-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
template destination backwards compatibility #9148
Comments
I'm realizing where the issue is: the tricky bit with this is that fixing it without somehow special casing |
After an internal discussion w/ @schmichael and @krishicks we've realized that this breaks any case where someone was passing an absolute directory path in the The fix will be to revert the behavior around the |
Will ship in 1.0. I'm in the process of backporting to 0.12.7, 0.11.6, and 0.10.7. |
* docs: add regression warning for GH-9148 to upgrade guide * changelog entry
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues. |
Prior to Nomad 0.12.5, you could use
${NOMAD_SECRETS_DIR}/mysecret.txt
as thetemplate.destination
. With the recent security patch (#9139) that will get interpolated as the absolute path/secrets/mysecret.txt
and get treated as though it were a sandbox escape. Note the leading/
!The relative path
secrets/mysecret.txt
works just fine as expected. And documentation is pretty clear that the destination path is supposed to be relative to the working directory, but we do in fact allow absolute paths so long as they don't escape the file sandbox (so you could do/var/nomad/allocs/:alloc_id/:task_name/secrets/mysecret.txt
if you were so inclined). But this is pretty lousy UX and a nasty surprise for folks.At the very least, this change should be documented.
(Noticed while working on #9144 #9146)
The text was updated successfully, but these errors were encountered: