Security Implication of hostvolume registration

Hi,

I’ve a question concerning the “nomad volume register” command…

As I understand it, I will expose the whole filesystem of my nodes to every user who gets the “host-volume-register” permission, right?

The user can specify any “host_path” inside the volume-spec file, which will only be checked for existence, e.g. “/etc/” or any other sensitive folder, but not for any other restriction (like namespace or DHV_VOLUME_DIR) or a previously created host volume.

In our use case we use dynamic host volumes for accessing folders on a shared filesystem. So we create the volume initially on the first node and register the volume afterwards on the other nodes (because it’s already created because of the shared filesystem).

The only way I currently see to prevent this is to not use “host-volume-register” at all. Instead, use “nomad volume create” to explicitly create the volume on all nodes (even if the folder already exists).

Am I missing something? Can “nomad volume register” somehow be restricted to parts of the node filesystem?

And if this is the way to go … currently the “host-volume-delete” permission seems not to be implemented (unknown capability in Nomad 1.10.5). So for deletion I have to give the “host-volume-write” capability to users, but this will also include the “host-volume-register” permission … :-/

thanks,

Mac
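As an added example that is not part of the post and not Nomad's own code: a pre-registration check that a reviewer or CI gate can run over a JSON volume spec before anyone runs `nomad volume register`, refusing any `host_path` that resolves (after symlinks and `..`) outside an allowed directory, which is exactly the restriction the post notes Nomad itself does not apply. The allowed root, the JSON layout of the spec and the top-level `host_path` key are assumptions.

```python
import json
import os
import tempfile

# Assumed allowed root for registered host volumes on this node. The post
# mentions DHV_VOLUME_DIR; this constant is a stand-in, not a Nomad setting.
ALLOWED_ROOT = "/var/nomad/host_volumes"


def host_path_allowed(host_path: str, allowed_root: str = ALLOWED_ROOT) -> bool:
    """True only if host_path is absolute and, after resolving symlinks and
    '..' segments, still lies inside allowed_root.

    os.path.commonpath (not str.startswith) is used so that a sibling such as
    '/var/nomad/host_volumes2' is not mistaken for a child of the root.
    """
    if not os.path.isabs(host_path):
        return False
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(host_path)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def check_volume_spec(spec_json: str, allowed_root: str = ALLOWED_ROOT) -> tuple[bool, str]:
    """Parse a JSON volume spec (assumed to carry a top-level 'host_path' key)
    and report whether it may be registered on this node."""
    spec = json.loads(spec_json)
    host_path = spec.get("host_path")
    if not isinstance(host_path, str) or not host_path:
        return False, "spec has no host_path"
    if host_path_allowed(host_path, allowed_root):
        return True, f"{host_path} is inside {allowed_root}"
    return False, f"{host_path} resolves outside {allowed_root}"


def symlink_escape_is_rejected() -> bool:
    """Build a root containing a symlink that points at /etc and confirm the
    check rejects it: an existence-only check would have let it through."""
    with tempfile.TemporaryDirectory() as root:
        link = os.path.join(root, "data")
        os.symlink("/etc", link)
        return not host_path_allowed(link, root)


if __name__ == "__main__":
    # Constructed sample spec; any /etc host_path should be refused.
    print(check_volume_spec('{"name": "shared", "type": "host", "host_path": "/etc"}'))
    print("symlink escape rejected:", symlink_escape_is_rejected())
```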