Retrieving a git::http artifact fails on RHEL distros

[astudentofblake]

Nomad version

Output from nomad version
Nomad v1.5.2
BuildDate 2023-03-21T22:54:38Z
Revision 9a2fdb5

Operating system and Environment details

AlmaLinux release 8.7 (Stone Smilodon)

Issue

When I try to get an artifact using a git:https address, I get a permission denied

It looks like git-remote-https executable exists in /usr/libexec/git-core in RHEL
In ubuntu this is in /usr/lib/git-core

nomad uses "github.com/shoenig/go-landlock" and calls
landlock.Shared()

which contains https://github.com/shoenig/go-landlock/blob/main/path_linux.go
shared = load([]*Path {
File("/dev/null", "rw"),
Dir("/lib", "rx"),
Dir("/lib64", "rx"),
Dir("/usr/lib", "rx"),
Dir("/usr/local/lib", "rx"),
Dir("/usr/local/lib64", "rx"),
File("/etc/ld.so.conf", "r"),
File("/etc/ld.so.cache", "r"),
Dir("/etc/ld.so.conf.d", "r"), }
)

it does not contain
/usr/libexec/

which means we are locked out of calling the git-remote-https executable, and fail.

client/allocrunner/taskrunner/getter/util_linux.go
contains

landlock.Dir("/bin", "rx"),
landlock.Dir("/usr/bin", "rx"),
landlock.Dir("/usr/local/bin", "rx"),

as /lib/exec is executables called not directly, but by other executables, not sure where this should be added

Reproduction steps

Running on Alama Linux, create a task with an git:https artifact, e.g.
git::https://github.com/WorldProgrammingLtd/hub-pipeline-input-test.git

Expected Result

The artifact downloads successfully

Actual Result

The download fails

Nomad Server logs (if appropriate)

"failed to download artifact: error downloading 'https://github.com/WorldProgrammingLtd/hub-pipeline-input-test.git?ref=e7bb59456f6d0a5d4976893>
rtifact: sub-process: OUTPUT="warning: templates not found in /usr/share/git-core/templates"
rtifact: sub-process: OUTPUT="fatal: cannot exec 'git-remote-https': Permission denied"

[astudentofblake]

@shoenig this appears to be linked to your changes

[shoenig]

Hi @astudentofblake, thanks for the report, investigation, and PR! Will follow up in the PR.

[prabirshrestha]

I see this bug in 1.8.2 in Debian.

artifact {
  source   = "git::https://github.com/WorldProgrammingLtd/hub-pipeline-input-test.git"
  destination = "local/repo"
}

error:

Failed Artifact Download: failed to download artifact "git::https://github.com/WorldProgrammingLtd/hub-pipeline-input-test.git": getter subprocess failed: exit status 1: failed to download artifact: error downloading 'https://github.com/WorldProgrammingLtd/hub-pipeline-input-test.git': /usr/bin/git exited with 128: Cloning into '/opt/nomad/alloc/e42fbdc1-350a-67cf-a716-8106313cf4d7/server/local/repo'... warning: templates not found in /usr/share/git-core/templates error: unable to get random bytes for temporary file: Permission denied error: unable to get random bytes for temporary file: Permission denied fatal: Unable to create temporary file '/opt/nomad/alloc/e42fbdc1-350a-67cf-a716-8106313cf4d7/server/local/repo/.git/objects/pack/tmp_pack_XXXXXX': Permission denied fatal: fetch-pack: invalid index-pack output

[cmdel]

I am also seeing this in Debian 12 for 1.8.2.

artifact {
        source      = "git::https://github.com/apache/superset.git//docker"
        destination = "local/repo"
      }

error:

Failed Artifact Download: failed to download artifact "git::https://github.com/apache/superset.git//docker": getter subprocess failed: exit status 1: failed to download artifact: error downloading 'https://github.com/apache/superset.git': /usr/bin/git exited with 128: Cloning into '/opt/nomad/data/alloc/2667d29d-a42c-7e39-3215-59941bb929dd/celeryworker/tmp/getter3640031535/temp'... warning: templates not found in /usr/share/git-core/templates error: unable to get random bytes for temporary file: Permission denied error: unable to get random bytes for temporary file: Permission denied fatal: Unable to create temporary file '/opt/nomad/data/alloc/2667d29d-a42c-7e39-3215-59941bb929dd/celeryworker/tmp/getter3640031535/temp/.git/objects/pack/tmp_pack_XXXXXX': Permission denied fatal: fetch-pack: invalid index-pack output

[inflatador]

Seeing this (or a similar issue) on nomad 1.9.3 on Fedora 41:

nomad -version
Nomad v1.9.3
BuildDate 2024-11-11T16:35:41Z
Revision d92bf1014886c0ff9f882f4a2691d5ae8ad8131c

nomad task snippet:

      artifact {
        source      = "git::https://gitea.example.com/lab/airflow_dags"
        destination = "${NOMAD_TASK_DIR}/airflow_dags"
      }

error:

 error: unable to get random bytes for temporary file: Permission denied error: unable to get random bytes for temporary file: Permission denied fatal: Unable to create temporary file '/opt/nomad/data/alloc/7075fc2c-cd4f-3ce3-b28c-760a75887521/super/local/airflow_dags/.git/objects/pack/tmp_pack_XXXXXX': Permission denied fatal: fetch-pack: invalid index-pack output

[caynev]

Seeing this (or a similar issue) on nomad 1.9.1 on Debian 12:

Nomad v1.9.1
BuildDate 2024-10-21T09:00:50Z
Revision d9ec23f0c1035401e9df6c64d6ffb8bffc555a5e

nomad task snippet:

      artifact {
        source      = "git::https://github.com/hashicorp/nomad-guides"
        destination = "local/repo"
      }

error:

Failed Artifact Download: failed to download artifact "git::https://github.com/hashicorp/nomad-guides": getter subprocess failed: exit status 1: failed to download artifact: error downloading 'https://github.com/hashicorp/nomad-guides': /usr/bin/git exited with 128: Cloning into '/var/lib/nomad/alloc/43c2b8b7-3ed0-8f71-6ed8-92e236c9d58b/tempo/local/repo'... warning: templates not found in /usr/share/git-core/templates error: unable to get random bytes for temporary file: Permission denied error: unable to get random bytes for temporary file: Permission denied fatal: Unable to create temporary file '/var/lib/nomad/alloc/43c2b8b7-3ed0-8f71-6ed8-92e236c9d58b/tempo/local/repo/.git/objects/pack/tmp_pack_XXXXXX': Permission denied fatal: fetch-pack: invalid index-pack output