From c08ed981d75585313534d1b55329be97667a8d2d Mon Sep 17 00:00:00 2001
From: n-marton
Date: Fri, 14 Jan 2022 00:21:27 +0100
Subject: [PATCH 1/5] add parameter to allow the setting of running user for container (#120)
* add parameter to allow the setting of running user for container
* use task level user param as source param
---
 containerd/containerd.go | 5 +++++
 containerd/driver.go | 2 ++
 2 files changed, 7 insertions(+)
diff --git a/containerd/containerd.go b/containerd/containerd.go
index 83d9b8e..4665d1e 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -49,6 +49,7 @@ type ContainerConfig struct {
 MemoryLimit int64
 MemoryHardLimit int64
 CPUShares int64
+ User string
 }
 func (d *Driver) isContainerdRunning() (bool, error) {
@@ -321,6 +322,10 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 opts = append(opts, oci.WithLinuxNamespace(specs.LinuxNamespace{Type: specs.NetworkNamespace, Path: containerConfig.NetworkNamespacePath}))
 }
+ if containerConfig.User != "" {
+ opts = append(opts, oci.WithUser(containerConfig.User))
+ }
+
 ctxWithTimeout, cancel := context.WithTimeout(d.ctxContainerd, 30*time.Second)
 defer cancel()
diff --git a/containerd/driver.go b/containerd/driver.go
index a82e12d..882350c 100644
--- a/containerd/driver.go
+++ b/containerd/driver.go
@@ -469,6 +469,8 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 containerConfig.MemoryHardLimit = cfg.Resources.NomadResources.Memory.MemoryMaxMB * 1024 * 1024
 containerConfig.CPUShares = cfg.Resources.LinuxResources.CPUShares
+ containerConfig.User = cfg.User
+
 container, err := d.createContainer(&containerConfig, &driverConfig)
 if err != nil {
 return nil, nil, fmt.Errorf("Error in creating container: %v", err)
From 16127ebab2ff03d36bb90f46c77d92a6c90b032f Mon Sep 17 00:00:00 2001
From: Shishir
Date: Thu, 13 Jan 2022 15:35:22 -0800
Subject: [PATCH 2/5] Security fixes: upgrade containerd + nomad. (#122)
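Review bot: The new `User` field is added to ContainerConfig without a doc comment, and since it is the value handed to oci.WithUser its accepted forms are what the next caller needs to know. I would add `// User is the uid[:gid] or user[:group] the container process runs as; empty keeps the image's default user.` I believe those are the forms containerd's WithUser accepts, with names resolved against the image rootfs — confirm against the containerd version pinned in go.mod before settling the wording. The ContainerConfig declaration starts outside the hunk.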
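Review bot: The `oci.WithUser` append carries no comment on why it sits this late in the option list, and the ordering is the whole point: spec options apply in sequence, so placing it after the image-derived options lets an explicit task user override the image's USER (WithImageConfig is appended much earlier in createContainer, around line 137 per the entrypoint hunk later in this series). A one-line comment would make that deliberate: `// Keep this after the image options so an explicit task user overrides the image's USER.` When User is a name rather than a numeric id, WithUser resolves it against the image rootfs and, as far as I recall, fails when the name is absent, so the error returned from container creation is the only signal an operator gets — worth a sentence in the driver docs. createContainer starts and ends outside the hunk.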
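Review bot: `cfg.User` is copied straight into containerConfig with no restriction, so whatever the job's `user` stanza names — including root or an arbitrary numeric id — is what the container runs as once the field reaches oci.WithUser. Nomad's client-side user restrictions (`user.denylist` / `user.checked_drivers`) only apply to drivers that are listed for them, and I cannot tell from this hunk whether this driver is; if it is not, a comment here would stop the next reader from assuming a policy that is not enforced, e.g. `// User comes straight from the task's "user" stanza; no driver-side restriction is applied here.` StartTask starts and ends outside the hunk.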
Signed-off-by: Shishir Mahajan
---
 go.mod | 5 ++---
 go.sum | 13 +++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index 768d77d..3e0829c 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ go 1.12
 require (
 github.com/NVIDIA/gpu-monitoring-tools v0.0.0-20191126014920-0d8df858cca4 // indirect
 github.com/containerd/cgroups v1.0.1
- github.com/containerd/containerd v1.5.8
+ github.com/containerd/containerd v1.5.9
 github.com/containerd/typeurl v1.0.2
 github.com/docker/docker v17.12.0-ce-rc1.0.20200330121334-7f8b4b621b5d+incompatible
 github.com/docker/docker-credential-helpers v0.6.3 // indirect
@@ -16,8 +16,7 @@ require (
 github.com/hashicorp/go-envparse v0.0.0-20190703193109-150b3a2a4611 // indirect
 github.com/hashicorp/go-hclog v0.14.1
 github.com/hashicorp/go-uuid v1.0.2
- github.com/hashicorp/nomad v1.1.4
- github.com/opencontainers/image-spec v1.0.2 // indirect
+ github.com/hashicorp/nomad v1.1.8
 github.com/opencontainers/runc v1.0.3 // indirect
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 github.com/spf13/cobra v1.1.1
diff --git a/go.sum b/go.sum
index 80e1cd1..0c28ebc 100644
--- a/go.sum
+++ b/go.sum
@@ -252,8 +252,8 @@ github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7 github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU= github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= -github.com/containerd/containerd v1.5.8 h1:NmkCC1/QxyZFBny8JogwLpOy2f+VEbO/f6bV2Mqtwuw= -github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= +github.com/containerd/containerd v1.5.9 h1:rs6Xg1gtIxaeyG+Smsb/0xaSDu1VgFhOCKBXxMxbsF4= +github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= 
@@ -520,8 +520,9 @@ github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/golang/snappy v0.0.2 h1:aeE13tS0IiQgFjYdoL8qN3K1N2bXXtI6Vi51/y7BpMw= github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 
@@ -653,8 +654,8 @@ github.com/hashicorp/go-immutable-radix v1.3.0 h1:8exGP7ego3OmkfksihtSouGMZ+hQrh github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-memdb v1.0.3/go.mod h1:LWQ8R70vPrS4OEY9k28D2z8/Zzyu34NVzeRibGAzHO0= -github.com/hashicorp/go-memdb v1.3.0/go.mod h1:Mluclgwib3R93Hk5fxEfiRhB+6Dar64wWh71LpNSe3g= github.com/hashicorp/go-memdb v1.3.1/go.mod h1:Mluclgwib3R93Hk5fxEfiRhB+6Dar64wWh71LpNSe3g= +github.com/hashicorp/go-memdb v1.3.2/go.mod h1:Mluclgwib3R93Hk5fxEfiRhB+6Dar64wWh71LpNSe3g= github.com/hashicorp/go-msgpack v0.0.0-20190927123313-23165f7bc3c2/go.mod h1:CNnb6ZvPKQMR+Hz6QI76TRCBNgyJIxEmTBn+1u8HELw= github.com/hashicorp/go-msgpack v0.0.0-20191101193846-96ddbed8d05b h1:lB+3FXrgs94Mz066O5Yz59m3l/O0uEsf2jPiZyUpKTU= github.com/hashicorp/go-msgpack v0.0.0-20191101193846-96ddbed8d05b/go.mod h1:gWVc3sv/wbDmR3rQsj1CAktEZzoz1YNK9NfGLXJ69/4= 
@@ -716,8 +717,8 @@ github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOn github.com/hashicorp/memberlist v0.2.4 h1:OOhYzSvFnkFQXm1ysE8RjXTHsqSRDyP4emusC9K7DYg= github.com/hashicorp/memberlist v0.2.4/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/net-rpc-msgpackrpc v0.0.0-20151116020338-a14192a58a69/go.mod h1:/z+jUGRBlwVpUZfjute9jWaF6/HuhjuFQuL1YXzVD1Q= -github.com/hashicorp/nomad v1.1.4 h1:ZhxrzLJhGzJq9EEG7XFlzhlHviqij1rEzX1Nd5lj3Lk= -github.com/hashicorp/nomad v1.1.4/go.mod h1:zb5FH723Po1AP4letahIJCeoEq+2LvIgmY21W3kXz4g= +github.com/hashicorp/nomad v1.1.8 h1:6VZ2DqvCuDRu0gzNNM7nOT5Ql46YMr+2zUuX4hoNhTY= +github.com/hashicorp/nomad v1.1.8/go.mod h1:V7+6xpyhmj3FPu5IiZz44CpFIOFyHKSNy2jwLDqK0oE= github.com/hashicorp/nomad/api v0.0.0-20200529203653-c4416b26d3eb h1:gFssj9eV5on4ZYpwTQl+LTrkebu+qCxuKpISPcMCH88= github.com/hashicorp/nomad/api v0.0.0-20200529203653-c4416b26d3eb/go.mod h1:DCi2k47yuUDzf2qWAK8E1RVmWgz/lc0jZQeEnICTxmY= github.com/hashicorp/raft v1.1.1/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8= From f3c452534d70df653f4a95f221cbc6321c1cb6c3 Mon Sep 17 00:00:00 2001 From: Shishir Date: Tue, 18 Jan 2022 16:25:14 -0800 Subject: [PATCH 3/5] Fix issue #116 - allow relative paths in mounts. (#123) * Fix issue #116 - allow relative paths in mounts. * Add test. Signed-off-by: Shishir Mahajan --- containerd/containerd.go | 6 +++ example/mosquitto.nomad | 39 +++++++++++++++ tests/010-test-template-stanza.sh | 50 +++++++++++++++++++ ...ileged.sh => 011-test-allow-privileged.sh} | 0 4 files changed, 95 insertions(+) create mode 100644 example/mosquitto.nomad create mode 100755 tests/010-test-template-stanza.sh rename tests/{010-test-allow-privileged.sh => 011-test-allow-privileged.sh} (100%) diff --git a/containerd/containerd.go b/containerd/containerd.go index 4665d1e..5ea3a66 100644 --- a/containerd/containerd.go +++ b/containerd/containerd.go 
@@ -251,6 +251,12 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 return nil, fmt.Errorf("Options cannot be empty for mount type: %s. You need to atleast pass rbind and ro.", mount.Type)
 }
+ // Allow paths relative to $NOMAD_TASK_DIR.
+ // More details: https://github.com/Roblox/nomad-driver-containerd/issues/116#issuecomment-983171458
+ if mount.Type == "bind" && strings.HasPrefix(mount.Source, "local") {
+ mount.Source = containerConfig.TaskDirSrc + mount.Source[5:]
+ }
+
 m := buildMountpoint(mount.Type, mount.Target, mount.Source, mount.Options)
 mounts = append(mounts, m)
 }
diff --git a/example/mosquitto.nomad b/example/mosquitto.nomad
new file mode 100644
index 0000000..50ff634
--- /dev/null
+++ b/example/mosquitto.nomad
@@ -0,0 +1,39 @@
+job "mosquitto" {
+ datacenters = ["dc1"]
+
+ group "msq-group" {
+ task "msq-task" {
+ driver = "containerd-driver"
+
+ config {
+ image = "ubuntu:16.04"
+ command = "sleep"
+ args = ["600s"]
+ mounts = [
+ {
+ type = "bind"
+ target = "/mosquitto/config/mosquitto.conf"
+ source = "local/mosquitto.conf"
+ options = ["rbind", "rw"]
+ }
+ ]
+ }
+
+ template {
+ destination = "local/mosquitto.conf"
+ data = </dev/null 2>&1
+ rc=$?
+ if [ $rc -ne 0 ]; then
+ echo "ERROR: bind mount was unsuccessful. $filename does not exist."
+ exit 1
+ fi
+
+ echo "INFO: Stopping nomad ${job_name} job."
+ nomad job stop -detach ${job_name}
+ job_status=$(nomad job status -short ${job_name}|grep Status|awk '{split($0,a,"="); print a[2]}'|tr -d ' ')
+ if [ $job_status != "dead(stopped)" ];then
+ echo "ERROR: Error in stopping ${job_name} job."
+ exit 1
+ fi
+
+ echo "INFO: purge nomad ${job_name} job."
+ nomad job stop -detach -purge ${job_name}
+ popd
+}
+
+test_template_stanza_nomad_job
diff --git a/tests/010-test-allow-privileged.sh b/tests/011-test-allow-privileged.sh
similarity index 100%
rename from tests/010-test-allow-privileged.sh
rename to tests/011-test-allow-privileged.sh
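Review bot: `strings.HasPrefix(mount.Source, "local")` matches more than the intended `local/...` directory: a source such as `localfoo/x` is rewritten too, and `mount.Source[5:]` then yields `foo/x` glued onto TaskDirSrc, silently pointing the bind mount at an unrelated host path. Tighten the match to the directory itself, e.g. `if mount.Type == "bind" && (mount.Source == "local" || strings.HasPrefix(mount.Source, "local/")) {`, keeping the slice as is since the prefix length is unchanged (or write `mount.Source[len("local"):]` so the 5 is self-explanatory). Note also that `..` segments after the prefix are not rejected, so the rewrite is a convenience rather than a confinement to the task directory — acceptable if host source paths are already trusted in this config, but worth a sentence in the comment. The comment's $NOMAD_TASK_DIR reference suggests TaskDirSrc is the host path of the task's `local` dir; confirm, since `local/x` maps to `TaskDirSrc/x` rather than `TaskDirSrc/local/x`. createContainer starts and ends outside the hunk.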
From c564dd2e58cff25f5e768b754258a44d5e3bf800 Mon Sep 17 00:00:00 2001
From: n-marton
Date: Thu, 20 Jan 2022 19:28:03 +0100
Subject: [PATCH 4/5] fix entrypoint override (#124)
In case of entrypoint override, image config needs to be passed.
---
 containerd/containerd.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/containerd/containerd.go b/containerd/containerd.go
index 5ea3a66..9dc7e81 100644
--- a/containerd/containerd.go
+++ b/containerd/containerd.go
@@ -136,6 +136,7 @@ func (d *Driver) createContainer(containerConfig *ContainerConfig, config *TaskC
 var opts []oci.SpecOpts
 if config.Entrypoint != nil {
+ opts = append(opts, oci.WithImageConfig(containerConfig.Image))
 // WithProcessArgs replaces the args on the generated spec.
 opts = append(opts, oci.WithProcessArgs(args...))
 } else {
From 99298e9c9ce6286dc2c6ad2b2a351c905259a054 Mon Sep 17 00:00:00 2001
From: Jonathan Cross <>
Date: Tue, 25 Jan 2022 08:21:58 -0500
Subject: [PATCH 5/5] rename test file numbers
---
 tests/{011-test-annotations.sh => 012-test-annotations.sh} | 0
 tests/{012-test-runtime-gvisor.sh => 014-test-runtime-gvisor.sh} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename tests/{011-test-annotations.sh => 012-test-annotations.sh} (100%)
 rename tests/{012-test-runtime-gvisor.sh => 014-test-runtime-gvisor.sh} (100%)
diff --git a/tests/011-test-annotations.sh b/tests/012-test-annotations.sh
similarity index 100%
rename from tests/011-test-annotations.sh
rename to tests/012-test-annotations.sh
diff --git a/tests/012-test-runtime-gvisor.sh b/tests/014-test-runtime-gvisor.sh
similarity index 100%
rename from tests/012-test-runtime-gvisor.sh
rename to tests/014-test-runtime-gvisor.sh
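Review bot: The new `oci.WithImageConfig` append has no comment, and its position before WithProcessArgs is load-bearing: WithImageConfig also sets the process args from the image's entrypoint and cmd, so swapping the two lines would clobber the override. I would extend the existing comment to `// WithImageConfig must come first: it also sets Process.Args from the image, and WithProcessArgs then replaces them with the override.` If the else branch appends WithImageConfig as well (not visible here), hoisting the call above the if so both branches share it would remove the duplication. createContainer continues outside the hunk.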