How to run nomad raw_exec task as non-root user

Question

It is possible to run processes for the Nomad raw_exec driver inside a task as non-root users? Ideally want to run nomad as root and then do drop privileges to run a command as the target user:

job "show_id_job" {
  datacenters = ["dc1"]
  priority = 100
  type = "batch"
  constraint {
    attribute = "${attr.unique.hostname}"
    value = "myhost.company.com"
  }
  group "show_id_group" {
    network {
      mode = "host"
    }
    task "show_id" {
      driver = "raw_exec"
      config {
        command = "/usr/bin/su"
        args = ["--login", "regularuser", "/usr/bin/id"]
      }
    }
  }
}

But when I run this job it fails:

Oct 23 19:51:03 myhost.company.com nomad[300160]: client: allocation updates applied: added=0 removed=0 updated=4 ignored=4 errors=0
Oct 23 19:51:03 myhost.company.com su[385531]: pam_unix(su-l:session): session closed for user regularuser
Oct 23 19:51:03 myhost.company.com nomad[300160]:     2020-10-23T19:51:03.822-0400 [ERROR] client.driver_mgr.raw_exec: error receiving stream from Stats executor RPC, closing stream: alloc_id=fbe2e6d9-930e-acff-83c7-9d0f83b2e085 driver=raw_exec task_name=show_id error="rpc error: code = Unavailable desc = transport is closing"
Oct 23 19:51:03 myhost.company.com nomad[300160]:     2020-10-23T19:51:03.822-0400 [ERROR] client.alloc_runner.task_runner.task_hook.stats_hook: failed to start stats collection for task: alloc_id=fbe2e6d9-930e-acff-83c7-9d0f83b2e085 task=show_id error="rpc error: code = Canceled desc = grpc: the client connection is closing"

I could not find in the documentation any parameters that could allow me to do the same

Has anyone run into this issue?

Thanks!

Answer 1

It is not possible with raw_exec (documentation says it is supported with driver=docker or driver=exec). You can also run nomad as a non-privileged user.