Is it possible to run processes inside a task as a non-root user with the Nomad raw_exec driver? Ideally I want to run Nomad as root and then drop privileges to run the command as the target user:
job "show_id_job" {
datacenters = ["dc1"]
priority = 100
type = "batch"
constraint {
attribute = "${attr.unique.hostname}"
value = "myhost.company.com"
}
group "show_id_group" {
network {
mode = "host"
}
task "show_id" {
driver = "raw_exec"
config {
command = "/usr/bin/su"
args = ["--login", "regularuser", "/usr/bin/id"]
}
}
}
}
But when I run this job it fails:
Oct 23 19:51:03 myhost.company.com nomad[300160]: client: allocation updates applied: added=0 removed=0 updated=4 ignored=4 errors=0
Oct 23 19:51:03 myhost.company.com su[385531]: pam_unix(su-l:session): session closed for user regularuser
Oct 23 19:51:03 myhost.company.com nomad[300160]: 2020-10-23T19:51:03.822-0400 [ERROR] client.driver_mgr.raw_exec: error receiving stream from Stats executor RPC, closing stream: alloc_id=fbe2e6d9-930e-acff-83c7-9d0f83b2e085 driver=raw_exec task_name=show_id error="rpc error: code = Unavailable desc = transport is closing"
Oct 23 19:51:03 myhost.company.com nomad[300160]: 2020-10-23T19:51:03.822-0400 [ERROR] client.alloc_runner.task_runner.task_hook.stats_hook: failed to start stats collection for task: alloc_id=fbe2e6d9-930e-acff-83c7-9d0f83b2e085 task=show_id error="rpc error: code = Canceled desc = grpc: the client connection is closing"
I could not find any parameters in the documentation that would allow me to do this.
Has anyone run into this issue?
Thanks!
This is not possible with raw_exec; the documentation says setting the task user is only supported with driver = "docker" or driver = "exec". Alternatively, you can run the Nomad agent itself as a non-privileged user, so raw_exec tasks inherit that user.
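If the goal is just to drop privileges, one alternative is to switch to the exec driver and use the task-level user parameter. A minimal sketch, assuming the target user regularuser exists on the host and the client runs on Linux with the exec driver enabled:

task "show_id" {
  # exec (unlike raw_exec) supports running the task as a specific user
  driver = "exec"
  user   = "regularuser"

  config {
    command = "/usr/bin/id"
  }
}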
Related
The docs say I can set kernel parameters using sysctl for a docker task like so:
config {
  sysctl = {
    "net.core.somaxconn" = "16384"
  }
}
This indeed works. But when I tried,
sysctl = {
  "net.core.somaxconn" = "16384"
  "net.core.rmem_default" = 134217728
  "net.core.rmem_max" = 134217728
  "net.core.wmem_default" = 134217728
  "net.core.wmem_max" = 134217728
  "vm.max_map_count" = 1000000
}
I'm getting the following error.
Sep 28, '22 19:30:22 +0530
Driver Failure
Failed to start container fa2179c3fbfe0a216e457449cfb72a78e08c0be45f10ba9596004fbfc51e5cac: API error (400):
failed to create shim task: OCI runtime create failed:
runc create failed:
unable to start container process:
error during container init:
open /proc/sys/net/core/rmem_default:
no such file or directory: unknown
I couldn't find anywhere in the docs which parameters are allowed in this config.
I spent the whole day banging my head on this issue.
Please let me know if any more info is needed.
In case you are curious, I'm trying to run a Solana devnet validator as a container in Nomad.
open /proc/sys/net/core/rmem_default: no such file or directory: unknown
There is simply no such sysctl parameter inside a Docker container when it runs inside a network namespace; parameters like net.core.rmem_default are not namespaced. That's unrelated to Nomad. See https://github.com/moby/moby/issues/42282 and https://github.com/moby/moby/issues/30778.
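As a possible workaround (a sketch, not specific to Nomad): net.core.somaxconn is network-namespaced and can stay in the task's sysctl map, while the rmem/wmem values and vm.max_map_count are host-wide and have to be set on the Docker host itself, for example:

# On the Docker host, as root (not in the job file):
sysctl -w net.core.rmem_default=134217728
sysctl -w net.core.rmem_max=134217728
sysctl -w net.core.wmem_default=134217728
sysctl -w net.core.wmem_max=134217728
sysctl -w vm.max_map_count=1000000

# To persist across reboots, put the same keys in a file under /etc/sysctl.d/
# (the file name is up to you) and reload with: sysctl --system

Since these parameters are global, containers pick up the host's values.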
I want to run a simple test remotely against a local Docker container:
$docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e559bc98ae9c selenium/standalone-chrome-debug:latest "/opt/bin/entry_poin…" 10 seconds ago Up 6 seconds 0.0.0.0:4444->4444/tcp, 0.0.0.0:5900->5900/tcp new_selenium
I can run it successfully with plain Selenium:
driverWeb = new RemoteWebDriver(new URL(url), chromeBrowserCapabilities());
But when I try to let Serenity control the WebDriver life cycle, I get an error:
Dec 06, 2019 5:31:15 PM org.openqa.selenium.remote.DesiredCapabilities chrome
INFO: Using `new ChromeOptions()` is preferred to `DesiredCapabilities.chrome()`
[main] INFO net.thucydides.core.steps.ConsoleLoggingListener - STEP ERROR: net.thucydides.core.webdriver.DriverConfigurationError: Could not instantiate class org.openqa.selenium.chrome.ChromeDriver
F[main] INFO net.thucydides.core.steps.ConsoleLoggingListener - STEP ERROR: net.thucydides.core.webdriver.DriverConfigurationError: Could not instantiate new WebDriver instance of type class org.openqa.selenium.chrome.ChromeDriver
(session not created: No matching capabilities found
Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:25:53'
System info: host: 'a77e0051b738', ip: '172.17.0.2', os.name: 'Linux', os.arch: 'amd64', os.version: '4.9.184-linuxkit', java.version: '1.8.0_222'
Driver info: driver.version: unknown
remote stacktrace: #0 0x55d7b005a7e9 <unknown>
This is serenity.conf:
webdriver {
  driver = chrome
  timeouts {
    implicitlywait = 7000
    fluentwait = 10000
  }
}
headless.mode = false
chrome.capabilities.acceptSslCerts = true
chrome.capabilities.handlesAlerts = true
#
# Chrome options can be defined using the chrome.switches property
#
chrome.switches="""--start-maximized;--test-type;--no-sandbox;--ignore-certificate-errors;
--disable-popup-blocking;--disable-default-apps;--disable-extensions-file-access-check;
--incognito;--homepage=about:blank;--disable-infobars;--disable-gpu"""
webdriver.chrome.driver = "drivers/chromedriver"
webdriver.gecko.driver = "drivers/geckodriver"
I do not know why I get this error or how to fix it.
Please help me!
Thanks!
If your node is running in Docker, then try configuring the driver as a remote one.
Here is an example taken directly from the Serenity documentation (https://serenity-bdd.github.io/theserenitybook/latest/serenity-grid.html#_configuring_your_serenity_tests):
webdriver {
  driver = remote
  remote {
    url="http://localhost:4444/wd/hub"
    driver=chrome
  }
}
You don't need to set a capability for that. You can distinguish between local and remote before running the tests, as given below.
And run it as:
mvn clean install verify -Dmaven.test.failure.ignore=true
# Remote
webdriver {
  driver = remote
  remote {
    url="http://YOUR_IP:YOUR_PORT/wd/hub"
    driver=chrome
  }
}

#Local
#webdriver {
#  driver = chrome
#}

zalenium {
  screenResolution = "1280x720"
  idleTimeout = 150
}

headless.mode=false

serenity {
  tag.failures = "true"
  linked.tags = "issue"
  restart.browser.for.each = scenario
}

drivers {
  windows {
    webdriver.chrome.driver = src/test/resources/webdriver/windows/chromedriver.exe
  }
  mac {
    webdriver.chrome.driver = src/test/resources/webdriver/mac/chromedriver
  }
  linux {
    webdriver.chrome.driver = src/test/resources/webdriver/linux/chromedriver
  }
}
I've tried several ports without success: 8787 is indeed busy serving RStudio. I could redirect RStudio, but shouldn't the following work?
from distributed import Client, LocalCluster
cluster = LocalCluster(scheduler_port=8785, n_workers=2)
Error:
/home/ec2-user/anaconda3/lib/python3.6/site-packages/distributed/bokeh/core.py:56: UserWarning:
Port 8787 is already in use.
Perhaps you already have a cluster running?
Hosting the diagnostics dashboard on a random port instead.
warnings.warn('\n' + msg)
tornado.application - ERROR - Multiple exceptions in yield list
...
~/anaconda3/lib/python3.6/multiprocessing/forkserver.py in connect_to_new_process(self, fds)
64 raise ValueError('too many fds')
65 with socket.socket(socket.AF_UNIX) as client:
---> 66 client.connect(self._forkserver_address)
67 parent_r, child_w = os.pipe()
68 child_r, parent_w = os.pipe()
ConnectionRefusedError: [Errno 111] Connection refused
I think you need to override the diagnostics_port instead:
https://github.com/dask/distributed/blob/2ec428ae5652f7d068baeb18223fb8a04ab8804e/distributed/deploy/local.py#L45-L49
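Something like this should avoid the clash with RStudio on 8787. This is a sketch for the distributed version in that link; newer releases renamed the keyword to dashboard_address:

from distributed import Client, LocalCluster

# Keep the scheduler off its default port and move the Bokeh diagnostics
# page off 8787, which RStudio is already using.
cluster = LocalCluster(scheduler_port=8785, diagnostics_port=8786, n_workers=2)
client = Client(cluster)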
I have a problem like this. I am very new to Hyperledger Fabric. When I attach a shell to a running peer container in Visual Studio Code and run the peer node start command in that terminal, it gives me this error:
2018-09-13 09:08:04.621 UTC [nodeCmd] status -> INFO 040 Error trying to get status from local peer: rpc error: code = Unknown desc = access denied
status:UNKNOWN
Error: Error trying to connect to local peer: rpc error: code = Unknown desc = access denied
Can someone help me solve this problem? I searched a lot but was unable to find a solution. Thank you!
Edit: the problem is that you are using an old card with a new setup. When you create the app and then restart the environment, the certificates get regenerated.
I guess the problem is the FABRIC_VERSION. When you set it to hlfv1 and get a bash shell in the peer container (docker exec -it peer0.org1.example.com bash), the peer commands work properly, but when you set it to hlfv12 some peer commands do not work. I guess there is something wrong with the startup scripts. By the way, there is no "creds" folder under hlfv12/composer like there is under hlfv1/composer.
The peer node status command must be called by an administrator of the peer (someone who holds a private key matching one of the public keys in the MSP admincerts folder).
You need to run peer commands on a properly configured client, one that has the correct authentication material. In my case that was the CLI node; see the environment sketch after the logs below.
Peer node logs:
root@bba2c96e744e:/# peer node status
2019-04-04 13:26:18.407 UTC [nodeCmd] status -> INFO 001 Error trying to get status from local peer: rpc error: code = Unknown desc = access denied
status:UNKNOWN
Error: Error trying to connect to local peer: rpc error: code = Unknown desc = access denied
root@bba2c96e744e:/# peer chaincode list --installed
Error: Bad response: 500 - access denied for [getinstalledchaincodes]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]
root@bba2c96e744e:/# peer logging getlevel system
Error: rpc error: code = Unknown desc = access denied
CLI node logs:
root@4079f33980f3:/# peer node status
status:STARTED
root@4079f33980f3:/# peer chaincode list --installed
Get installed chaincodes on peer:
Name: ccc, Version: 1.0, Path: chaincode/ccc, Id: e75e5770a29401d840b46a775854a1bb8576c6d83cf2832dce650d2a984ab29a
root@4079f33980f3:/# peer logging getlevel system
2019-04-04 13:26:02.287 UTC [cli/logging] getLevel -> INFO 001 Current log level for peer module 'system': INFO
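What makes the CLI node work is that its environment points the peer binary at an admin identity. A rough sketch of the variables involved; the MSP ID and paths below are placeholders, adjust them to your own crypto material:

# Run in the shell where you invoke the peer CLI
export CORE_PEER_LOCALMSPID=Org1MSP
export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051

peer node status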
I am trying to use the Ruby on Rails Rake command to migrate to an Oracle database. My database.yml file contains the following:
development:
  adapter: oracle
  database: album_development
  sid: orc1
  username: system
  password: root
On my PC I have set ORACLE_SID=orcl.
When I run the Rake migrate task, I get the following error:
rake aborted!
The driver encountered an error: java.sql.SQLException: Listener refused the connection with the following error:
ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
Can you tell me if I need to modify my listener.ora file to get this to work? My listener.ora file is as follows:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = C:\oraclexe\app\oracle\product\11.2.0\server)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\oraclexe\app\oracle\product\11.2.0\server)
      (PROGRAM = extproc)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = Lenovo-PC)(PORT = 1521))
    )
  )
DEFAULT_SERVICE_LISTENER = (XE)
The output of the lsnrctl Status command is as follows:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 11.2.0.2.0 - Production
Start Date 21-APR-2016 11:14:15
Uptime 0 days 0 hr. 7 min. 43 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Default Service XE
Listener Parameter File C:\oraclexe\app\oracle\product\11.2.0\server\network\admin\listener.ora
Listener Log File C:\oraclexe\app\oracle\diag\tnslsnr\Lenovo-PC\listener\alert\log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Lenovo-PC)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Lenovo-PC)(PORT=8080))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "XEXDB" has 1 instance(s).
Instance "xe", status READY, has 1 handler(s) for this service...
Service "xe" has 1 instance(s).
Instance "xe", status READY, has 1 handler(s) for this service...
The command completed successfully
Can anyone help / make a suggestion?
Firstly, you can check that the database is accessible by using the TNSPING command,
e.g.: TNSPING xe
Could it be that you have used a one rather than an L? sid: orc1 should perhaps be sid: orcl.
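For reference, a database.yml along those lines would look like the sketch below (assuming the instance's SID really is orcl):

development:
  adapter: oracle
  database: album_development
  sid: orcl
  username: system
  password: root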
Kevin,
Thanks for your help. I changed my database.yml to:
development:
  adapter: oracle
  database: xe
  username: system
  password: root
This allowed me to connect to the database. I now have another problem, but I think I can tackle that one. Kind regards, Sean