Template destination with raw_exec

In multiple places in the documentation (for example at template Block - Job Specification | Nomad | HashiCorp Developer ) it is hinted that raw_exec driver can target absolute paths, but a naive job as the following

job "test" {
  type        = "batch"
  reschedule {
    attempts       = 0
    unlimited = false
  }
  group "test" {
    restart {
      attempts = 0
      mode     = "fail"
    }
    task "setup" {
      lifecycle {
        hook    = "prestart"
        sidecar = false
      }
      driver = "raw_exec"
      user   = "root"
      config {
        command = "mkdir"
        args    = ["-p", "/etc/xx"]
      }
    }

    task "test" {
      driver = "raw_exec"
      user   = "root"
      template {
        data          = <<-EOH
            testit-test
            EOH
        destination   = "/etc/xx/x.conf"
        change_mode   = "restart"
      }
      config {
        command = "bash"
        args    = ["-c", "cat /etc/xx/x.conf || echo FAILURE $PWD && cat etc/xx/x.conf || sleep 1000"]
      }
    }
  }
}

with nomad 1.5.0 the task test outputs something like

stderr> cat: /etc/xx/x.conf: No such file or directory 
stdout> FAILURE /opt/nomad/alloc/c4a9ccc2-9ab1-86bf-1e7d-c78c2f212559/test
stdout> testit-test

which shows that both the working directory and the template base directory are the task directory.
Is there a way to create a template in a “global” place? some hidden config?

Hi @fawzi, currently it is not possible to enable the template rendering to escape the allocation sandbox. It might be something we could enable in the future if/when we revamp how template rendering is made secure, if there’s compelling reasons to do so.

templates rendered file goes to isolated task filesystem even though the driver is raw_exec · Issue #16755 · hashicorp/nomad · GitHub contains a bit more information

Yes, thanks, I also ended up with a prestart task to solve that, the problem is that then a template update cannot be nicely propagated but it is still ok for our usecase