Spin up a throwaway Nomad dev agent with ACLs enabled for simple test cases. Everything it creates (agent, scratch directory, bootstrap and submit-only tokens) is local and ephemeral; it is meant for development and testing only.
#!/bin/bash
# Nomad release to fetch from releases.hashicorp.com; the asset name, the
# SHA256SUMS file name and the download URL are all derived from this value.
NOMAD_VERSION='1.0.4'
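#######################################
# Pause until the user presses a single key, showing an hourglass prompt.
# NOTE: the name `wait` shadows bash's builtin of the same name; anything in
# this file that needs the real one must call `builtin wait`.
# Arguments: $1 - optional prompt text (default: "Press any key to continue")
# Outputs:   the prompt, on stderr (read -p only displays it when input is a
#            terminal)
# Returns:   read's status: 0 once a key was read, non-zero on EOF
#######################################
wait() {
  # local: the original leaked `message` into the global scope.
  local message
  if [[ -n "${1:-}" ]]; then
    message="⌛️ $1..."
  else
    message="⌛️ Press any key to continue..."
  fi
  read -p "${message}" -n1 -s
}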
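# --- Platform detection -----------------------------------------------------
# Release assets are named nomad_<ver>_<os>_<arch>.zip and use "amd64" for
# x86_64; nothing else is mapped here, so other machines bail out early.
myOS=$(uname -s | tr 'A-Z' 'a-z')
myUnameArch=$(uname -m | tr 'A-Z' 'a-z')
case "${myUnameArch}" in
  x86_64)
    myArch="amd64"
    ;;
  *)
    echo "Unsupported architecture: ${myUnameArch}" >&2
    exit 1
    ;;
esac

# --- Scratch directory ------------------------------------------------------
# Deliberately NOT called TMPDIR: that is the conventional environment
# variable mktemp(1) and other tools honour, so reusing it would redirect any
# later temp-file lookup (our own or the agent's) into this directory.
scriptName=$(basename -- "$0")
if ! workDir=$(mktemp -q -d "/tmp/${scriptName}.XXXXXX") || [[ -z "${workDir}" ]]; then
  echo "$0: Can't create temp directory, exiting..." >&2
  exit 1
fi
startDir=$PWD
nomadPID=""

#######################################
# Tear down everything this script started. Installed as the EXIT trap so it
# runs on normal completion, on every early `exit 1`, and on Ctrl-C at the
# final prompt — the backgrounded agent is not killed by the user's Ctrl-C,
# and the scratch directory holds the bootstrap token in clear text.
# Globals:   nomadPID, workDir, startDir, NOMAD_TOKEN (read)
# Returns:   exits with the status the script was exiting with
#######################################
cleanup() {
  local rc=$?
  trap - EXIT
  echo ""
  echo "✨ Cleaning up..."
  if [[ -n "${nomadPID}" ]] && kill -0 "${nomadPID}" 2>/dev/null; then
    # Best effort: the job only exists if we got far enough to submit it.
    if [[ -n "${NOMAD_TOKEN:-}" ]]; then
      "${workDir}/nomad" job stop example >/dev/null 2>&1 || true
    fi
    # TERM first so the agent can stop its tasks; KILL only if it is still
    # around after ~10s. `builtin` is required because this file defines a
    # shell function named `wait` that shadows the builtin.
    kill -TERM "${nomadPID}" 2>/dev/null
    local i
    for i in 1 2 3 4 5 6 7 8 9 10; do
      kill -0 "${nomadPID}" 2>/dev/null || break
      sleep 1
    done
    kill -KILL "${nomadPID}" 2>/dev/null
    builtin wait "${nomadPID}" 2>/dev/null
  fi
  # Leave the directory before removing it; ${workDir:?} refuses to run the
  # rm -rf against an empty path.
  cd "${startDir}" 2>/dev/null || cd /
  rm -rf -- "${workDir:?}"
  echo "Done."
  exit "${rc}"
}
trap cleanup EXIT

cd "${workDir}" || exit 1
echo "📂 Using ${workDir} as working directory..."

# --- Download and verify the Nomad binary -----------------------------------
releaseURL="https://releases.hashicorp.com/nomad/${NOMAD_VERSION}"
zipName="nomad_${NOMAD_VERSION}_${myOS}_${myArch}.zip"
sumsName="nomad_${NOMAD_VERSION}_SHA256SUMS"
echo "Fetching Nomad v${NOMAD_VERSION}..."
# -f turns an HTTP error (unknown version or platform) into a curl failure;
# without it a 404 page is saved as the zip and only unzip complains, later.
if ! curl -fsSL -o "${zipName}" "${releaseURL}/${zipName}"; then
  echo "$0: download of ${zipName} failed" >&2
  exit 1
fi
if ! curl -fsSL -o "${sumsName}" "${releaseURL}/${sumsName}"; then
  echo "$0: download of ${sumsName} failed" >&2
  exit 1
fi
# Check the archive against the published SHA256SUMS before executing
# anything from it. This catches a truncated or tampered-in-transit download
# and a wrong asset; it does NOT defend against a compromised origin, since
# the sums come from the same host. The release also publishes
# "${sumsName}.sig" (a GPG signature over the sums file); verifying that with
# gpg is the stronger check and is omitted only to keep this script
# dependency-free.
if command -v sha256sum >/dev/null 2>&1; then
  actualSum=$(sha256sum "${zipName}" | awk '{print $1}')
elif command -v shasum >/dev/null 2>&1; then
  actualSum=$(shasum -a 256 "${zipName}" | awk '{print $1}')
else
  echo "$0: need sha256sum or shasum to verify the download" >&2
  exit 1
fi
# SHA256SUMS lines are "<hex>  <filename>"; pick the line for our asset.
expectedSum=$(awk -v f="${zipName}" '$2 == f {print $1}' "${sumsName}")
if [[ -z "${expectedSum}" || "${actualSum}" != "${expectedSum}" ]]; then
  echo "$0: SHA256 mismatch for ${zipName} (expected '${expectedSum}', got '${actualSum}')" >&2
  exit 1
fi
unzip -q "${zipName}"
rm -f -- "${zipName}" "${sumsName}"
chmod +x nomad

# --- Environment --------------------------------------------------------------
echo "🧼 Cleaning environment variables..."
# Anything pointing the CLI at another cluster, TLS setup, token, namespace or
# region would silently redirect the demo away from the local dev agent (a
# stray NOMAD_NAMESPACE in particular would submit the job outside the
# "default" namespace the policy below is scoped to).
unset NOMAD_ADDR NOMAD_TOKEN NOMAD_CAFILE NOMAD_CAPATH NOMAD_CERT_FILE NOMAD_KEY_FILE
unset NOMAD_NAMESPACE NOMAD_REGION

# --- Files --------------------------------------------------------------------
echo "📄 Creating required files"
# Submit-only policy: read on the default namespace plus the capabilities
# needed to run, dispatch, read logs and exec into allocations. It does not
# grant alloc-node-exec, which is what the exec step at the end relies on.
# The heredoc delimiters are quoted so nothing inside is expanded by this
# shell.
cat <<'EOH' > submit-job.policy.hcl
namespace "default" {
policy = "read"
capabilities = ["submit-job","dispatch-job","read-logs","alloc-exec"]
}
EOH
# Quoted delimiter matters here: with an unquoted heredoc the $(date) below
# was expanded once, at file-creation time, so the task printed the same
# fixed timestamp forever instead of the current time every 5 seconds.
cat <<'EOH' > example.nomad
job "example" {
datacenters = ["dc1"]
group "group" {
task "test" {
driver = "raw_exec"
config {
command = "bash"
args = ["-c","while true; do echo $(date); sleep 5; done"]
}
}
}
}
EOH

# --- Agent --------------------------------------------------------------------
echo "🚦 Starting up a Nomad dev agent with ACLs enabled."
# raw_exec gives the task the agent's own privileges with no isolation, so run
# this demo as an unprivileged user. Output goes to nomad.log in the scratch
# directory.
./nomad agent -dev -acl-enabled > nomad.log 2>&1 &
nomadPID=$!
echo -n "📝 Waiting for Nomad to start up..."
# Health probe assumes the dev agent's default bind of 127.0.0.1:4646. If the
# agent dies while we poll (port in use, bad binary, ...) bail out instead of
# looping forever; dump the log first because cleanup removes it.
until curl -s http://127.0.0.1:4646/v1/agent/health > /dev/null; do
  if ! kill -0 "${nomadPID}" 2>/dev/null; then
    echo ""
    echo "$0: Nomad agent exited before becoming healthy; last log output:" >&2
    cat nomad.log >&2
    exit 1
  fi
  echo -n .
  sleep 1
done
echo ""

# --- ACL bootstrap ------------------------------------------------------------
echo "🥾 Bootstrapping ACLs..."
# The bootstrap (management) token is echoed to the terminal and kept in
# nomad_bootstrap.out for the demo; both stay inside the scratch directory
# (mktemp -d creates it mode 0700), which cleanup removes.
./nomad acl bootstrap | tee nomad_bootstrap.out
adminToken=$(awk '/Secret/ {print $4}' nomad_bootstrap.out)
if [[ -z "${adminToken}" ]]; then
  echo "$0: ACL bootstrap did not return a Secret ID" >&2
  exit 1
fi

echo "👮 Building the submit-job policy..."
export NOMAD_TOKEN="${adminToken}"
if ! ./nomad acl policy apply -description "Submit Job" submit-job submit-job.policy.hcl; then
  echo "$0: failed to apply the submit-job policy" >&2
  exit 1
fi

echo "🪙 Creating a token with submit-job..."
./nomad acl token create -policy=submit-job | tee submit-job.token.out
submitOnlyToken=$(awk '/Secret/ {print $4}' submit-job.token.out)
if [[ -z "${submitOnlyToken}" ]]; then
  echo "$0: token create did not return a Secret ID" >&2
  exit 1
fi

# --- Exercise the submit-only token -------------------------------------------
echo "🏃 Running the example with the submit-only token..."
export NOMAD_TOKEN="${submitOnlyToken}"
if ! ./nomad job run example.nomad; then
  echo "$0: job run failed" >&2
  exit 1
fi
./nomad status
./nomad status example
# Always use the binary we just downloaded and verified (./nomad), never a
# bare `nomad` from PATH, which may be absent or a different version.
allocID=$(./nomad alloc status -t '{{range .}}{{if eq .JobID "example"}}{{printf "%s" .ID}}{{end}}{{end}}')
if [[ -z "${allocID}" ]]; then
  echo "$0: could not find an allocation for job \"example\"" >&2
  exit 1
fi
./nomad alloc logs "${allocID}"
# This command should fail because the sample job is a raw_exec task and the
# policy grants alloc-exec but not alloc-node-exec. The failure is the point
# of the demo, so its exit status is intentionally ignored.
echo ""
echo "This next command *should* error because the sample job is raw_exec and"
echo "the policy does not provide \`alloc-node-exec\`."
./nomad alloc exec "${allocID}" /bin/bash

echo ""
echo "For your exploration"
echo "===================="
echo ""
echo "Directory:"
echo " - ${workDir}"
echo "Tokens:"
echo " - bootstrap: ${adminToken}"
echo " - submit-job: ${submitOnlyToken}"
echo ""
# Returning from here (or Ctrl-C at the prompt) hands control to cleanup via
# the EXIT trap, which stops the job, the agent, and removes the directory.
wait "Press any key to conclude and clean up the repro environment"
exit 0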