open-nomad/website/content/docs/drivers/java.mdx

---
layout: docs
page_title: 'Drivers: Java'
description: The Java task driver is used to run Jars using the JVM.
---
# Java Driver

Name: `java`

The `java` driver is used to execute Java applications packaged into a Java Jar
file. The driver requires the Jar file to be accessible from the Nomad
client via the [`artifact` downloader](/docs/job-specification/artifact).

## Task Configuration

```hcl
task "webservice" {
  driver = "java"

  config {
    jar_path    = "local/example.jar"
    jvm_options = ["-Xmx2048m", "-Xms256m"]
  }
}
```

The `java` driver supports the following configuration in the job spec:

- `class` - (Optional) The name of the class to run. If `jar_path` is specified
  and the manifest specifies a main class, this is optional. If shipping classes
  rather than a Jar, please specify the class to run and the `class_path`.

- `class_path` - (Optional) The `class_path` specifies the class path used by
  Java to look up classes and Jars.

- `jar_path` - (Optional) The path to the downloaded Jar. In most cases this will just be
  the name of the Jar. However, if the supplied artifact is an archive that
  contains the Jar in a subfolder, the path will need to be the relative path
  (`subdir/from_archive/my.jar`).

- `args` - (Optional) A list of arguments to the Jar's main method. References
  to environment variables or any [interpretable Nomad
  variables](/docs/runtime/interpolation) will be interpreted before
  launching the task.

- `jvm_options` - (Optional) A list of JVM options to be passed while invoking
  java. These options are passed without being validated in any way by Nomad.

- `pid_mode` - (Optional) Set to `"private"` to enable PID namespace isolation for
  this task, or `"host"` to disable isolation. If left unset, the behavior is
  determined from the [`default_pid_mode`][default_pid_mode] in plugin configuration.

!> **Warning:** If set to `"host"`, other processes running as the same user will
be able to access sensitive process information like environment variables.

- `ipc_mode` - (Optional) Set to `"private"` to enable IPC namespace isolation for
  this task, or `"host"` to disable isolation. If left unset, the behavior is
  determined from the [`default_ipc_mode`][default_ipc_mode] in plugin configuration.

!> **Warning:** If set to `"host"`, other processes running as the same user will be
able to make use of IPC features, like sending unexpected POSIX signals.

- `cap_add` - (Optional) A list of Linux capabilities to enable for the task.
  Effective capabilities (computed from `cap_add` and `cap_drop`) must be a subset
  of the allowed capabilities configured with [`allow_caps`][allow_caps].

  ```hcl
  config {
    cap_add = ["net_raw", "sys_time"]
  }
  ```

- `cap_drop` - (Optional) A list of Linux capabilities to disable for the task.
  Effective capabilities (computed from `cap_add` and `cap_drop`) must be a subset
  of the allowed capabilities configured with [`allow_caps`][allow_caps].

  ```hcl
  config {
    cap_drop = ["all"]
    cap_add  = ["chown", "sys_chroot", "mknod"]
  }
  ```

## Examples

A simple config block to run a Java Jar:

```hcl
task "web" {
  driver = "java"

  config {
    jar_path    = "local/hello.jar"
    jvm_options = ["-Xmx2048m", "-Xms256m"]
  }

  # Specifying an artifact is required with the "java" driver. This is the
  # mechanism to ship the Jar to be run.
  artifact {
    source = "https://internal.file.server/hello.jar"

    options {
      checksum = "md5:123445555555555"
    }
  }
}
```

A simple config block to run a Java class:

```hcl
task "web" {
  driver = "java"

  config {
    class       = "Hello"
    class_path  = "${NOMAD_TASK_DIR}"
    jvm_options = ["-Xmx2048m", "-Xms256m"]
  }

  # Specifying an artifact is required with the "java" driver. This is the
  # mechanism to ship the Jar to be run.
  artifact {
    source = "https://internal.file.server/Hello.class"

    options {
      checksum = "md5:123445555555555"
    }
  }
}
```

## Capabilities

The `java` driver implements the following [capabilities](/docs/internals/plugins/task-drivers#capabilities-capabilities-error).

| Feature              | Implementation                |
| -------------------- | ----------------------------- |
| `nomad alloc signal` | false                         |
| `nomad alloc exec`   | false                         |
| filesystem isolation | none, chroot (only for linux) |
| network isolation    | host, group                   |
| volume mounting      | none, all (only for linux)    |

## Plugin Options

- `default_pid_mode` `(string: optional)` - Defaults to `"private"`. Set to
  `"private"` to enable PID namespace isolation for tasks by default, or `"host"` to
  disable isolation.

!> **Warning:** If set to `"host"`, other processes running as the same user will
be able to access sensitive process information like environment variables.

- `default_ipc_mode` `(string: optional)` - Defaults to `"private"`. Set to
  `"private"` to enable IPC namespace isolation for tasks by default,
  or `"host"` to disable isolation.

!> **Warning:** If set to `"host"`, other processes running as the same user will be
able to make use of IPC features, like sending unexpected POSIX signals.

- `allow_caps` - A list of allowed Linux capabilities. Defaults to

  ```hcl
  ["audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod",
   "net_bind_service", "setfcap", "setgid", "setpcap", "setuid", "sys_chroot"]
  ```

  which is modeled after the capabilities allowed by [docker by default][docker_caps]
  (without [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities
  can be obtained by tasks using [`cap_add`][cap_add] and [`cap_drop`][cap_drop] options.
  Supports the value `"all"` as a shortcut for allow-listing all capabilities supported
  by the operating system.

!> **Warning:** Allowing more capabilities beyond the default may lead to
undesirable consequences, including untrusted tasks being able to compromise the
host system.
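
The subset rule can be checked before a job is submitted. The following is an added example, not part of the Nomad documentation or code base: `check_caps` is a hypothetical helper that models the rule as stated on this page, assuming a task starts from the default list limited to `allow_caps` and that `cap_drop` is applied before `cap_add`.

```python
# Added illustration: a simplified model of the rule described on this page,
# not Nomad's implementation.

# Default allow_caps, copied from the plugin option above.
DEFAULT_ALLOW_CAPS = frozenset({
    "audit_write", "chown", "dac_override", "fowner", "fsetid", "kill",
    "mknod", "net_bind_service", "setfcap", "setgid", "setpcap", "setuid",
    "sys_chroot",
})


def _norm(caps):
    # Assumption: names compare case-insensitively, with or without "CAP_".
    names = (c.strip().lower() for c in caps)
    return {n[4:] if n.startswith("cap_") else n for n in names}


def check_caps(cap_add=(), cap_drop=(), allow_caps=DEFAULT_ALLOW_CAPS):
    """Return (effective, rejected) as sorted lists of capability names.

    Assumptions of this model: a task starts from the default list limited
    to allow_caps, cap_drop is applied before cap_add, and "all" in cap_drop
    clears the starting set. A non-empty `rejected` list means the effective
    set is not a subset of allow_caps, so the job should not be submitted.
    """
    allowed = _norm(allow_caps)
    allow_all = "all" in allowed
    base = set(DEFAULT_ALLOW_CAPS) if allow_all else DEFAULT_ALLOW_CAPS & allowed
    drop = _norm(cap_drop)
    base = set() if "all" in drop else base - drop
    effective = base | _norm(cap_add)
    rejected = set() if allow_all else effective - allowed
    return sorted(effective), sorted(rejected)


if __name__ == "__main__":
    # The two task examples from this page, checked against the default list.
    print(check_caps(cap_add=["net_raw", "sys_time"]))
    print(check_caps(cap_drop=["all"], cap_add=["chown", "sys_chroot", "mknod"]))
    # A tighter operator allow-list (constructed) rejects part of the second.
    print(check_caps(cap_drop=["all"], cap_add=["chown", "sys_chroot", "mknod"],
                     allow_caps=["chown", "net_bind_service"]))
```

Under the default `allow_caps`, the `cap_add = ["net_raw", "sys_time"]` task example is rejected until the operator allow-lists both capabilities, while the `cap_drop = ["all"]` example passes.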
## Client Requirements

The `java` driver requires Java to be installed and in your system's `$PATH`. On
Linux, Nomad must run as root since it will use `chroot` and `cgroups` which
require root privileges. The task must also specify at least one artifact to
download, as this is the only way to retrieve the Jar being run.

## Client Attributes

The `java` driver will set the following client attributes:

- `driver.java` - Set to `1` if Java is found on the host node. Nomad determines
  this by executing `java -version` on the host and parsing the output.
- `driver.java.version` - Version of Java, ex: `1.6.0_65`
- `driver.java.runtime` - Runtime version, ex: `Java(TM) SE Runtime Environment (build 1.6.0_65-b14-466.1-11M4716)`
- `driver.java.vm` - Virtual Machine information, ex: `Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-466.1, mixed mode)`

Here is an example of using these properties in a job file:

```hcl
job "docs" {
  # Only run this job where the JVM is higher than version 1.6.0.
  constraint {
    attribute = "${driver.java.version}"
    operator  = ">"
    value     = "1.6.0"
  }
}
```

## Resource Isolation

The resource isolation provided varies by the operating system of
the client and the configuration.

On Linux, Nomad will attempt to use cgroups, namespaces, and chroot
to isolate the resources of a process. If the Nomad agent is not
running as root, many of these mechanisms cannot be used.

As a baseline, the Java jars will be run inside a Java Virtual Machine,
providing a minimum amount of isolation.

### Chroot

The chroot created on Linux is populated with data in the following
directories from the host machine:

```
[
  "/bin",
  "/etc",
  "/lib",
  "/lib32",
  "/lib64",
  "/run/resolvconf",
  "/sbin",
  "/usr",
]
```

The task's chroot is populated by linking or copying the data from the host into
the chroot. Note that this can take considerable disk space. Since Nomad v0.5.3,
the client manages garbage collection locally which mitigates any issue this may
create.

This list is configurable through the agent client
[configuration file](/docs/configuration/client#chroot_env).

[default_pid_mode]: /docs/drivers/java#default_pid_mode
[default_ipc_mode]: /docs/drivers/java#default_ipc_mode
[cap_add]: /docs/drivers/java#cap_add
[cap_drop]: /docs/drivers/java#cap_drop
[no_net_raw]: /docs/upgrade/upgrade-specific#nomad-1-1-0-rc1-1-0-5-0-12-12
[allow_caps]: /docs/drivers/java#allow_caps
[docker_caps]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities