2015-09-20 22:31:33 +00:00
---
2020-02-06 23:45:31 +00:00
layout: docs
page_title: 'Drivers: Docker'
description: The Docker task driver is used to run Docker based tasks.
2015-09-20 22:31:33 +00:00
---
# Docker Driver
2015-09-25 02:35:52 +00:00
Name: `docker`
2015-09-20 22:31:33 +00:00
2015-09-25 02:35:52 +00:00
The `docker` driver provides a first-class Docker workflow on Nomad. The Docker
2015-09-25 02:33:06 +00:00
driver handles downloading containers, mapping ports, and starting, watching,
2015-09-29 21:00:48 +00:00
and cleaning up after containers.
2015-09-20 22:31:33 +00:00
2021-04-29 23:53:12 +00:00
-> **Note:** If you are using Docker Desktop for Windows or MacOS, please check
[our FAQ][faq-win-mac].
2015-09-25 02:33:06 +00:00
## Task Configuration
2016-10-03 21:35:20 +00:00
```hcl
2015-11-19 00:30:37 +00:00
task "webservice" {
2016-10-03 21:35:20 +00:00
driver = "docker"
config {
image = "redis:3.2"
labels {
group = "webservice-cache"
2015-11-19 00:30:37 +00:00
}
2016-10-03 21:35:20 +00:00
}
2016-10-28 00:36:26 +00:00
}
2015-11-19 00:30:37 +00:00
```
2020-02-06 23:45:31 +00:00
The `docker` driver supports the following configuration in the job spec. Only
2017-05-20 00:04:28 +00:00
`image` is required.
2015-09-25 02:33:06 +00:00
2020-02-06 23:45:31 +00:00
- `image` - The Docker image to run. The image may include a tag or custom URL
2016-10-03 21:35:20 +00:00
and should include `https://` if required. By default it will be fetched from
2017-02-28 23:25:57 +00:00
Docker Hub. If the tag is omitted or equal to `latest` the driver will always
try to pull the image. If the image to be pulled exists in a registry that
requires authentication credentials must be provided to Nomad. Please see the
2017-02-27 19:02:01 +00:00
[Authentication section](#authentication).
2016-10-03 21:35:20 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
image = "https://hub.docker.internal/redis:3.2"
}
```
2015-09-25 02:33:06 +00:00
2020-08-14 08:40:24 +00:00
- `image_pull_timeout` - (Optional) A time duration that controls how long Nomad
will wait before cancelling an in-progress pull of the Docker image as specified
in `image`. Defaults to `"5m"`.
2020-02-06 23:45:31 +00:00
- `args` - (Optional) A list of arguments to the optional `command`. If no
2017-07-17 18:41:50 +00:00
`command` is specified, the arguments are passed directly to the container.
2016-09-28 02:12:56 +00:00
References to environment variables or any [interpretable Nomad
2020-02-06 23:45:31 +00:00
variables](/docs/runtime/interpolation) will be interpreted before
2016-09-28 02:12:56 +00:00
launching the task. For example:
2020-02-06 23:45:31 +00:00
```hcl
config {
args = [
"-bind", "${NOMAD_PORT_http}",
"${nomad.datacenter}",
"${MY_ENV}",
"${meta.foo}",
]
}
```
2015-10-16 00:28:25 +00:00
2020-02-06 23:45:31 +00:00
- `auth` - (Optional) Provide authentication for a private registry (see below).
2017-05-20 00:04:28 +00:00
2020-02-06 23:45:31 +00:00
- `auth_soft_fail` `(bool: false)` - Don't fail the task on an auth failure.
2020-12-01 14:05:35 +00:00
Attempt to continue without auth. If the Nomad client configuration has an
[`auth.helper`](#plugin_auth_helper) stanza, the helper will be tried for
all images, including public images. If you mix private and public images,
you will need to include `auth_soft_fail=true` in every job using a public
image.
2017-07-06 18:35:34 +00:00
2020-02-06 23:45:31 +00:00
- `command` - (Optional) The command to run when starting the container.
2015-11-19 00:30:37 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
command = "my-command"
}
```
2020-12-03 00:02:03 +00:00
- `cpuset_cpus` <sup>Beta</sup> - (Optional) CPUs in which to allow execution
(0-3, 0,1). Limit the specific CPUs or cores a container can use. A
comma-separated list or hyphen-separated range of CPUs a container can use, if
you have more than one CPU. The first CPU is numbered 0. A valid value might
be 0-3 (to use the first, second, third, and fourth CPU) or 1,3 (to use the
second and fourth CPU).
2020-06-25 16:30:16 +00:00
2020-06-26 18:14:53 +00:00
Note: `cpuset_cpus` pins the workload to the CPUs but doesn't give the workload
exclusive access to those CPUs.
2020-06-25 16:30:16 +00:00
2020-12-03 00:02:03 +00:00
```hcl
config {
cpuset_cpus = "0-3"
}
```
2018-07-02 18:14:41 +00:00
2020-02-06 23:45:31 +00:00
- `dns_search_domains` - (Optional) A list of DNS search domains for the container
2017-05-20 00:04:28 +00:00
to use.
2020-02-06 23:45:31 +00:00
- `dns_options` - (Optional) A list of DNS options for the container to use.
2017-08-09 11:30:06 +00:00
2020-02-06 23:45:31 +00:00
- `dns_servers` - (Optional) A list of DNS servers for the container to use
2017-07-06 19:46:25 +00:00
(e.g. ["8.8.8.8", "8.8.4.4"]). Requires Docker v1.10 or greater.
2017-05-20 00:04:28 +00:00
2020-02-06 23:45:31 +00:00
- `entrypoint` - (Optional) A string list overriding the image's entrypoint.
2018-01-23 22:05:00 +00:00
2020-02-06 23:45:31 +00:00
- `extra_hosts` - (Optional) A list of hosts, given as host:IP, to be added to
2017-05-20 00:04:28 +00:00
`/etc/hosts`.
2020-02-06 23:45:31 +00:00
- `force_pull` - (Optional) `true` or `false` (default). Always pull most recent image
2017-05-20 00:04:28 +00:00
instead of using existing local image. Should be set to `true` if repository tags
2020-02-06 23:45:31 +00:00
are mutable. If image's tag is `latest` or omitted, the image will always be pulled
2019-04-02 12:48:34 +00:00
regardless of this setting.
2017-05-20 00:04:28 +00:00
2020-02-06 23:45:31 +00:00
- `hostname` - (Optional) The hostname to assign to the container. When
2017-05-20 00:04:28 +00:00
launching more than one of a task (using `count`) with this option set, every
container the task starts will have the same hostname.
2020-02-06 23:45:31 +00:00
- `interactive` - (Optional) `true` or `false` (default). Keep STDIN open on
2017-05-20 00:04:28 +00:00
the container.
2015-11-19 00:30:37 +00:00
2020-02-06 23:45:31 +00:00
- `sysctl` - (Optional) A key-value map of sysctl configurations to set to the
containers on start.
2017-03-29 16:52:34 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
2020-12-14 22:07:09 +00:00
sysctl = {
"net.core.somaxconn" = "16384"
2017-03-29 16:52:34 +00:00
}
2020-02-06 23:45:31 +00:00
}
```
2017-03-29 16:52:34 +00:00
2020-02-06 23:45:31 +00:00
- `ulimit` - (Optional) A key-value map of ulimit configurations to set to the
2017-03-29 16:52:34 +00:00
containers on start.
2020-02-06 23:45:31 +00:00
```hcl
config {
ulimit {
nproc = "4242"
nofile = "2048:4096"
2017-03-29 16:52:34 +00:00
}
2020-02-06 23:45:31 +00:00
}
```
2017-03-29 16:52:34 +00:00
2020-02-06 23:45:31 +00:00
- `privileged` - (Optional) `true` or `false` (default). Privileged mode gives
2017-03-29 16:52:34 +00:00
the container access to devices on the host. Note that this also requires the
nomad agent and docker daemon to be configured to allow privileged
containers.
2020-02-06 23:45:31 +00:00
- `ipc_mode` - (Optional) The IPC mode to be used for the container. The default
2016-01-10 21:19:33 +00:00
is `none` for a private IPC namespace. Other values are `host` for sharing
the host IPC namespace or the name or id of an existing container. Note that
2016-10-11 19:52:50 +00:00
it is not possible to refer to Docker containers started by Nomad since their
2016-01-10 21:19:33 +00:00
names are not known in advance. Note that setting this option also requires the
Nomad agent to be configured to allow privileged containers.
2020-02-06 23:45:31 +00:00
- `ipv4_address` - (Optional) The IPv4 address to be used for the container when
2017-07-06 19:46:25 +00:00
using user defined networks. Requires Docker 1.13 or greater.
2016-01-10 21:19:33 +00:00
2020-02-06 23:45:31 +00:00
- `ipv6_address` - (Optional) The IPv6 address to be used for the container when
2017-07-06 19:46:25 +00:00
using user defined networks. Requires Docker 1.13 or greater.
2016-01-08 22:34:49 +00:00
2020-02-06 23:45:31 +00:00
- `labels` - (Optional) A key-value map of labels to set to the containers on
2017-05-20 00:04:28 +00:00
start.
2016-11-04 23:53:56 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
labels {
foo = "bar"
zip = "zap"
2017-05-20 00:04:28 +00:00
}
2020-02-06 23:45:31 +00:00
}
```
2017-05-20 00:04:28 +00:00
2020-02-06 23:45:31 +00:00
- `load` - (Optional) Load an image from a `tar` archive file instead of from a
2017-09-29 18:29:11 +00:00
remote repository. Equivalent to the `docker load -i <filename>` command.
2017-05-20 00:04:28 +00:00
2020-02-06 23:45:31 +00:00
```hcl
artifact {
source = "http://path.to/redis.tar"
}
config {
load = "redis.tar"
image = "redis"
}
```
- `logging` - (Optional) A key-value map of Docker logging options.
Defaults to `json-file` with log rotation (`max-file=2` and `max-size=2m`).
```hcl
config {
logging {
type = "fluentd"
config {
fluentd-address = "localhost:24224"
tag = "your_tag"
2017-05-20 00:04:28 +00:00
}
}
2020-02-06 23:45:31 +00:00
}
```
2015-10-01 02:15:24 +00:00
2020-02-06 23:45:31 +00:00
- `mac_address` - (Optional) The MAC address for the container to use (e.g.
2017-07-06 19:46:25 +00:00
"02:68:b3:29:da:98").
2020-06-01 14:19:37 +00:00
- `memory_hard_limit` - (Optional) The maximum allowable amount of memory used
2020-06-01 15:52:36 +00:00
(megabytes) by the container. If set, the [`memory`](/docs/job-specification/resources#memory)
2020-06-01 14:19:37 +00:00
parameter of the task resource configuration becomes a soft limit passed to the
docker driver as [`--memory_reservation`](https://docs.docker.com/config/containers/resource_constraints/#limit-a-containers-access-to-memory),
and `memory_hard_limit` is passed as the [`--memory`](https://docs.docker.com/config/containers/resource_constraints/#limit-a-containers-access-to-memory)
2020-06-01 16:16:11 +00:00
hard limit. When the host is under memory pressure, the behavior of soft limit
activation is governed by the [Kernel](https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt).
2020-06-01 14:19:37 +00:00
2020-02-06 23:45:31 +00:00
- `network_aliases` - (Optional) A list of network-scoped aliases, provide a way for a
2016-11-11 16:38:16 +00:00
container to be discovered by an alternate name by any other container within
the scope of a particular network. Network-scoped alias is supported only for
containers in user defined networks
2020-02-06 23:45:31 +00:00
```hcl
config {
network_mode = "user-network"
network_aliases = [
"${NOMAD_TASK_NAME}",
"${NOMAD_TASK_NAME}-${NOMAD_ALLOC_INDEX}"
]
}
```
2016-11-11 16:38:16 +00:00
2020-02-06 23:45:31 +00:00
- `network_mode` - (Optional) The network mode to be used for the container. In
2017-05-20 00:04:28 +00:00
order to support userspace networking plugins in Docker 1.9 this accepts any
value. The default is `bridge` for all operating systems but Windows, which
defaults to `nat`. Other networking modes may not work without additional
2020-02-06 23:45:31 +00:00
configuration on the host (which is outside the scope of Nomad). Valid values
2017-05-20 00:04:28 +00:00
pre-docker 1.9 are `default`, `bridge`, `host`, `none`, or `container:name`.
2017-04-07 13:58:17 +00:00
2021-06-16 18:55:22 +00:00
The default `network_mode` for tasks that use group networking in [`bridge`]
mode will be `container:<name>`, where the name is the container name of the
parent container used to share network namespaces between tasks. If you set
the group `network.mode = "bridge"` you should not set the Docker config
`network_mode`, or the container will be unable to reach other containers in
the task group. This will also prevent [Connect]-enabled tasks from reaching
the Envoy sidecar proxy.
2021-06-08 12:59:27 +00:00
2020-02-06 23:45:31 +00:00
- `pid_mode` - (Optional) `host` or not set (default). Set to `host` to share
2017-05-20 00:04:28 +00:00
the PID namespace with the host. Note that this also requires the Nomad agent
to be configured to allow privileged containers.
See below for more details.
2017-04-07 13:58:17 +00:00
2020-08-11 22:30:22 +00:00
- `ports` - (Optional) A list of port labels to map into the container (see below).
2020-09-30 13:48:40 +00:00
- `port_map` - (Optional) _Deprecated_ A key-value map of port labels (see below).
2015-11-19 01:49:20 +00:00
2020-02-06 23:45:31 +00:00
- `security_opt` - (Optional) A list of string flags to pass directly to
2017-05-20 00:04:28 +00:00
[`--security-opt`](https://docs.docker.com/engine/reference/run/#security-configuration).
For example:
2017-04-11 17:52:24 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
security_opt = [
"credentialspec=file://gmsaUser.json",
]
}
```
2017-01-12 22:07:36 +00:00
2020-02-06 23:45:31 +00:00
- `shm_size` - (Optional) The size (bytes) of /dev/shm for the container.
2017-04-11 17:52:24 +00:00
2020-02-06 23:45:31 +00:00
- `storage_opt` - (Optional) A key-value map of storage options set to the containers on start.
2018-11-20 14:38:09 +00:00
This overrides the [host dockerd configuration](https://docs.docker.com/engine/reference/commandline/dockerd/#options-per-storage-driver).
For example:
2020-02-06 23:45:31 +00:00
```hcl
config {
storage_opt = {
size = "40G"
2018-11-20 14:38:09 +00:00
}
2020-02-06 23:45:31 +00:00
}
```
2018-11-20 14:38:09 +00:00
2020-02-06 23:45:31 +00:00
- `SSL` - (Optional) If this is set to true, Nomad uses SSL to talk to the
2017-01-12 22:07:36 +00:00
repository. The default value is `true`. **Deprecated as of 0.5.3**
2015-11-19 00:30:37 +00:00
2020-02-06 23:45:31 +00:00
- `tty` - (Optional) `true` or `false` (default). Allocate a pseudo-TTY for the
2016-04-08 17:51:07 +00:00
container.
2020-02-06 23:45:31 +00:00
- `uts_mode` - (Optional) `host` or not set (default). Set to `host` to share
2017-05-20 00:04:28 +00:00
the UTS namespace with the host. Note that this also requires the Nomad agent
to be configured to allow privileged containers.
2016-10-07 19:28:42 +00:00
2020-02-06 23:45:31 +00:00
- `userns_mode` - (Optional) `host` or not set (default). Set to `host` to use
2021-01-07 21:47:54 +00:00
the host's user namespace (effectively disabling user namespacing) when user
namespace remapping is enabled on the docker daemon. This field has no
effect if the docker daemon does not have user namespace remapping enabled.
2016-10-07 19:28:42 +00:00
2020-02-06 23:45:31 +00:00
- `volumes` - (Optional) A list of `host_path:container_path` strings to bind
2020-10-16 14:19:12 +00:00
host paths to container paths. Mounting host paths outside of the [allocation
working directory] is prevented by default and limits volumes to directories
that exist inside the allocation working directory. You can allow mounting
host paths outside of the [allocation working directory] on individual clients
by setting the `docker.volumes.enabled` option to `true` in the client's
configuration. We recommend using [`mounts`](#mounts) if you wish to have more
control over volume definitions.
2016-09-27 20:13:55 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
volumes = [
# Use absolute paths to mount arbitrary paths on the host
"/path/on/host:/path/in/container",
2016-10-21 17:34:01 +00:00
2020-02-06 23:45:31 +00:00
# Use relative paths to rebind paths already in the allocation dir
"relative/to/task:/also/in/container"
]
}
```
2017-02-27 19:02:01 +00:00
2020-02-06 23:45:31 +00:00
- `volume_driver` - (Optional) The name of the volume driver used to mount
2019-04-17 09:31:55 +00:00
volumes. Must be used along with `volumes`. If `volume_driver` is omitted,
then relative paths will be mounted from inside the allocation dir. If a
`"local"` or other driver is used, then they may be named volumes instead.
If `docker.volumes.enabled` is false then volume drivers and paths outside the
allocation directory are disallowed.
2017-02-23 17:36:32 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
volumes = [
# Use named volume created outside nomad.
"name-of-the-volume:/path/in/container"
]
# Name of the Docker Volume Driver used by the container
volume_driver = "pxd"
}
```
2016-10-07 23:23:55 +00:00
2020-02-06 23:45:31 +00:00
- `work_dir` - (Optional) The working directory inside the container.
2017-08-22 21:12:44 +00:00
2021-03-31 13:43:17 +00:00
- `mount` - _Since 1.0.1_ (Optional) Specify a
document the new /dev/disk1s5 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk1s4 on /private/var/vm (apfs, local, journaled, nobrowse)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
/dev/disk2s1 on /Volumes/nRF Connect 3.6.1 (hfs, local, nodev, nosuid, read-only, noowners, quarantine, mounted by notnoop) syntax
2020-12-16 22:25:02 +00:00
[mount](https://docs.docker.com/engine/reference/commandline/service_create/#add-bind-mounts-volumes-or-memory-filesystems)
to be mounted into the container. Volume, bind, and tmpfs type mounts are supported. May be specified multiple times.
```hcl
config {
# sample volume mount
mount {
type = "volume"
target = "/path/in/container"
source = "name-of-volume"
readonly = false
volume_options {
no_copy = false
labels {
foo = "bar"
}
driver_config {
name = "pxd"
options {
foo = "bar"
}
}
}
}
# sample bind mount
mount {
type = "bind"
target = "/path/in/container"
source = "/path/in/host"
readonly = false
bind_options {
propagation = "rshared"
}
}
# sample tmpfs mount
mount {
type = "tmpfs"
target = "/path/in/container"
readonly = false
tmpfs_options {
size = 100000 # size in bytes
}
}
}
```
2021-03-31 13:43:17 +00:00
- `mounts` - (_deprecated_: Replaced by `mount` in 1.0.1) (Optional) A list of
2020-10-12 12:17:07 +00:00
[mounts](https://docs.docker.com/engine/reference/commandline/service_create/#add-bind-mounts-volumes-or-memory-filesystems)
2018-11-27 12:19:40 +00:00
to be mounted into the container. Volume, bind, and tmpfs type mounts are supported.
2017-08-21 19:32:44 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
mounts = [
# sample volume mount
{
type = "volume"
target = "/path/in/container"
source = "name-of-volume"
readonly = false
2020-12-14 22:07:09 +00:00
volume_options = {
2020-02-06 23:45:31 +00:00
no_copy = false
2020-12-14 22:07:09 +00:00
labels = {
2020-02-06 23:45:31 +00:00
foo = "bar"
}
2020-12-14 22:07:09 +00:00
driver_config = {
2020-02-06 23:45:31 +00:00
name = "pxd"
options = {
2017-08-21 19:32:44 +00:00
foo = "bar"
}
2018-11-27 12:19:40 +00:00
}
2017-08-21 19:32:44 +00:00
}
2020-02-06 23:45:31 +00:00
},
# sample bind mount
{
type = "bind"
target = "/path/in/container"
source = "/path/in/host"
readonly = false
2020-12-14 22:07:09 +00:00
bind_options = {
2020-02-06 23:45:31 +00:00
propagation = "rshared"
}
},
# sample tmpfs mount
{
type = "tmpfs"
target = "/path/in/container"
readonly = false
2020-12-14 22:07:09 +00:00
tmpfs_options = {
2020-02-06 23:45:31 +00:00
size = 100000 # size in bytes
}
}
]
}
```
- `devices` - (Optional) A list of
2017-11-06 18:27:13 +00:00
[devices](https://docs.docker.com/engine/reference/commandline/run/#add-host-device-to-container-device)
to be exposed the container. `host_path` is the only required field. By default, the container will be able to
`read`, `write` and `mknod` these devices. Use the optional `cgroup_permissions` field to restrict permissions.
2016-08-03 14:18:15 +00:00
2020-02-06 23:45:31 +00:00
```hcl
config {
devices = [
{
host_path = "/dev/sda1"
container_path = "/dev/xvdc"
cgroup_permissions = "r"
},
{
host_path = "/dev/sda2"
container_path = "/dev/xvdd"
}
]
}
```
2017-12-12 22:11:15 +00:00
2020-02-06 23:45:31 +00:00
- `cap_add` - (Optional) A list of Linux capabilities as strings to pass directly to
2018-01-14 18:56:57 +00:00
[`--cap-add`](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
2020-10-13 12:02:29 +00:00
Effective capabilities (computed from `cap_add` and `cap_drop`) have to match the configured allowlist.
2021-05-15 23:19:23 +00:00
The allowlist can be customized using the [`allow_caps`][allow_caps] plugin option key in the client node's configuration.
2018-01-14 18:56:57 +00:00
For example:
2021-05-15 23:19:23 +00:00
```hcl
config {
cap_add = ["net_raw", sys_time"]
}
```
2018-01-14 18:56:57 +00:00
2020-02-06 23:45:31 +00:00
- `cap_drop` - (Optional) A list of Linux capabilities as strings to pass directly to
2018-01-14 18:56:57 +00:00
[`--cap-drop`](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
2020-10-13 12:02:29 +00:00
Effective capabilities (computed from `cap_add` and `cap_drop`) have to match the configured allowlist.
2021-05-15 23:19:23 +00:00
The allowlist can be customized using the [`allow_caps`][allow_caps] plugin option key in the client node's configuration.
2018-01-14 18:56:57 +00:00
For example:
2021-05-15 23:19:23 +00:00
```hcl
config {
cap_drop = ["mknod"]
}
```
2018-01-14 18:56:57 +00:00
2020-02-06 23:45:31 +00:00
- `cpu_hard_limit` - (Optional) `true` or `false` (default). Use hard CPU
2018-02-09 04:20:26 +00:00
limiting instead of soft limiting. By default this is `false` which means
soft limiting is used and containers are able to burst above their CPU limit
when there is idle capacity.
2020-02-06 23:45:31 +00:00
- `cpu_cfs_period` - (Optional) An integer value that specifies the duration in microseconds of the period
2018-07-11 07:12:21 +00:00
during which the CPU usage quota is measured. The default is 100000 (0.1 second) and the maximum allowed
value is 1000000 (1 second). See [here](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/sec-cpu#sect-cfs)
for more details.
2018-07-02 18:14:41 +00:00
2020-02-06 23:45:31 +00:00
- `advertise_ipv6_address` - (Optional) `true` or `false` (default). Use the container's
IPv6 address (GlobalIPv6Address in Docker) when registering services and checks.
2020-08-11 10:41:50 +00:00
See [IPv6 Docker containers](/docs/job-specification/service#ipv6-docker-containers) for details.
2018-01-14 18:56:57 +00:00
2020-02-06 23:45:31 +00:00
- `readonly_rootfs` - (Optional) `true` or `false` (default). Mount
2018-01-27 13:38:29 +00:00
the container's filesystem as read only.
2020-04-03 18:40:58 +00:00
- `runtime` - (Optional) A string representing a configured runtime to pass to docker.
2020-05-12 14:56:47 +00:00
This is equivalent to the `--runtime` argument in the docker CLI
2020-05-12 15:07:12 +00:00
For example, to use gVisor:
2020-04-01 18:44:29 +00:00
```hcl
config {
2020-05-12 15:07:12 +00:00
# gVisor runtime is runsc
runtime = "runsc"
2020-04-01 18:44:29 +00:00
}
```
2020-02-06 23:45:31 +00:00
- `pids_limit` - (Optional) An integer value that specifies the pid limit for
2018-05-30 19:58:03 +00:00
the container. Defaults to unlimited.
2020-02-06 23:45:31 +00:00
Additionally, the docker driver supports customization of the container's user through the task's [`user` option](/docs/job-specification/task#user).
2019-10-24 18:00:37 +00:00
2015-11-19 00:39:02 +00:00
### Container Name
2015-11-19 00:45:39 +00:00
Nomad creates a container after pulling an image. Containers are named
`{taskName}-{allocId}`. This is necessary in order to place more than one
container from the same task on a host (e.g. with count > 1). This also means
that each container's name is unique across the cluster.
2015-11-19 00:39:02 +00:00
This is not configurable.
2015-11-19 00:30:37 +00:00
### Authentication
2015-11-17 13:14:35 +00:00
2015-11-19 00:45:39 +00:00
If you want to pull from a private repo (for example on dockerhub or quay.io),
2017-05-29 10:44:13 +00:00
you will need to specify credentials in your job via:
2020-02-06 23:45:31 +00:00
- the `auth` option in the task config.
2017-05-29 10:44:13 +00:00
2020-02-06 23:45:31 +00:00
- by storing explicit repository credentials or by specifying Docker
`credHelpers` in a file and setting the auth [config](#plugin_auth_file)
value on the client in the plugin options.
2017-05-29 10:44:13 +00:00
2020-02-06 23:45:31 +00:00
- by specifying an auth [helper](#plugin_auth_helper) on the client in the
plugin options.
2015-11-18 07:32:57 +00:00
2015-11-18 09:37:42 +00:00
The `auth` object supports the following keys:
2020-02-06 23:45:31 +00:00
- `username` - (Optional) The account username.
2015-11-19 00:30:37 +00:00
2020-02-06 23:45:31 +00:00
- `password` - (Optional) The account password.
2015-11-19 00:30:37 +00:00
2020-02-06 23:45:31 +00:00
- `email` - (Optional) The account email.
2015-11-19 00:30:37 +00:00
2020-02-06 23:45:31 +00:00
- `server_address` - (Optional) The server domain/IP without the protocol.
2015-11-19 00:30:37 +00:00
Docker Hub is used by default.
2017-05-29 10:44:13 +00:00
Example task-config:
2015-11-05 18:47:41 +00:00
2016-10-03 21:35:20 +00:00
```hcl
task "example" {
driver = "docker"
2016-03-16 16:56:04 +00:00
2016-10-03 21:35:20 +00:00
config {
image = "secret/service"
2016-03-16 16:56:04 +00:00
2016-10-03 21:35:20 +00:00
auth {
username = "dockerhub_user"
password = "dockerhub_password"
2015-11-19 00:30:37 +00:00
}
2016-10-03 21:35:20 +00:00
}
2015-11-19 00:30:37 +00:00
}
```
2015-09-25 02:33:06 +00:00
2020-12-01 14:05:35 +00:00
Example docker-config, using two helper scripts in `$PATH`,
2020-10-02 18:54:14 +00:00
"docker-credential-ecr-login" and "docker-credential-vault":
2017-05-29 10:44:13 +00:00
```json
{
"auths": {
2020-02-06 23:45:31 +00:00
"internal.repo": {
"auth": "`echo -n '<username>:<password>' | base64 -w0`"
}
2017-05-29 10:44:13 +00:00
},
"credHelpers": {
2020-02-06 23:45:31 +00:00
"<XYZ>.dkr.ecr.<region>.amazonaws.com": "ecr-login"
2017-05-29 10:44:13 +00:00
},
"credsStore": "secretservice"
}
```
2020-12-01 14:05:35 +00:00
Example agent configuration, using a helper script
"docker-credential-ecr-login" in `$PATH`
2017-05-29 10:44:13 +00:00
2017-10-11 20:19:40 +00:00
```hcl
client {
enabled = true
2019-01-29 20:53:05 +00:00
}
plugin "docker" {
config {
auth {
2020-05-18 20:53:06 +00:00
# Nomad will prepend "docker-credential-" to the helper value and call
# that script name.
2020-10-02 18:54:14 +00:00
helper = "ecr-login"
2019-01-29 20:53:05 +00:00
}
2017-10-11 20:19:40 +00:00
}
}
```
2020-02-06 23:45:31 +00:00
2016-10-03 21:35:20 +00:00
!> **Be Careful!** At this time these credentials are stored in Nomad in plain
text. Secrets management will be added in a later release.
2015-09-25 02:33:06 +00:00
2015-11-19 00:30:37 +00:00
## Networking
2015-09-25 02:33:06 +00:00
2015-11-19 00:45:39 +00:00
Docker supports a variety of networking configurations, including using host
interfaces, SDNs, etc. Nomad uses `bridged` networking by default, like Docker.
2015-09-25 23:49:26 +00:00
2015-11-19 00:30:37 +00:00
You can specify other networking options, including custom networking plugins
in Docker 1.9. **You may need to perform additional configuration on the host
in order to make these work.** This additional configuration is outside the
scope of Nomad.
2015-09-25 02:33:06 +00:00
2015-11-19 00:30:37 +00:00
### Allocating Ports
2015-09-25 02:33:06 +00:00
2015-11-19 00:45:39 +00:00
You can allocate ports to your task using the port syntax described on the
2020-02-06 23:45:31 +00:00
[networking page](/docs/job-specification/network). Here is a recap:
2015-09-25 02:33:06 +00:00
2016-10-03 21:35:20 +00:00
```hcl
2020-08-11 22:30:22 +00:00
group {
network {
port "http" {}
2020-09-17 13:16:30 +00:00
port "https" {}
2020-08-11 22:30:22 +00:00
}
task "example" {
driver = "docker"
config {
ports = ["http", "https"]
2016-07-20 11:53:57 +00:00
}
2016-10-03 21:35:20 +00:00
}
2015-11-19 00:30:37 +00:00
}
2015-09-25 02:33:06 +00:00
```
2015-11-19 00:30:37 +00:00
### Forwarding and Exposing Ports
2015-11-19 00:45:39 +00:00
A Docker container typically specifies which port a service will listen on by
specifying the `EXPOSE` directive in the `Dockerfile`.
2015-09-25 02:33:06 +00:00
2015-11-19 00:45:39 +00:00
Because dynamic ports will not match the ports exposed in your Dockerfile,
2020-08-11 22:30:22 +00:00
Nomad will automatically expose any ports specified in the `ports` field.
2015-09-25 02:33:06 +00:00
2015-11-19 00:30:37 +00:00
These ports will be identified via environment variables. For example:
2015-09-25 02:33:06 +00:00
2017-06-20 00:17:40 +00:00
```hcl
2020-08-11 22:30:22 +00:00
group {
network {
port "http" {}
}
task "api" {
driver = "docker"
config {
ports = ["http"]
}
}
}
2015-11-19 00:30:37 +00:00
```
2020-08-11 22:30:22 +00:00
If Nomad allocates port `23332` to your api task for `http`, `23332` will be
2015-11-19 00:45:39 +00:00
automatically exposed and forwarded to your container, and the driver will set
an environment variable `NOMAD_PORT_http` with the value `23332` that you can
read inside your container.
2015-11-19 00:30:37 +00:00
2015-11-19 00:45:39 +00:00
This provides an easy way to use the `host` networking option for better
performance.
2015-09-25 02:33:06 +00:00
2015-11-19 00:30:37 +00:00
### Using the Port Map
2015-11-19 00:45:39 +00:00
If you prefer to use the traditional port-mapping method, you can specify the
2020-08-11 22:30:22 +00:00
the `to` field in the port configuration. It looks like this:
2015-09-25 02:33:06 +00:00
2016-10-03 21:35:20 +00:00
```hcl
2020-08-11 22:30:22 +00:00
group "example" {
network {
port "redis" { to = 6379 }
2016-10-03 21:35:20 +00:00
}
2020-08-11 22:30:22 +00:00
task "example" {
driver = "docker"
2016-10-03 21:35:20 +00:00
2020-08-11 22:30:22 +00:00
config {
image = "redis"
ports = ["redis"]
2015-11-19 00:30:37 +00:00
}
2016-10-03 21:35:20 +00:00
}
2015-11-19 00:30:37 +00:00
}
2015-09-25 02:33:06 +00:00
```
2020-08-11 22:30:22 +00:00
If Nomad allocates port `23332` to your allocation, the Docker driver will
2015-11-19 00:45:39 +00:00
automatically setup the port mapping from `23332` on the host to `6379` in your
2020-12-03 00:02:03 +00:00
container, so it will just work.
2015-11-19 00:30:37 +00:00
2015-11-19 00:45:39 +00:00
Note that by default this only works with `bridged` networking mode. It may
also work with custom networking plugins which implement the same API for
expose and port forwarding.
2015-11-19 00:30:37 +00:00
2020-08-11 22:30:22 +00:00
#### Deprecated `port_map` Syntax
Up until Nomad 0.12, ports could be specified in a task's resource stanza and set using the docker
`port_map` field. As more features have been added to the group network resource allocation, task based
network resources are deprecated. With it the `port_map` field is also deprecated and can only be used
with task network resources.
Users should migrate their jobs to define ports in the group network stanza and specified which ports
a task maps with the `ports` field.
2017-06-23 22:32:47 +00:00
### Advertising Container IPs
2017-06-20 00:17:40 +00:00
2020-02-06 23:45:31 +00:00
_New in Nomad 0.6._
2017-06-20 00:17:40 +00:00
When using network plugins like `weave` that assign containers a routable IP
address, that address will automatically be used in any `service`
advertisements for the task. You may override what address is advertised by
using the `address_mode` parameter on a `service`. See
2020-02-06 23:45:31 +00:00
[service](/docs/job-specification/service) for details.
2017-06-20 00:17:40 +00:00
2015-11-19 00:39:02 +00:00
### Networking Protocols
The Docker driver configures ports on both the `tcp` and `udp` protocols.
This is not configurable.
2015-11-19 00:30:37 +00:00
### Other Networking Modes
2015-11-19 00:45:39 +00:00
Some networking modes like `container` or `none` will require coordination
outside of Nomad. First-class support for these options may be improved later
through Nomad plugins or dynamic job configuration.
2015-09-25 02:33:06 +00:00
2020-07-21 18:54:31 +00:00
## Capabilities
2020-07-22 16:14:20 +00:00
The `docker` driver implements the following [capabilities](/docs/internals/plugins/task-drivers#capabilities-capabilities-error).
2020-07-21 18:54:31 +00:00
2020-09-30 13:48:40 +00:00
| Feature | Implementation |
| -------------------- | ----------------- |
| `nomad alloc signal` | true |
| `nomad alloc exec` | true |
| filesystem isolation | image |
| network isolation | host, group, task |
| volume mounting | all |
2020-07-21 18:54:31 +00:00
2016-10-19 00:36:19 +00:00
## Client Requirements
2015-09-25 02:33:06 +00:00
2015-11-18 01:20:28 +00:00
Nomad requires Docker to be installed and running on the host alongside the
2015-11-19 00:30:37 +00:00
Nomad agent. Nomad was developed against Docker `1.8.2` and `1.9`.
2015-09-25 18:29:38 +00:00
2017-07-17 18:41:50 +00:00
By default Nomad communicates with the Docker daemon using the daemon's Unix
2015-11-18 01:20:28 +00:00
socket. Nomad will need to be able to read/write to this socket. If you do not
run Nomad as root, make sure you add the Nomad user to the Docker group so
2015-09-25 02:33:06 +00:00
Nomad can communicate with the Docker daemon.
2020-06-11 10:29:43 +00:00
For example, on Ubuntu you can use the `usermod` command to add the `nomad`
2015-11-18 01:20:28 +00:00
user to the `docker` group so you can run Nomad without root:
2015-09-25 18:29:38 +00:00
2020-05-18 20:53:06 +00:00
```shell-session
2020-06-11 10:29:43 +00:00
$ sudo usermod -G docker -a nomad
2020-02-06 23:45:31 +00:00
```
2015-09-25 18:29:38 +00:00
2015-11-18 01:20:28 +00:00
For the best performance and security features you should use recent versions
of the Linux Kernel and Docker daemon.
2015-09-25 02:33:06 +00:00
2020-12-01 14:05:35 +00:00
If you would like to change any of the options related to the `docker` driver
on a Nomad client, you can modify them with the [plugin stanza][plugin-stanza]
syntax. Below is an example of a configuration (many of the values are the
default). See the next section for more information on the options.
2019-01-29 20:53:05 +00:00
```hcl
plugin "docker" {
config {
endpoint = "unix:///var/run/docker.sock"
auth {
config = "/etc/docker-auth.json"
2020-10-02 18:54:14 +00:00
helper = "ecr-login"
2019-01-29 20:53:05 +00:00
}
tls {
cert = "/etc/nomad/nomad.pub"
key = "/etc/nomad/nomad.pem"
ca = "/etc/nomad/nomad.cert"
}
2021-03-08 13:59:52 +00:00
extra_labels = ["job_name", "job_id", "task_group_name", "task_name", "namespace", "node_name", "node_id"]
2019-01-29 20:53:05 +00:00
gc {
image = true
image_delay = "3m"
container = true
2019-11-22 14:58:00 +00:00
dangling_containers {
enabled = true
dry_run = false
period = "5m"
creation_grace = "5m"
}
2019-01-29 20:53:05 +00:00
}
volumes {
enabled = true
selinuxlabel = "z"
}
allow_privileged = false
2021-05-15 23:19:23 +00:00
allow_caps = ["chown", "net_raw"]
2019-01-29 20:53:05 +00:00
}
}
```
2020-02-06 23:45:31 +00:00
2019-01-29 20:53:05 +00:00
## Plugin Options
2020-02-06 23:45:31 +00:00
- `endpoint` - If using a non-standard socket, HTTP or another location, or if
2019-01-29 20:53:05 +00:00
TLS is being used, docker.endpoint must be set. If unset, Nomad will attempt
2020-08-11 10:41:50 +00:00
to instantiate a Docker client using the `DOCKER_HOST` environment variable and
2019-01-29 20:53:05 +00:00
then fall back to the default listen address for the given operating system.
2020-08-11 10:41:50 +00:00
Defaults to `unix:///var/run/docker.sock` on Unix platforms and
`npipe:////./pipe/docker_engine` for Windows.
2019-01-29 20:53:05 +00:00
2020-02-06 23:45:31 +00:00
- `allow_privileged` - Defaults to `false`. Changing this to true will allow
2019-01-29 20:53:05 +00:00
containers to use privileged mode, which gives the containers full access to
the host's devices. Note that you must set a similar setting on the Docker
daemon for this to work.
2020-02-06 23:45:31 +00:00
- `pull_activity_timeout` - Defaults to `2m`. If Nomad receives no communication
2019-12-18 11:58:53 +00:00
from the Docker engine during an image pull within this timeframe, Nomad will
timeout the request that initiated the pull command. (Minimum of `1m`)
2021-05-15 23:19:23 +00:00
- `allow_caps` - A list of allowed Linux capabilities. Defaults to
```hcl
["audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod",
"net_bind_service", "setfcap", "setgid", "setpcap", "setuid", "sys_chroot"]
```
which is the same list of capabilities allowed by [docker by default][docker_caps]
2021-05-17 18:52:52 +00:00
(without [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities can be obtained
2021-05-15 23:19:23 +00:00
by tasks using [`cap_add`][cap_add] and [`cap_drop`][cap_drop] options. Supports
the value `"all"` as a shortcut for allow-listing all capabilities supported by
the operating system.
!> **Warning:** Allowing more capabilities beyond the default may lead to
undesirable consequences, including untrusted tasks being able to compromise the
host system.
2019-01-29 20:53:05 +00:00
2020-05-12 15:07:12 +00:00
- `allow_runtimes` - defaults to `["runc", "nvidia"]` - A list of the allowed
docker runtimes a task may use.
2020-02-06 23:45:31 +00:00
- `auth` stanza:
- `config`<a id="plugin_auth_file"></a> - Allows an operator to specify a
JSON file which is in the dockercfg format containing authentication
information for a private registry, from either (in order) `auths`,
`credHelpers` or `credsStore`.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `helper`<a id="plugin_auth_helper"></a> - Allows an operator to specify a
[credsStore](https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol)
2020-08-11 10:41:50 +00:00
like script on `$PATH` to lookup authentication information from external
2020-02-06 23:45:31 +00:00
sources. The script's name must begin with `docker-credential-` and this
option should include only the basename of the script, not the path.
2020-12-01 14:05:35 +00:00
If you set an auth helper, it will be tried for all images, including
public images. If you mix private and public images, you will need to
include [`auth_soft_fail=true`] in every job using a public image.
2020-02-06 23:45:31 +00:00
- `tls` stanza:
- `cert` - Path to the server's certificate file (`.pem`). Specify this
along with `key` and `ca` to use a TLS client to connect to the docker
daemon. `endpoint` must also be specified or this setting will be ignored.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `key` - Path to the client's private key (`.pem`). Specify this along with
`cert` and `ca` to use a TLS client to connect to the docker daemon.
`endpoint` must also be specified or this setting will be ignored.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `ca` - Path to the server's CA file (`.pem`). Specify this along with
`cert` and `key` to use a TLS client to connect to the docker daemon.
`endpoint` must also be specified or this setting will be ignored.
- `disable_log_collection` - Defaults to `false`. Setting this to true will
disable Nomad logs collection of Docker tasks. If you don't rely on nomad log
capabilities and exclusively use host based log aggregation, you may consider
this option to disable nomad log collection overhead.
2021-03-12 21:04:33 +00:00
- `extra_labels` - Extra labels to add to Docker containers.
2021-03-31 13:43:17 +00:00
Available options are `job_name`, `job_id`, `task_group_name`, `task_name`,
`namespace`, `node_name`, `node_id`. Globs are supported (e.g. `task*`)
2021-03-08 13:59:52 +00:00
2021-03-12 21:04:33 +00:00
- `logging` stanza:
- `type` - Defaults to `"json-file"`. Specifies the logging driver docker
should use for all containers Nomad starts. Note that for older versions
of Docker, only `json-file` file or `journald` will allow Nomad to read
the driver's logs via the Docker API, and this will prevent commands such
as `nomad alloc logs` from functioning.
- `config` - Defaults to `{ max-file = "2", max-size = "2m" }`. This option
can also be used to pass further
[configuration](https://docs.docker.com/config/containers/logging/configure/)
to the logging driver.
2020-02-06 23:45:31 +00:00
- `gc` stanza:
- `image` - Defaults to `true`. Changing this to `false` will prevent Nomad
from removing images from stopped tasks.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `image_delay` - A time duration, as [defined
here](https://golang.org/pkg/time/#ParseDuration), that defaults to `3m`.
The delay controls how long Nomad will wait between an image being unused
and deleting it. If a tasks is received that uses the same image within
the delay, the image will be reused.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `container` - Defaults to `true`. This option can be used to disable Nomad
from removing a container when the task exits. Under a name conflict,
Nomad may still remove the dead container.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `dangling_containers` stanza for controlling dangling container detection
and cleanup:
- `enabled` - Defaults to `true`. Enables dangling container handling.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `dry_run` - Defaults to `false`. Only log dangling containers without
cleaning them up.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `period` - Defaults to `"5m"`. A time duration that controls interval
between Nomad scans for dangling containers.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `creation_grace` - Defaults to `"5m"`. Grace period after a container is
created during which the GC ignores it. Only used to prevent the GC from
removing newly created containers before they are registered with the
GC. Should not need adjusting higher but may be adjusted lower to GC
more aggressively.
- `volumes` stanza:
2020-06-24 02:48:52 +00:00
- `enabled` - Defaults to `false`. Allows tasks to bind host paths
2020-02-06 23:45:31 +00:00
(`volumes`) inside their container and use volume drivers
(`volume_driver`). Binding relative paths is always allowed and will be
resolved relative to the allocation's directory.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `selinuxlabel` - Allows the operator to set a SELinux label to the
allocation and task local bind-mounts to containers. If used with
`docker.volumes.enabled` set to false, the labels will still be applied to
the standard binds in the container.
- `infra_image` - This is the Docker image to use when creating the parent
2020-09-23 18:44:27 +00:00
container necessary when sharing network namespaces between tasks. Defaults to
2020-09-30 13:48:40 +00:00
`gcr.io/google_containers/pause-<goarch>:3.1`.
2019-06-14 15:42:32 +00:00
2020-08-14 08:40:24 +00:00
- `infra_image_pull_timeout` - A time duration that controls how long Nomad will
wait before cancelling an in-progress pull of the Docker image as specified in
`infra_image`. Defaults to `"5m"`.
2016-10-19 00:36:19 +00:00
## Client Configuration
2015-09-25 06:40:30 +00:00
2019-01-29 20:53:05 +00:00
~> Note: client configuration options will soon be deprecated. Please use
[plugin options][plugin-options] instead. See the [plugin stanza][plugin-stanza]
documentation for more information.
2016-03-22 21:29:47 +00:00
The `docker` driver has the following [client configuration
2020-02-06 23:45:31 +00:00
options](/docs/configuration/client#options):
2015-09-25 06:40:30 +00:00
2020-02-06 23:45:31 +00:00
- `docker.endpoint` - If using a non-standard socket, HTTP or another location,
2017-11-13 18:20:40 +00:00
or if TLS is being used, `docker.endpoint` must be set. If unset, Nomad will
attempt to instantiate a Docker client using the `DOCKER_HOST` environment
variable and then fall back to the default listen address for the given
2017-11-13 18:45:21 +00:00
operating system. Defaults to `unix:///var/run/docker.sock` on Unix platforms
2017-11-13 18:20:40 +00:00
and `npipe:////./pipe/docker_engine` for Windows.
2015-09-25 06:40:30 +00:00
2020-02-06 23:45:31 +00:00
- `docker.auth.config` <a id="auth_file"></a>- Allows an operator to specify a
2017-02-27 19:02:01 +00:00
JSON file which is in the dockercfg format containing authentication
2017-05-29 10:44:13 +00:00
information for a private registry, from either (in order) `auths`,
`credHelpers` or `credsStore`.
2020-02-06 23:45:31 +00:00
- `docker.auth.helper` <a id="auth_helper"></a>- Allows an operator to specify a
2019-01-29 20:53:05 +00:00
[credsStore](https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol)
2020-02-06 23:45:31 +00:00
-like script on \$PATH to lookup authentication information from external
2017-10-11 20:19:40 +00:00
sources. The script's name must begin with `docker-credential-` and this
option should include only the basename of the script, not the path.
2016-02-06 13:43:30 +00:00
2020-02-06 23:45:31 +00:00
- `docker.tls.cert` - Path to the server's certificate file (`.pem`). Specify
2015-11-20 23:47:03 +00:00
this along with `docker.tls.key` and `docker.tls.ca` to use a TLS client to
2019-01-29 20:53:05 +00:00
connect to the docker daemon. `docker.endpoint` must also be specified or this
setting will be ignored.
2015-11-20 23:47:03 +00:00
2020-02-06 23:45:31 +00:00
- `docker.tls.key` - Path to the client's private key (`.pem`). Specify this
2015-11-20 23:47:03 +00:00
along with `docker.tls.cert` and `docker.tls.ca` to use a TLS client to
2019-01-29 20:53:05 +00:00
connect to the docker daemon. `docker.endpoint` must also be specified or this
setting will be ignored.
2015-11-20 23:47:03 +00:00
2020-02-06 23:45:31 +00:00
- `docker.tls.ca` - Path to the server's CA file (`.pem`). Specify this along
2015-11-20 23:47:03 +00:00
with `docker.tls.cert` and `docker.tls.key` to use a TLS client to connect to
the docker daemon. `docker.endpoint` must also be specified or this setting
will be ignored.
2020-02-06 23:45:31 +00:00
- `docker.cleanup.image` Defaults to `true`. Changing this to `false` will
2015-10-08 07:08:54 +00:00
prevent Nomad from removing images from stopped tasks.
2020-02-06 23:45:31 +00:00
- `docker.cleanup.image.delay` A time duration, as [defined
2017-10-16 17:08:35 +00:00
here](https://golang.org/pkg/time/#ParseDuration), that defaults to `3m`. The
delay controls how long Nomad will wait between an image being unused and
deleting it. If a tasks is received that uses the same image within the delay,
the image will be reused.
2017-02-24 21:20:40 +00:00
2020-06-24 02:48:52 +00:00
- `docker.volumes.enabled`: Defaults to `false`. Allows tasks to bind host paths
2017-02-23 23:20:53 +00:00
(`volumes`) inside their container and use volume drivers (`volume_driver`).
Binding relative paths is always allowed and will be resolved relative to the
allocation's directory.
2016-09-27 20:13:55 +00:00
2020-02-06 23:45:31 +00:00
- `docker.volumes.selinuxlabel`: Allows the operator to set a SELinux label to
2019-01-29 20:53:05 +00:00
the allocation and task local bind-mounts to containers. If used with
`docker.volumes.enabled` set to false, the labels will still be applied to the
standard binds in the container.
2016-06-16 20:41:02 +00:00
2020-02-06 23:45:31 +00:00
- `docker.privileged.enabled` Defaults to `false`. Changing this to `true` will
2015-11-19 00:30:37 +00:00
allow containers to use `privileged` mode, which gives the containers full
2015-11-19 00:45:39 +00:00
access to the host's devices. Note that you must set a similar setting on the
Docker daemon for this to work.
2015-11-06 00:40:20 +00:00
2020-10-13 12:02:29 +00:00
- `docker.caps.allowlist`: A list of allowed Linux capabilities. Defaults to
2020-02-06 23:45:31 +00:00
`"CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP, SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE"`, which is the list of
2019-01-29 20:53:05 +00:00
capabilities allowed by docker by default, as [defined
here](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
Allows the operator to control which capabilities can be obtained by tasks
using `cap_add` and `cap_drop` options. Supports the value `"ALL"` as a
2020-10-13 12:02:29 +00:00
shortcut for allowlisting all capabilities.
2018-01-21 11:14:24 +00:00
2020-02-06 23:45:31 +00:00
- `docker.cleanup.container`: Defaults to `true`. This option can be used to
2018-07-25 19:10:44 +00:00
disable Nomad from removing a container when the task exits. Under a name
conflict, Nomad may still remove the dead container.
2020-02-06 23:45:31 +00:00
- `docker.nvidia_runtime`: Defaults to `nvidia`. This option allows operators to select the runtime that should be used in order to expose Nvidia GPUs to the container.
2018-12-18 01:03:43 +00:00
2015-10-08 07:08:54 +00:00
Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`,
2015-11-20 23:47:03 +00:00
`DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. If
`docker.endpoint` is set Nomad will **only** read client configuration from the
2016-07-18 14:24:30 +00:00
config file.
2015-10-08 07:08:54 +00:00
2016-09-28 02:12:56 +00:00
An example is given below:
2016-03-22 21:29:47 +00:00
2016-10-03 21:35:20 +00:00
```hcl
client {
2017-02-27 21:34:43 +00:00
options {
2016-10-03 21:35:20 +00:00
"docker.cleanup.image" = "false"
}
}
2016-03-22 21:29:47 +00:00
```
2016-10-19 00:36:19 +00:00
## Client Attributes
2015-09-25 02:33:06 +00:00
2015-09-25 06:40:30 +00:00
The `docker` driver will set the following client attributes:
2015-09-25 02:33:06 +00:00
2020-02-06 23:45:31 +00:00
- `driver.docker` - This will be set to "1", indicating the driver is
2015-11-18 01:20:28 +00:00
available.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `driver.docker.bridge_ip` - The IP of the Docker bridge network if one
2017-07-07 17:17:44 +00:00
exists.
2020-12-03 00:02:03 +00:00
2020-02-06 23:45:31 +00:00
- `driver.docker.version` - This will be set to version of the docker server.
2016-10-03 21:00:32 +00:00
Here is an example of using these properties in a job file:
```hcl
job "docs" {
# Require docker version higher than 1.2.
constraint {
attribute = "${driver.docker.version}"
operator = ">"
version = "1.2"
}
}
```
2015-09-25 02:33:06 +00:00
## Resource Isolation
### CPU
2015-11-18 01:20:28 +00:00
Nomad limits containers' CPU based on CPU shares. CPU shares allow containers
to burst past their CPU limits. CPU limits will only be imposed when there is
2015-09-25 02:33:06 +00:00
contention for resources. When the host is under load your process may be
2017-07-17 18:41:50 +00:00
throttled to stabilize QoS depending on how many shares it has. You can see how
2015-11-18 01:20:28 +00:00
many CPU shares are available to your process by reading `NOMAD_CPU_LIMIT`.
2017-07-17 18:41:50 +00:00
1000 shares are approximately equal to 1 GHz.
2015-09-25 02:33:06 +00:00
Please keep the implications of CPU shares in mind when you load test workloads
on Nomad.
### Memory
Nomad limits containers' memory usage based on total virtual memory. This means
that containers scheduled by Nomad cannot use swap. This is to ensure that a
2015-11-18 01:20:28 +00:00
swappy process does not degrade performance for other workloads on the same
host.
2015-09-25 02:33:06 +00:00
Since memory is not an elastic resource, you will need to make sure your
container does not exceed the amount of memory allocated to it, or it will be
terminated or crash when it tries to malloc. A process can inspect its memory
limit by reading `NOMAD_MEMORY_LIMIT`, but will need to track its own memory
2017-07-17 18:41:50 +00:00
usage. Memory limit is expressed in megabytes so 1024 = 1 GB.
2015-09-25 02:33:06 +00:00
### IO
2017-07-17 18:41:50 +00:00
Nomad's Docker integration does not currently provide QoS around network or
2015-09-25 02:33:06 +00:00
filesystem IO. These will be added in a later release.
### Security
Docker provides resource isolation by way of
[cgroups and namespaces](https://docs.docker.com/introduction/understanding-docker/#the-underlying-technology).
2015-11-18 01:20:28 +00:00
Containers essentially have a virtual file system all to themselves. If you
need a higher degree of isolation between processes for security or other
reasons, it is recommended to use full virtualization like
2020-02-06 23:45:31 +00:00
[QEMU](/docs/drivers/qemu).
2016-10-11 23:50:10 +00:00
2019-11-22 14:58:00 +00:00
## Caveats
### Dangling Containers
2019-11-22 18:03:20 +00:00
Nomad 0.10.2 introduces a detector and a reaper for dangling Docker containers,
2019-11-22 14:58:00 +00:00
containers that Nomad starts yet does not manage or track. Though rare, they
2019-11-22 18:07:54 +00:00
lead to unexpectedly running services, potentially with stale versions.
2019-11-22 14:58:00 +00:00
2019-11-22 18:03:20 +00:00
When Docker daemon becomes unavailable as Nomad starts a task, it is possible
2019-11-22 18:22:14 +00:00
for Docker to successfully start the container but return a 500 error code from
the API call. In such cases, Nomad retries and eventually aims to kill such
2019-11-22 14:58:00 +00:00
containers. However, if the Docker Engine remains unhealthy, subsequent retries
and stop attempts may still fail, and the started container becomes a dangling
2019-11-22 18:03:20 +00:00
container that Nomad no longer manages.
2019-11-22 14:58:00 +00:00
The newly added reaper periodically scans for such containers. It only targets
containers with a `com.hashicorp.nomad.allocation_id` label, or match Nomad's
conventions for naming and bind-mounts (i.e. `/alloc`, `/secrets`, `local`).
Containers that don't match Nomad container patterns are left untouched.
2019-11-22 18:22:14 +00:00
Operators can run the reaper in a dry-run mode, where it only logs dangling
container ids without killing them, or disable it by setting the
`gc.dangling_containers` config stanza.
2019-11-22 14:58:00 +00:00
### Docker for Windows
2017-09-29 00:22:25 +00:00
Docker for Windows only supports running Windows containers. Because Docker for
Windows is relatively new and rapidly evolving you may want to consult the
2020-02-06 23:45:31 +00:00
[list of relevant issues on GitHub][winissues].
2017-09-29 00:22:25 +00:00
2021-04-29 23:53:12 +00:00
[faq-win-mac]: /docs/faq#q-how-to-connect-to-my-host-network-when-using-docker-desktop-windows-and-macos
2020-12-03 15:19:22 +00:00
[winissues]: https://github.com/hashicorp/nomad/issues?q=is%3Aopen+is%3Aissue+label%3Atheme%2Fdriver%2Fdocker+label%3Atheme%2Fplatform-windows
2019-01-29 20:53:05 +00:00
[plugin-options]: #plugin-options
2020-02-06 23:45:31 +00:00
[plugin-stanza]: /docs/configuration/plugin
2020-10-15 14:20:56 +00:00
[allocation working directory]: /docs/runtime/environment#task-directories 'Task Directories'
2020-12-01 14:05:35 +00:00
[`auth_soft_fail=true`]: #auth_soft_fail
2021-05-15 23:19:23 +00:00
[cap_add]: /docs/drivers/docker#cap_add
[cap_drop]: /docs/drivers/docker#cap_drop
[no_net_raw]: /docs/upgrade/upgrade-specific#nomad-1-1-0-rc1-1-0-5-0-12-12
[docker_caps]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
[allow_caps]: /docs/drivers/docker#allow_caps
2021-06-08 12:59:27 +00:00
[Connect]: /docs/job-specification/connect
2021-06-16 18:55:22 +00:00
[`bridge`]: docs/job-specification/network#bridge