There is a problem with NOMAD TLS


Richmod You

Apr 5, 2017, 5:12:07 AM
to Nomad
Hey

   I have 2 Nomad Servers and 3 Nomad Clients, laid out as follows:

   vm1-Server:4646 (TLS: Enabled)   vm1-Client:5656 (TLS: Enabled)
   vm2-Server:4646 (TLS: Enabled)   vm2-Client:5656 (TLS: Enabled)
                                    vm3-Client:4646 (TLS: Not Enabled)

   All Servers and Clients have TLS enabled except vm3-client, but vm3-client can still connect to the Nomad cluster and perform job operations.
   This does not seem safe: anyone who knows the Nomad Server can operate jobs on the cluster without certificate authentication.
   How do I disable Nomad Client connections that have no certificate?


  vm1-Server's Nomad server.hcl:

$ more /etc/nomad.d/server.hcl
# Increase log verbosity
log_level = "DEBUG"
bind_addr = "0.0.0.0" # the default
# Setup data dir
data_dir = "/tmp/server1"
advertise {
    http = "192.168.100.11"
    rpc  = "192.168.100.11"
    serf = "192.168.100.11"
}

# Enable the server
server {
    enabled = true
    # Self-elect, should be 3 or 5 for production
    bootstrap_expect = 1
    encrypt = "r8t56rvPj9XZPQ0KGh4F+A=="
}

tls {
  http = true
  rpc = true
  ca_file = "/etc/nomad.d/ca.pem"
  cert_file = "/etc/nomad.d/nomad.pem"
  key_file  = "/etc/nomad.d/nomad-key.pem"
  verify_server_hostname = true
}



vm3-Client's Nomad client.hcl:
$ more /etc/nomad.d/client.hcl
# Increase log verbosity
log_level = "DEBUG"
bind_addr = "0.0.0.0" # the default
# Setup data dir
data_dir = "/tmp/nomadClient1"
datacenter = "dc1"
# Enable the Client
client {
    enabled = true
}
advertise {
    http = "192.168.100.13"
    rpc  = "192.168.100.13"
    #serf = "192.168.100.13"
}


vm3 can connect to the Nomad cluster.

ubuntu@my-vm-03:~$ nomad status
No running jobs
ubuntu@my-vm-03:~$ nomad node-status
ID        DC   Name      Class   Drain  Status
4258fda2  dc1  my-vm-03  <none>  false  ready
387548ed  dc1  my-vm-02  <none>  false  ready
740e61ba  dc1  my-vm-01  <none>  false  ready
ubuntu@my-vm-03:~$ nomad server-members
Name             Address         Port  Status  Leader  Protocol  Build  Datacenter  Region
my-vm-01.global  192.168.100.11  4648  alive   true    2         0.5.5  dc1         global
my-vm-02.global  192.168.100.12  4648  alive   false   2         0.5.5  dc1         global

vm3 can operate jobs on the Nomad cluster.
ubuntu@my-vm-03:~$ nomad run job_system.nomad 
==> Monitoring evaluation "089e62fb"
    Evaluation triggered by job "mysystem"
    Allocation "197c2eba" created: node "387548ed", group "web"
    Allocation "43961718" created: node "740e61ba", group "web"
    Allocation "df6a5087" created: node "4258fda2", group "web"
    Evaluation status changed: "pending" -> "complete"
==> Evaluation "089e62fb" finished with status "complete"

 

Michael Schurter

Apr 5, 2017, 8:09:18 PM
to Richmod You, Nomad
You're absolutely right, and this is not the intended behavior.

The intended behavior is that if you configure TLS on the servers, then you must configure it for all clients as well.

Since HTTP does not require TLS in Nomad 0.5, this does not radically change the security properties of TLS in Nomad. TLS can provide secure communication between Nomad agents, but it does not offer network isolation (due to not requiring HTTP clients to use client certificates).


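As an added illustration (not part of either post), this is what the intended setup from the reply looks like for vm3: the client.hcl shown above with a tls stanza matching the server's, so the client presents its own certificate on RPC and verifies the servers. The certificate paths assume vm3's certificate was issued by the same CA as the servers'; the servers list is an assumption, since the original file did not show how vm3 located the cluster.

```hcl
# Constructed example: /etc/nomad.d/client.hcl for vm3 with TLS enabled.
log_level  = "DEBUG"
bind_addr  = "0.0.0.0"
data_dir   = "/tmp/nomadClient1"
datacenter = "dc1"

client {
  enabled = true
  # Assumption: point the client at the TLS-enabled servers' RPC port.
  servers = ["192.168.100.11:4647", "192.168.100.12:4647"]
}

advertise {
  http = "192.168.100.13"
  rpc  = "192.168.100.13"
}

# Same shape as the server's tls stanza; without this block the agent
# speaks plain RPC/HTTP and, as the reply notes, is still accepted.
tls {
  http = true
  rpc  = true
  ca_file   = "/etc/nomad.d/ca.pem"         # CA that signed every agent cert
  cert_file = "/etc/nomad.d/nomad.pem"      # assumed: vm3's cert from that CA
  key_file  = "/etc/nomad.d/nomad-key.pem"
  # Requires server certificates to carry the server.global.nomad name
  # (region "global", as in the server-members output above).
  verify_server_hostname = true
}
```

As the reply says, in Nomad 0.5 the servers' HTTP API still answers requests that carry no client certificate; later Nomad releases add `verify_https_client = true` to the tls stanza to require one.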
