2015-09-20 22:31:33 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
|
|
|
page_title: "Drivers: Docker"
|
2015-09-25 02:35:52 +00:00
|
|
|
sidebar_current: "docs-drivers-docker"
|
2015-09-20 22:31:33 +00:00
|
|
|
description: |-
|
|
|
|
The Docker task driver is used to run Docker based tasks.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Docker Driver
|
|
|
|
|
2015-09-25 02:35:52 +00:00
|
|
|
Name: `docker`
|
2015-09-20 22:31:33 +00:00
|
|
|
|
2015-09-25 02:35:52 +00:00
|
|
|
The `docker` driver provides a first-class Docker workflow on Nomad. The Docker
|
2015-09-25 02:33:06 +00:00
|
|
|
driver handles downloading containers, mapping ports, and starting, watching,
|
2015-09-29 21:00:48 +00:00
|
|
|
and cleaning up after containers.
|
2015-09-20 22:31:33 +00:00
|
|
|
|
2015-09-25 02:33:06 +00:00
|
|
|
## Task Configuration
|
|
|
|
|
2015-09-25 06:40:30 +00:00
|
|
|
The `docker` driver supports the following configuration in the job specification:
|
2015-09-25 02:33:06 +00:00
|
|
|
|
|
|
|
* `image` - (Required) The Docker image to run. The image may include a tag or
|
|
|
|
custom URL. By default it will be fetched from Docker Hub.
|
|
|
|
|
2015-09-26 06:28:23 +00:00
|
|
|
* `command` - (Optional) The command to run when starting the container.
|
|
|
|
|
2015-10-16 00:28:25 +00:00
|
|
|
* `args` - (Optional) Arguments to the optional `command`. If no `command` is
|
|
|
|
present, `args` are ignored.
|
|
|
|
|
2015-10-01 02:15:24 +00:00
|
|
|
* `network_mode` - (Optional) The network mode to be used for the container.
|
2015-10-02 23:11:38 +00:00
|
|
|
Valid options are `default`, `bridge`, `host` or `none`. If nothing is
|
2015-10-01 02:15:24 +00:00
|
|
|
specified, the container will start in `bridge` mode. The `container`
|
2015-10-13 20:31:56 +00:00
|
|
|
network mode is not supported right now and is reported as an invalid
|
|
|
|
option.
|
2015-10-01 02:15:24 +00:00
|
|
|
|
2015-11-05 18:47:41 +00:00
|
|
|
* `privileged` - (optional) Privileged mode gives the container full access to
|
|
|
|
the host. Valid options are `"true"` and `"false"` (defaults to `"false"`).
|
2015-11-06 18:38:54 +00:00
|
|
|
Tasks with `privileged` set can only run on Nomad Agents with
|
|
|
|
`docker.privileged.enabled = "true"`.
|
2015-11-05 18:47:41 +00:00
|
|
|
|
|
|
|
* `dns-servers` - (optional) A comma separated list of DNS servers for the container
|
|
|
|
to use (e.g. "8.8.8.8,8.8.4.4"). *Docker API v1.10 and above only*
|
|
|
|
|
|
|
|
* `search-domains` - (optional) A comma separated list of DNS search domains for the
|
|
|
|
container to use.
|
2015-11-17 06:44:44 +00:00
|
|
|
|
2015-11-17 07:14:28 +00:00
|
|
|
* `hostname` - (optional) The hostname to assign to the container. When launching more
|
|
|
|
than one of a task (using `count`) with this option set, every container the task
|
|
|
|
starts will have the same hostname.
|
2015-11-05 18:47:41 +00:00
|
|
|
|
|
|
|
**Authentication**
|
|
|
|
Registry authentication can be set per task with the following authentication
|
|
|
|
parameters. These options can provide access to private repositories that
|
|
|
|
utilize the docker remote api (e.g. dockerhub, quay.io)
|
|
|
|
- `auth.username` - (optional) The account username
|
|
|
|
- `auth.password` - (optional) The account password
|
|
|
|
- `auth.email` - (optional) The account email
|
|
|
|
- `auth.server-address` - (optional) The server domain/ip without the protocol
|
|
|
|
|
2015-09-25 02:33:06 +00:00
|
|
|
### Port Mapping
|
|
|
|
|
|
|
|
Nomad uses port binding to expose services running in containers using the port
|
|
|
|
space on the host's interface. For example, Nomad host running on `1.2.3.4` may
|
|
|
|
allocate port `22333` to a task, so you would access that service via
|
|
|
|
`1.2.3.4:22333`.
|
|
|
|
|
2015-09-25 06:40:30 +00:00
|
|
|
Nomad provides automatic and manual mapping schemes for Docker. You can use
|
2015-09-25 02:33:06 +00:00
|
|
|
either or both schemes for a task. Nomad binds both tcp and udp protocols to
|
|
|
|
ports used for Docker containers. This is not configurable.
|
|
|
|
|
2015-09-25 23:49:26 +00:00
|
|
|
Note: You are not required to map any ports, for example if your task is running
|
|
|
|
a crawler or aggregator and does not provide a network service. Tasks without a
|
|
|
|
port mapping will still be able to make outbound network connections.
|
|
|
|
|
2015-09-25 02:33:06 +00:00
|
|
|
#### Automatic Port Mapping
|
|
|
|
|
|
|
|
Typically when you create a Docker container you configure the service to start
|
|
|
|
listening on a port (or ports) when you start the container. For example, redis
|
2015-10-17 21:56:05 +00:00
|
|
|
starts listening on `6379` when you `docker run redis`. Nomad can support this by
|
2015-10-17 17:54:17 +00:00
|
|
|
mapping a random port on the host machine to the port inside the container.
|
2015-09-25 02:33:06 +00:00
|
|
|
|
|
|
|
You need to tell Nomad which ports your container is using so Nomad can map
|
|
|
|
allocated ports for you. You do so by specifying a **numeric port value** for
|
|
|
|
the `dynamic_ports` option in your job specification.
|
|
|
|
|
|
|
|
```
|
|
|
|
dynamic_ports = ["6379"]
|
|
|
|
# or
|
|
|
|
dynamic_ports = [6379]
|
|
|
|
```
|
|
|
|
|
|
|
|
This instructs Nomad to create a port mapping from the random port on the host
|
|
|
|
to the port inside the container. So in our example above, when you contact the
|
|
|
|
host on `1.2.3.4:22333` you will actually hit the service running inside the
|
|
|
|
container on port `6379`. You can see which port was actually bound by reading the
|
|
|
|
`NOMAD_PORT_6379` [environment variable](/docs/jobspec/environment.html).
|
|
|
|
|
|
|
|
In most cases, the automatic port mapping will be the easiest to use, but you
|
|
|
|
can also use manual port mapping (described below).
|
|
|
|
|
|
|
|
#### Manual Port Mapping
|
|
|
|
|
|
|
|
The `dynamic_ports` option takes any alphanumeric string as a label, so you could
|
|
|
|
also specify a label for the port like `http` or `admin` to designate how the
|
|
|
|
port will be used.
|
|
|
|
|
|
|
|
In this case, Nomad doesn't know which container port to map to, so it maps 1:1
|
|
|
|
with the host port. For example, `1.2.3.4:22333` will map to `22333` inside the
|
|
|
|
container.
|
|
|
|
|
|
|
|
```
|
|
|
|
dynamic_ports = ["http"]
|
|
|
|
```
|
|
|
|
|
|
|
|
Your process will need to read the `NOMAD_PORT_HTTP` environment variable to
|
|
|
|
determine which port to bind to.
|
|
|
|
|
|
|
|
## Client Requirements
|
|
|
|
|
|
|
|
Nomad requires Docker to be installed and running on the host alongside the Nomad
|
2015-09-25 18:29:38 +00:00
|
|
|
agent. Nomad was developed against Docker `1.8.2`.
|
|
|
|
|
|
|
|
By default Nomad communicates with the Docker daemon using the daemon's
|
2015-09-25 02:33:06 +00:00
|
|
|
unix socket. Nomad will need to be able to read/write to this socket. If you do
|
|
|
|
not run Nomad as root, make sure you add the Nomad user to the Docker group so
|
|
|
|
Nomad can communicate with the Docker daemon.
|
|
|
|
|
2015-09-25 18:29:38 +00:00
|
|
|
For example, on ubuntu you can use the `usermod` command to add the `vagrant` user to the
|
|
|
|
`docker` group so you can run Nomad without root:
|
|
|
|
|
|
|
|
sudo usermod -G docker -a vagrant
|
|
|
|
|
2015-09-25 02:33:06 +00:00
|
|
|
For the best performance and security features you should use recent versions of
|
|
|
|
the Linux Kernel and Docker daemon.
|
|
|
|
|
2015-09-25 06:40:30 +00:00
|
|
|
## Client Configuration
|
|
|
|
|
|
|
|
The `docker` driver has the following configuration options:
|
|
|
|
|
|
|
|
* `docker.endpoint` - Defaults to `unix:///var/run/docker.sock`. You will need
|
|
|
|
to customize this if you use a non-standard socket (http or another location).
|
|
|
|
|
2015-10-08 07:08:54 +00:00
|
|
|
* `docker.cleanup.container` Defaults to `true`. Changing this to `false` will
|
|
|
|
prevent Nomad from removing containers from stopped tasks.
|
|
|
|
|
|
|
|
* `docker.cleanup.image` Defaults to `true`. Changing this to `false` will
|
|
|
|
prevent Nomad from removing images from stopped tasks.
|
|
|
|
|
2015-11-06 00:40:20 +00:00
|
|
|
* `docker.privileged.enabled` Defaults to `false`. Changing this to `true` will
|
|
|
|
allow containers to use "privileged" mode, which gives the containers full access
|
2015-11-06 18:38:54 +00:00
|
|
|
to the host.
|
2015-11-06 00:40:20 +00:00
|
|
|
|
|
|
|
|
2015-10-08 07:08:54 +00:00
|
|
|
Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`,
|
|
|
|
`DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. In
|
|
|
|
production Nomad will always read `docker.endpoint`.
|
|
|
|
|
2015-09-25 02:33:06 +00:00
|
|
|
## Client Attributes
|
|
|
|
|
2015-09-25 06:40:30 +00:00
|
|
|
The `docker` driver will set the following client attributes:
|
2015-09-25 02:33:06 +00:00
|
|
|
|
2015-10-12 20:40:31 +00:00
|
|
|
* `driver.docker` - This will be set to "1", indicating the
|
2015-09-25 02:33:06 +00:00
|
|
|
driver is available.
|
2015-10-11 19:53:34 +00:00
|
|
|
* `driver.docker.version` - This will be set to version of the
|
|
|
|
docker server
|
2015-09-25 02:33:06 +00:00
|
|
|
|
|
|
|
## Resource Isolation
|
|
|
|
|
|
|
|
### CPU
|
|
|
|
|
|
|
|
Nomad limits containers' CPU based on CPU shares. CPU shares allow containers to
|
|
|
|
burst past their CPU limits. CPU limits will only be imposed when there is
|
|
|
|
contention for resources. When the host is under load your process may be
|
2015-10-17 20:55:55 +00:00
|
|
|
throttled to stabilize QOS depending on how many shares it has. You can see how
|
2015-09-25 02:33:06 +00:00
|
|
|
many CPU shares are available to your process by reading `NOMAD_CPU_LIMIT`. 1000
|
|
|
|
shares are approximately equal to 1Ghz.
|
|
|
|
|
|
|
|
Please keep the implications of CPU shares in mind when you load test workloads
|
|
|
|
on Nomad.
|
|
|
|
|
|
|
|
### Memory
|
|
|
|
|
|
|
|
Nomad limits containers' memory usage based on total virtual memory. This means
|
|
|
|
that containers scheduled by Nomad cannot use swap. This is to ensure that a
|
|
|
|
swappy process does not degrade performance for other workloads on the same host.
|
|
|
|
|
|
|
|
Since memory is not an elastic resource, you will need to make sure your
|
|
|
|
container does not exceed the amount of memory allocated to it, or it will be
|
|
|
|
terminated or crash when it tries to malloc. A process can inspect its memory
|
|
|
|
limit by reading `NOMAD_MEMORY_LIMIT`, but will need to track its own memory
|
|
|
|
usage. Memory limit is expressed in megabytes so 1024 = 1Gb.
|
|
|
|
|
|
|
|
### IO
|
|
|
|
|
|
|
|
Nomad's Docker integration does not currently provide QOS around network or
|
|
|
|
filesystem IO. These will be added in a later release.
|
|
|
|
|
|
|
|
### Security
|
|
|
|
|
|
|
|
Docker provides resource isolation by way of
|
|
|
|
[cgroups and namespaces](https://docs.docker.com/introduction/understanding-docker/#the-underlying-technology).
|
2015-09-25 06:40:30 +00:00
|
|
|
Containers essentially have a virtual file system all to themselves. If you need
|
2015-09-25 02:33:06 +00:00
|
|
|
a higher degree of isolation between processes for security or other reasons, it
|
2015-09-29 21:00:48 +00:00
|
|
|
is recommended to use full virtualization like [QEMU](/docs/drivers/qemu.html).
|