Spin up a dev agent with ACLs enabled for simple test cases.
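#!/bin/bash
# Spin up a Nomad dev agent with ACLs enabled for simple test cases.
#
# Required env vars: none. Set NOMAD_VERSION=<x.y.z> in the environment to
# download a different release; the value below is only the default.
NOMAD_VERSION="${NOMAD_VERSION:-1.0.4}"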
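#######################################
# Pause until a single key is pressed, showing a prompt when stdin is a
# terminal. NOTE: this function shadows the `wait` shell builtin for the rest
# of the script; reap background jobs with `builtin wait` instead.
# Arguments: $1 - optional prompt text; a default prompt is used when empty
# Returns:   read's status (0 on a keypress, non-zero on EOF)
#######################################
wait() {
  local message
  if [[ -n "${1:-}" ]]; then
    message="⌛️ $1..."
  else
    message="⌛️ Press any key to continue..."
  fi
  # -r: a typed backslash counts as the key instead of escaping the next char.
  read -r -p "${message}" -n1 -s
}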
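# A pipeline fails if any stage fails, so `nomad ... | tee ... || die` below
# reacts to the nomad command and not just to tee.
set -o pipefail

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

origDir=$PWD
nomadPID=""
workdir=""

#######################################
# Stop the dev agent and remove the working directory (which holds the
# bootstrap and submit-only tokens). Idempotent: it runs from the explicit call
# at the end of the script and again from the EXIT trap, which also covers
# Ctrl-C during the interactive pause and any early `die`.
# Globals: nomadPID (read/written), workdir (read/written), origDir (read)
#######################################
cleanup() {
  if [[ -n "${nomadPID}" ]] && kill -0 "${nomadPID}" 2>/dev/null; then
    # TERM first so the agent can shut down cleanly. `builtin` is required
    # because this script defines a function named `wait` that shadows the
    # shell builtin.
    kill "${nomadPID}" 2>/dev/null
    builtin wait "${nomadPID}" 2>/dev/null
  fi
  nomadPID=""
  cd "${origDir}" 2>/dev/null
  # `:?` refuses to run `rm -rf` against an empty path.
  if [[ -n "${workdir}" && -d "${workdir}" ]]; then
    rm -rf -- "${workdir:?}"
  fi
  workdir=""
}
trap cleanup EXIT

# Resolve the release asset name for this platform. `tr` rather than `${var,,}`
# so the script still runs on the bash 3.2 that ships with macOS.
myOS=$(uname -s | tr 'A-Z' 'a-z')
myUnameArch=$(uname -m | tr 'A-Z' 'a-z')
case "${myUnameArch}" in
  x86_64)
    myArch="amd64"
    ;;
  *)
    die "Unsupported architecture: ${myUnameArch}"
    ;;
esac

# mktemp -d creates a private (0700) directory. It is named `workdir` rather
# than `TMPDIR` so an exported TMPDIR inherited by child processes (including
# the agent) is not clobbered.
scriptName=${0##*/}
workdir=$(mktemp -q -d "/tmp/${scriptName}.XXXXXX") \
  || die "$0: Can't create temp file, exiting..."
printf '📂 Using %s as working directory...\n' "${workdir}"
cd "${workdir}" || die "$0: cannot cd to ${workdir}"

# Fetch the release zip and the published checksum list, and verify the zip
# before anything from it is executed. This catches truncated or substituted
# downloads (a plain `curl > file` would happily save an HTML error page);
# on its own it does not prove the archive's origin.
zipName="nomad_${NOMAD_VERSION}_${myOS}_${myArch}.zip"
sumsName="nomad_${NOMAD_VERSION}_SHA256SUMS"
releaseURL="https://releases.hashicorp.com/nomad/${NOMAD_VERSION}"
printf 'Fetching Nomad v%s...\n' "${NOMAD_VERSION}"
curl -fsSL --proto '=https' -o "${zipName}" "${releaseURL}/${zipName}" \
  || die "download of ${zipName} failed"
curl -fsSL --proto '=https' -o "${sumsName}" "${releaseURL}/${sumsName}" \
  || die "download of ${sumsName} failed"

if command -v sha256sum >/dev/null 2>&1; then
  shaCmd=(sha256sum)
elif command -v shasum >/dev/null 2>&1; then
  shaCmd=(shasum -a 256)   # macOS has shasum but no sha256sum
else
  die "neither sha256sum nor shasum is available to verify ${zipName}"
fi
expectedSum=$(awk -v f="${zipName}" '$2 == f { print $1 }' "${sumsName}")
actualSum=$("${shaCmd[@]}" "${zipName}" | awk '{ print $1 }')
[[ -n "${expectedSum}" && "${actualSum}" == "${expectedSum}" ]] \
  || die "checksum mismatch for ${zipName} (expected '${expectedSum}', got '${actualSum}')"

unzip "${zipName}" || die "unzip of ${zipName} failed"
rm -f -- "${zipName}" "${sumsName}"
chmod +x nomad

printf '🧼 Cleaning environment variables...\n'
unset NOMAD_ADDR NOMAD_TOKEN NOMAD_CAFILE NOMAD_CAPATH NOMAD_CERT_FILE NOMAD_KEY_FILE

printf '📄 Creating required files\n'
# Create submit job only policy definition
cat <<'EOH' > submit-job.policy.hcl
namespace "default" {
  policy = "read"
  capabilities = ["submit-job","dispatch-job","read-logs","alloc-exec"]
}
EOH

# Quoted delimiter: the `$(date)` in the task's command must reach Nomad
# literally so the task prints the current time on every iteration, instead
# of being expanded once by this shell when the file is written.
cat <<'EOH' > example.nomad
job "example" {
  datacenters = ["dc1"]
  group "group" {
    task "test" {
      driver = "raw_exec"
      config {
        command = "bash"
        args = ["-c","while true; do echo $(date); sleep 5; done"]
      }
    }
  }
}
EOH

printf '🚦 Starting up a Nomad dev agent with ACLs enabled.\n'
./nomad agent -dev -acl-enabled > nomad.log 2>&1 &
nomadPID=$!

printf '📝 Waiting for Nomad to start up...'
attempts=0
# -f: only a 2xx health response counts as "up". Stop polling instead of
# spinning forever when the agent has died (e.g. port 4646 already in use)
# or never answers.
until curl -fs http://127.0.0.1:4646/v1/agent/health >/dev/null 2>&1; do
  if ! kill -0 "${nomadPID}" 2>/dev/null; then
    printf '\n' >&2
    tail -n 20 nomad.log >&2
    die "Nomad agent exited before becoming healthy"
  fi
  attempts=$((attempts + 1))
  if (( attempts > 60 )); then
    printf '\n' >&2
    tail -n 20 nomad.log >&2
    die "Nomad agent did not become healthy within ${attempts}s"
  fi
  printf '.'
  sleep 1
done
printf '\n'

printf '🥾 Bootstrapping ACLs...\n'
./nomad acl bootstrap | tee nomad_bootstrap.out || die "ACL bootstrap failed"
adminToken=$(awk '/Secret/ {print $4}' nomad_bootstrap.out)
[[ -n "${adminToken}" ]] \
  || die "could not read the bootstrap Secret ID from nomad_bootstrap.out"

printf '👮 Building the submit-job policy...\n'
export NOMAD_TOKEN="${adminToken}"
./nomad acl policy apply -description "Submit Job" submit-job submit-job.policy.hcl \
  || die "policy apply failed"

printf '🪙 Creating a token with submit-job...\n'
./nomad acl token create -policy=submit-job | tee submit-job.token.out \
  || die "token create failed"
submitOnlyToken=$(awk '/Secret/ {print $4}' submit-job.token.out)
[[ -n "${submitOnlyToken}" ]] \
  || die "could not read the token Secret ID from submit-job.token.out"

printf '🏃 Running the example with the submit-only token...\n'
export NOMAD_TOKEN="${submitOnlyToken}"
./nomad job run example.nomad || die "job run failed"
./nomad status
./nomad status example
# Use the binary just downloaded and verified, not whatever `nomad` is on PATH.
allocID=$(./nomad alloc status -t '{{range .}}{{if eq .JobID "example"}}{{printf "%s" .ID}}{{end}}{{end}}')
[[ -n "${allocID}" ]] || die "no allocation found for job example"
./nomad alloc logs "${allocID}"

# This command should fail because the sample job is a raw_exec.
printf '\n'
printf 'This next command *should* error because the sample job is raw_exec and\n'
printf 'the policy does not provide `alloc-node-exec`.\n'
./nomad alloc exec "${allocID}" /bin/bash

printf '\n'
printf 'For your exploration\n'
printf '====================\n'
printf '\n'
printf 'Directory:\n'
printf ' - %s\n' "${workdir}"
printf 'Tokens:\n'
printf ' - bootstrap: %s\n' "${adminToken}"
printf ' - submit-job: %s\n' "${submitOnlyToken}"
printf '\n'
wait "Press any key to conclude and clean up the repro environment"
printf '\n'
printf '✨ Cleaning up...\n'
./nomad job stop example
cleanup
printf 'Done.\n'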