Skip to content

landlock: check path exists on setup #27149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chrisroberts merged 1 commit into from
Nov 25, 2025
Merged

landlock: check path exists on setup #27149

chrisroberts merged 1 commit into from
Nov 25, 2025

Conversation

@chrisroberts
Copy link
Member

@chrisroberts chrisroberts commented Nov 24, 2025

Description

When setting up landlock with the base set of directories, validate
that each directory exists prior to including it within the landlock
setup to prevent errors.

Testing & Reproduction steps

Links

Fixes #18721

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad product documentation, which is stored in the
    web-unified-docs repo. Refer to the web-unified-docs contributor guide for docs guidelines.
    Please also consider whether the change requires notes within the upgrade
    guide    . If you would like help with the docs, tag the nomad-docs team in this PR.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.
  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

@chrisroberts chrisroberts requested review from a team as code owners November 24, 2025 18:13
@chrisroberts chrisroberts added backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/ent/1.10.x+ent backport to 1.10.x+ent release line backport/1.11.x backport to 1.11.x release line labels Nov 24, 2025
gulducat
gulducat previously approved these changes Nov 24, 2025
View reviewed changes
Copy link
Member

@gulducat gulducat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

just a pedantic nitpick on the code comment

client/allocrunner/taskrunner/getter/util_linux.go Outdated
Comment on lines 81 to 85
// Add the initial directories, checking for existence
// prior to adding them.
for p, mode := range initialDirs {
_, err := os.Stat(p)
if err == nil {
Copy link
Member

@gulducat gulducat Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

strictly speaking, it's not only checking existence. I suspect we do want to skip adding ones that produce an error of any kind (https://pkg.go.dev/os#pkg-variables) as you do here, but the comment is a tad misleading.

@chrisroberts chrisroberts marked this pull request as draft November 24, 2025 20:29
@chrisroberts
landlock: check path exists on setup
c69940e 
When setting up landlock with the base set of directories, validate
that each directory exists prior to including it within the landlock
setup to prevent errors. If other errors are encountered when attempting
to stat the path, ignore the path but log the error.
@chrisroberts chrisroberts marked this pull request as ready for review November 24, 2025 21:44
gulducat
gulducat approved these changes Nov 24, 2025
View reviewed changes
Copy link
Member

@gulducat gulducat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hooray for logging!

@chrisroberts chrisroberts merged commit afc0014 into main Nov 25, 2025
38 checks passed
@chrisroberts chrisroberts deleted the f-landlock-path-check branch November 25, 2025 00:22
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Nov 25, 2025
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gulducat gulducat gulducat approved these changes

Assignees

No one assigned

Labels

backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/ent/1.10.x+ent backport to 1.10.x+ent release line backport/1.11.x backport to 1.11.x release line

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

error during artifact download: landlock failed to lock (NixOS)

2 participants

@chrisroberts @gulducat