Prepare to support Nomad 1.8 (#258)

.github/renovate.json5

@@ -30,7 +30,7 @@
       "automerge": true
     },
     {
-      "matchFileNames": ["v1.7.x/**"],
+      "matchFileNames": ["v1.8.x/**"],
       "matchPackageNames": ["hashicorp/nomad"],
       "ignoreUnstable": false,
       "groupName": "nomad-latest",
@@ -65,5 +65,11 @@
       "allowedVersions": "<=1.6",
       "groupName": "nomad-1.6.x",
     },
+    {
+      "matchFileNames": ["v1.7.x/**"],
+      "matchPackageNames": ["hashicorp/nomad"],
+      "allowedVersions": "<=1.7",
+      "groupName": "nomad-1.7.x",
+    },
   ],
 }

.github/workflows/v1.8.x-build.yml

@@ -0,0 +1,22 @@
+name: "v1.8.x: build"
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - v1.8.x/**
+
+  pull_request:
+    branches:
+      - master
+    paths:
+      - v1.8.x/**
+
+jobs:
+  test:
+    name: Test
+    uses: ./.github/workflows/template-build.yml
+    with:
+      platforms: linux/amd64,linux/arm/v7,linux/arm64
+      directory: v1.8.x

.github/workflows/v1.8.x-create-tag.yml

@@ -0,0 +1,19 @@
+name: "v1.8.x: create tag"
+
+on:
+  push:
+    branches:
+      - master
+
+    paths:
+      - v1.8.x/nomad-version
+
+jobs:
+  tag:
+    name: Tag
+    permissions:
+      contents: write
+    uses: ./.github/workflows/template-create-tag.yml
+    secrets: inherit
+    with:
+      directory: v1.8.x

.github/workflows/v1.8.x-release.yml

@@ -0,0 +1,19 @@
+name: "v1.8.x: release"
+
+on:
+  push:
+    tags:
+      - 1.8.**
+
+jobs:
+  release:
+    name: Release
+    permissions:
+      contents: write
+      packages: write
+      discussions: write
+    uses: ./.github/workflows/template-release.yml
+    secrets: inherit
+    with:
+      platforms: linux/amd64,linux/arm/v7,linux/arm64
+      directory: v1.8.x

v1.8.x/Dockerfile

@@ -0,0 +1,60 @@
+FROM --platform=$TARGETPLATFORM debian:12.2-slim
+
+# Fetch the target information injected by Docker build
+ARG TARGETOS
+ARG TARGETARCH
+
+SHELL ["/bin/bash", "-x", "-c", "-o", "pipefail"]
+
+# https://releases.hashicorp.com/nomad/
+ARG NOMAD_VERSION
+RUN test -n "$NOMAD_VERSION" || (echo "NOMAD_VERSION argument must be set" && false)
+
+RUN groupadd nomad \
+  && useradd --system --gid nomad nomad \
+  && mkdir --parents /nomad/data \
+  && mkdir --parents /etc/nomad \
+  && chown --recursive nomad:nomad /nomad /etc/nomad
+
+# Allow to fetch artifacts from TLS endpoint during the builds and by Nomad after.
+# Install timezone data so we can run Nomad periodic jobs containing timezone information
+RUN apt-get update \
+  && apt-get install --yes --no-install-recommends \
+    ca-certificates \
+    dumb-init \
+    libcap2 \
+    tzdata \
+  && update-ca-certificates \
+  && rm -rf /var/lib/apt/lists/*
+
+ADD https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
+    nomad_${NOMAD_VERSION}_${TARGETOS}_${TARGETARCH}.zip
+ADD https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS \
+    nomad_${NOMAD_VERSION}_SHA256SUMS
+ADD https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS.sig \
+    nomad_${NOMAD_VERSION}_SHA256SUMS.sig
+
+RUN apt-get update \
+  && apt-get install --yes --no-install-recommends \
+    gnupg \
+    unzip \
+  && GNUPGHOME="$(mktemp -d)" \
+  && export GNUPGHOME \
+  && gpg --keyserver pgp.mit.edu --keyserver keys.openpgp.org --keyserver keyserver.ubuntu.com --recv-keys "C874 011F 0AB4 0511 0D02 1055 3436 5D94 72D7 468F" \
+  && gpg --batch --verify nomad_${NOMAD_VERSION}_SHA256SUMS.sig nomad_${NOMAD_VERSION}_SHA256SUMS \
+  && grep nomad_${NOMAD_VERSION}_${TARGETOS}_${TARGETARCH}.zip nomad_${NOMAD_VERSION}_SHA256SUMS | sha256sum -c \
+  && unzip -d /bin nomad_${NOMAD_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
+  && chmod +x /bin/nomad \
+  && rm -rf "$GNUPGHOME" nomad_${NOMAD_VERSION}_${TARGETOS}_${TARGETARCH}.zip nomad_${NOMAD_VERSION}_SHA256SUMS nomad_${NOMAD_VERSION}_SHA256SUMS.sig \
+  && apt-get autoremove --purge --yes \
+      gnupg \
+      unzip \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN nomad version
+
+EXPOSE 4646 4647 4648 4648/udp
+
+COPY start.sh /usr/local/bin/
+
+ENTRYPOINT ["/usr/local/bin/start.sh"]

v1.8.x/nomad-version

@@ -0,0 +1 @@
+1.8.0-beta.1

v1.8.x/start.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/dumb-init /bin/sh
+# shellcheck shell=dash
+# Script created following Hashicorp's model for Consul:
+# https://github.com/hashicorp/docker-consul/blob/master/0.X/docker-entrypoint.sh
+# Comments in this file originate from the project above, simply replacing 'Consul' with 'Nomad'.
+set -e
+
+# Note above that we run dumb-init as PID 1 in order to reap zombie processes
+# as well as forward signals to all processes in its session. Normally, sh
+# wouldn't do either of these functions so we'd leak zombies as well as do
+# unclean termination of all our sub-processes.
+# As of docker 1.13, using docker run --init achieves the same outcome.
+
+# NOMAD_DATA_DIR is exposed as a volume for possible persistent storage. The
+# NOMAD_CONFIG_DIR isn't exposed as a volume but you can compose additional
+# config files in there if you use this image as a base, or use NOMAD_LOCAL_CONFIG
+# below.
+NOMAD_DATA_DIR=${NOMAD_DATA_DIR:-"/nomad/data"}
+NOMAD_CONFIG_DIR=${NOMAD_CONFIG_DIR:-"/etc/nomad"}
+
+# You can also set the NOMAD_LOCAL_CONFIG environemnt variable to pass some
+# Nomad configuration JSON without having to bind any volumes.
+if [ -n "$NOMAD_LOCAL_CONFIG" ]; then
+    echo "$NOMAD_LOCAL_CONFIG" > "$NOMAD_CONFIG_DIR/local.json"
+fi
+
+# If the user is trying to run Nomad directly with some arguments, then
+# pass them to Nomad.
+if [ "$(printf "%s" "$1" | cut -c 1)" = '-' ]; then
+    set -- nomad "$@"
+fi
+
+# Look for Nomad subcommands.
+if [ "$1" = 'agent' ]; then
+    shift
+    set -- nomad agent \
+        -data-dir="$NOMAD_DATA_DIR" \
+        -config="$NOMAD_CONFIG_DIR" \
+        "$@"
+elif [ "$1" = 'version' ]; then
+    # This needs a special case because there's no help output.
+    set -- nomad "$@"
+elif nomad --help "$1" 2>&1 | grep -q "nomad $1"; then
+    # We can't use the return code to check for the existence of a subcommand, so
+    # we have to use grep to look for a pattern in the help output.
+    set -- nomad "$@"
+fi
+
+# If we are running Nomad, make sure it executes as the proper user.
+if [ "$1" = 'nomad' ] && [ -z "${NOMAD_DISABLE_PERM_MGMT+x}" ]; then
+    # If the data or config dirs are bind mounted then chown them.
+    # Note: This checks for root ownership as that's the most common case.
+    if [ "$(stat -c %u "$NOMAD_DATA_DIR")" != "$(id -u root)" ]; then
+        chown root:root "$NOMAD_DATA_DIR"
+    fi
+
+    # If requested, set the capability to bind to privileged ports before
+    # we drop to the non-root user. Note that this doesn't work with all
+    # storage drivers (it won't work with AUFS).
+    if [ -n "${NOMAD+x}" ]; then
+        setcap "cap_net_bind_service=+ep" /bin/nomad
+    fi
+
+    exec runuser -u root -- "$@"
+fi
+
+exec "$@"