This repository has been archived by the owner on Nov 19, 2020. It is now read-only.

Supervisor program to constrain Windows executables running under Nomad's raw_exec driver


jet/damon


NOTICE: SUPPORT FOR THIS PROJECT ENDED ON 18 November 2020

This project was owned and maintained by Jet.com (Walmart). This project has reached its end of life and Walmart no longer supports this project.

We will no longer be monitoring the issues for this project or reviewing pull requests. You are free to continue using this project under the license terms or forks of this project at your own risk. This project is no longer subject to Jet.com/Walmart's bug bounty program or other security monitoring.

Actions you can take

We recommend you take the following action:

  • Review any configuration files used for build automation and make appropriate updates to remove or replace this project
  • Notify other members of your team and/or organization of this change
  • Notify your security team to help you evaluate alternative options

Forking and transition of ownership

For security reasons, Walmart does not transfer the ownership of our primary repos on Github or other platforms to other individuals/organizations. Further, we do not transfer ownership of packages for public package management systems.

If you would like to fork this package and continue development, you should choose a new name for the project and create your own packages, build automation, etc.

Please review the licensing terms of this project, which continue to be in effect even after decommission.

ORIGINAL README BELOW



Damon

Damon is a supervisor program to constrain Windows executables that are run under the raw_exec driver in Nomad.

Usage

To use Damon, run it before your command.

damon.exe yourapp.exe [args]

Configuration

Damon uses environment variables to configure process monitoring and resource constraints.

Logging Options

  • DAMON_LOG_MAX_FILES: the number of old logs to keep after rotating.
  • DAMON_LOG_MAX_SIZE: the maximum size (in MB) of the active log file before it gets rotated.
  • DAMON_LOG_DIR: the directory in which to place Damon log files. When DAMON_LOG_DIR is unset, Damon attempts to use the standard Nomad log directory ${NOMAD_ALLOC_DIR}/logs. If NOMAD_ALLOC_DIR is also unset, it defaults to the current working directory.
  • DAMON_NOMAD_LOG_SUFFIX: the suffix appended to the log name of the active log file. Rotated log files contain a datestamp. The default value is .damon.log
  • DAMON_LOG_NAME: the full name of the log file (without the directory). Setting this overrides DAMON_NOMAD_LOG_SUFFIX. When this is unset, it defaults to ${NOMAD_TASK_NAME}${DAMON_NOMAD_LOG_SUFFIX}

Constraint Options

  • DAMON_ENFORCE_CPU_LIMIT: When set to 'Y', enforces CPU constraints on the wrapped process. Set to 'N' to disable CPU-rate limits. (Default: 'Y')
  • DAMON_ENFORCE_MEMORY_LIMIT: When set to 'Y', enforces memory limits on the wrapped process. Set to 'N' to disable memory limits. (Default: 'Y')
  • DAMON_CPU_LIMIT: The CPU limit in MHz. Defaults to NOMAD_CPU_LIMIT.
  • DAMON_MEMORY_LIMIT: The memory limit in MB. Defaults to NOMAD_MEMORY_LIMIT.
  • DAMON_RESTRICTED_TOKEN: When set to 'Y', runs the wrapped process with a Restricted Token:
    • Drops all Privileges
    • Disables the BUILTIN\Administrator SID

Metrics Options

  • DAMON_ADDR: The address Damon listens on to serve Prometheus metrics. Default: ${NOMAD_ADDR_damon}. This option is designed to work with the NOMAD_ADDR_damon environment variable, which means you should change your job spec to:
    • request a port labeled "damon"
    • add a service to the task that advertises the "damon" port to Consul service discovery, so that your Prometheus infrastructure can find it and scrape it.
  • DAMON_METRICS_ENDPOINT: The path to the Prometheus metrics endpoint. Default: /metrics
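
A job spec that applies the constraint and metrics options above, as an added example that is not taken from the damon repository. The job, task and service names, artifact URLs and resource values are constructed placeholders, and the port is requested with the task-level network block used by Nomad releases contemporary with this project.

```hcl
# Added example: constructed job spec, not from the damon repository.
job "yourapp" {
  datacenters = ["dc1"]

  group "app" {
    task "yourapp" {
      driver = "raw_exec"

      # Placeholder artifact locations; replace with your own.
      artifact {
        source = "https://artifacts.example.invalid/damon.exe"
      }
      artifact {
        source = "https://artifacts.example.invalid/yourapp.exe"
      }

      # Damon runs first and launches the wrapped executable.
      config {
        command = "${NOMAD_TASK_DIR}/damon.exe"
        args    = ["${NOMAD_TASK_DIR}/yourapp.exe"]
      }

      env {
        DAMON_RESTRICTED_TOKEN     = "Y" # drop privileges, disable admin SID
        DAMON_ENFORCE_CPU_LIMIT    = "Y" # default, shown for clarity
        DAMON_ENFORCE_MEMORY_LIMIT = "Y" # default, shown for clarity
      }

      resources {
        cpu    = 500 # MHz; Damon defaults to NOMAD_CPU_LIMIT
        memory = 256 # MB; Damon defaults to NOMAD_MEMORY_LIMIT
        network {
          port "damon" {} # dynamic port; populates NOMAD_ADDR_damon
        }
      }

      # Advertise the metrics port to Consul so Prometheus can discover it.
      service {
        name = "yourapp-damon"
        port = "damon"
        tags = ["prometheus"]
      }
    }
  }
}
```

DAMON_ADDR and DAMON_METRICS_ENDPOINT are left unset here so that Damon falls back to ${NOMAD_ADDR_damon} and /metrics as documented above.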

Building & Testing Damon

Included with this repository is make.ps1 which can be used to build damon.exe and also run tests.

Build Binary

.\make.ps1 -Build

Lint Code

Runs golangci-lint against the codebase. It installs golangci-lint if it doesn't exist in ${GOPATH}/bin.

.\make.ps1 -Lint

Test Code

Runs tests and generates code coverage files.

.\make.ps1 -Test

Give it a Try

Check out the examples directory for scripts and job definitions.

Be sure to alter the environment variables, artifact locations, etc. to match your environment.
