show_id error="2 errors occurred:
* failed to parse config:
* Invalid label: No argument or block type is named "user".
Documentation says it is supported for driver=exec or driver=docker (e.g. Docker has direct support for this, even at the image build level). I can change my task to be restricted with cgroups, but then it takes forever to run the allocation, as the exec task copies data from the original locations into the chrooted locations (you control that by adding more directories to the client chroot_env section in the /etc/nomad/conf.hcl file). My new file with exec
So at this point it seems that the best way to run nomad is as the target user from day 0 and not bother to use exec, as it will copy (not link) the chrooted directories. I'm still skimming through the documentation to make sure I'm not missing something else that can speed up the task startup or even let it run
As a manual workaround you could use either setpriv (if you don't want/have to go through a dedicated PAM session handling), or runuser or a plain su as a prefix to the command.
It’s kind of messy OTOH, but it could work (never tested it myself in the context of nomad tbh).
Yeah, well, if switching user you still have the environment and directories as they were, so as long as the resulting user has no "x" for traverse on each of the parent directories up to where the alloc lives, it will fail with access denied, but that's more a feature of Linux than an issue that can be fixed in nomad without some nasty workarounds or hacks IMHO.
The regular exec could do something about it since it's using chroot, but I'm not sure how exactly that works under the hood without reading the code itself (I use docker for the moment).
Nevertheless, I recommend not using su or sudo when you don't need a dedicated session for the user but "just" want to drop privileges. Many real programming languages support changing uid/euid when run as root.
(But please don't set anything to chmod 777, that's a very bad thing to do on any of the nomad directories. I recommend working with group-level privileges for restricting access to the alloc folders.)
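As an added example (not Nomad's code and not posted by anyone in this thread), here is a small root-run launcher in Python that puts the last two replies together: before switching user it walks the directory chain down to the alloc/task directory and reports the first directory the target user cannot traverse (the "x" bit problem described above), then it drops privileges in-process in the order setgroups, setgid, setuid instead of prefixing the command with su/sudo, verifies the drop cannot be undone, and execs the task. The demo directory layout, the `demo-alloc` id and the `nomadtasks` group name are assumptions made for illustration only.

```python
#!/usr/bin/env python3
"""Launch a task as an unprivileged user from a root process.

Added example, not code from Nomad or from anyone in the thread. The demo
layout and the 'nomadtasks' group name are assumptions.
"""
import os
import pwd
import grp
import stat
import sys
import tempfile


def has_exec_bit(mode, dir_uid, dir_gid, uid, gids):
    """Classic DAC rule: owner class if uid owns the directory, otherwise the
    group class if the directory's gid is one of the user's groups, otherwise
    the 'other' class. Root is never blocked by mode bits."""
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & stat.S_IXUSR)
    if dir_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def dir_chain(path, start="/"):
    """Directories from `start` down to `path`, inclusive, top first."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    chain, cur = [], path
    while True:
        chain.append(cur)
        if cur == start:
            return chain[::-1]
        parent = os.path.dirname(cur)
        if parent == cur:
            raise ValueError(f"{start} is not a parent of {path}")
        cur = parent


def first_blocking_dir(path, uid, gids, start="/"):
    """First directory on the way to `path` that a user with (uid, gids)
    cannot traverse, or None if the whole chain is passable."""
    for d in dir_chain(path, start):
        st = os.stat(d)
        if stat.S_ISDIR(st.st_mode) and not has_exec_bit(
                st.st_mode, st.st_uid, st.st_gid, uid, gids):
            return d
    return None


def user_groups(pw):
    """Primary gid plus every supplementary group the user is listed in."""
    return {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}


def drop_privileges(pw):
    """Become `pw` permanently. Groups and gid must be set while still uid 0,
    because a non-root uid is not allowed to change them afterwards."""
    os.setgroups(sorted(user_groups(pw)))
    os.setresgid(pw.pw_gid, pw.pw_gid, pw.pw_gid)
    os.setresuid(pw.pw_uid, pw.pw_uid, pw.pw_uid)
    try:
        os.setuid(0)  # must fail: a real drop leaves no saved root uid behind
    except PermissionError:
        return
    raise RuntimeError("privilege drop is reversible; refusing to continue")


def demo_tree():
    """Constructed stand-in for <data_dir>/alloc/<id>/<task>. The top directory
    is created 0700 and owned by the caller, so any other user is blocked right
    there, which is the 'access denied' case described in the thread."""
    base = tempfile.mkdtemp(prefix="nomad-demo-")  # mkdtemp creates it 0700
    task_dir = os.path.join(base, "alloc", "demo-alloc", "show_id")
    os.makedirs(task_dir)
    for d in dir_chain(task_dir, start=os.path.join(base, "alloc")):
        os.chmod(d, 0o750)  # group-level access, never 0777
    return base, task_dir


def main(argv):
    """usage: run_as.py USER WORKDIR COMMAND [ARGS...]   (must run as root)"""
    if len(argv) < 4 or os.geteuid() != 0:
        print(main.__doc__, file=sys.stderr)
        return 2
    pw = pwd.getpwnam(argv[1])
    blocker = first_blocking_dir(argv[2], pw.pw_uid, user_groups(pw))
    if blocker:
        print(f"{argv[1]} cannot traverse {blocker}; give it group access "
              f"(e.g. chgrp nomadtasks; chmod 750) rather than chmod 777",
              file=sys.stderr)
        return 1
    os.chdir(argv[2])
    drop_privileges(pw)
    os.execvp(argv[3], argv[3:])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The pre-flight check only evaluates classic mode bits: POSIX ACLs, CAP_DAC_READ_SEARCH, and mount or user namespaces can change the real answer, so treat a "passable" result as advisory and the blocking result as the useful one. The reversibility check after the drop is what distinguishes a permanent uid change from seteuid-style temporary switching.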