bsdpot / nomad-pot-driver

Nomad task driver for launching FreeBSD jails.
Apache License 2.0

Env vars are inserted unquoted #36

Closed zilti closed 1 year ago

zilti commented 1 year ago

The pot driver inserts values from the env block unquoted, meaning

env {
    somevar = "blah ; blah"
}

will turn into pot set-env -p mypot -E somevar=blah ; blah ..., which makes the deployment fail.

Workaround for me right now: putting single quotes inside the double quotes to quote the values myself.

grembo commented 1 year ago

Thanks for reporting.

Personally, I'm using something like this at the moment, so I didn't notice:

      template {
        data = <<-EOH
CONSUL_AGENT_URL=http://10.1.0.1:8500
RUST_LOG=info
        EOH
        destination = "${NOMAD_TASK_DIR}/environment"
        change_mode = "noop"
      }

(my workload reads in the environment from that file before starting the daemon).

Note that args works the same at the moment, hence the example:

        args = ["-g","'daemon off;'"]

I think for args this is on purpose, but for env it's wrong (I haven't tested, but this looks like it allows executing arbitrary commands on the jailhost).

zilti commented 1 year ago

Yes, pretty sure it allows executing arbitrary commands as well. I've seen that there are numerous different shell-quoting libraries for Go, so I decided not to make a pull request, but if you have a suggestion, I could work on it.
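
The quoting problem discussed in this thread, as an added example (not code from the thread or from nomad-pot-driver): the unquoted command construction next to a version that single-quotes each value for a POSIX shell. The helper names `shellQuote`, `unquotedSetEnv` and `quotedSetEnv` are hypothetical, and the example assumes the resulting string is handed to a POSIX shell.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// envName matches portable environment variable names.
var envName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// shellQuote wraps s in single quotes so a POSIX shell treats it as one
// literal word. An embedded single quote is emitted as '\'' (close the
// quote, escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// unquotedSetEnv reproduces the command line reported in the issue:
// the value is pasted in as-is, so the shell interprets ';' in it.
func unquotedSetEnv(pot, name, value string) string {
	return fmt.Sprintf("pot set-env -p %s -E %s=%s", pot, name, value)
}

// quotedSetEnv (hypothetical helper) validates the name and quotes the
// pot name and the whole name=value pair as single shell words.
func quotedSetEnv(pot, name, value string) (string, error) {
	if !envName.MatchString(name) {
		return "", fmt.Errorf("invalid env var name %q", name)
	}
	return fmt.Sprintf("pot set-env -p %s -E %s",
		shellQuote(pot), shellQuote(name+"="+value)), nil
}

func main() {
	// Constructed sample values; "blah ; blah" is the value from the issue.
	for _, v := range []string{"blah ; blah", "it's $HOME", "daemon off;"} {
		fmt.Println("unquoted:", unquotedSetEnv("mypot", "somevar", v))
		q, err := quotedSetEnv("mypot", "somevar", v)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("quoted:  ", q)
	}
}
```

With quoting done this way, values that already carry hand-written single quotes (the workaround mentioned above) would reach the jail with those quotes as literal characters.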