---
layout: docs
page_title: 'Drivers: Java'
description: The Java task driver is used to run Jars using the JVM.
---

# Java Driver

Name: `java`

The `java` driver is used to execute Java applications packaged into a Java Jar
file. The driver requires the Jar file to be accessible from the Nomad
client via the [`artifact` downloader](/docs/job-specification/artifact).

## Task Configuration

```hcl
task "webservice" {
  driver = "java"

  config {
    jar_path    = "local/example.jar"
    jvm_options = ["-Xmx2048m", "-Xms256m"]
  }
}
```

The `java` driver supports the following configuration in the job spec:

- `class` - (Optional) The name of the class to run. If `jar_path` is specified
  and the manifest specifies a main class, this is optional. If shipping classes
  rather than a Jar, please specify the class to run and the `class_path`.

- `class_path` - (Optional) The `class_path` specifies the class path used by
  Java to look up classes and Jars.

- `jar_path` - (Optional) The path to the downloaded Jar. In most cases this will just be
  the name of the Jar. However, if the supplied artifact is an archive that
  contains the Jar in a subfolder, the path will need to be the relative path
  (`subdir/from_archive/my.jar`).

- `args` - (Optional) A list of arguments to the Jar's main method. References
  to environment variables or any [interpretable Nomad
  variables](/docs/runtime/interpolation) will be interpreted before
  launching the task.

- `jvm_options` - (Optional) A list of JVM options to be passed while invoking
  java. These options are passed without being validated in any way by Nomad.

- `pid_mode` - (Optional) Set to `"private"` to enable PID namespace isolation for
  this task, or `"host"` to disable isolation. If left unset, the behavior is
  determined from the [`default_pid_mode`][default_pid_mode] in plugin configuration.

!> **Warning:** If set to `"host"`, other processes running as the same user will
be able to access sensitive process information like environment variables.

- `ipc_mode` - (Optional) Set to `"private"` to enable IPC namespace isolation for
  this task, or `"host"` to disable isolation. If left unset, the behavior is
  determined from the [`default_ipc_mode`][default_ipc_mode] in plugin configuration.

!> **Warning:** If set to `"host"`, other processes running as the same user will be
able to make use of IPC features, like sending unexpected POSIX signals.

- `cap_add` - (Optional) A list of Linux capabilities to enable for the task.
  Effective capabilities (computed from `cap_add` and `cap_drop`) must be a subset
  of the allowed capabilities configured with [`allow_caps`][allow_caps].

  ```hcl
  config {
    cap_add = ["net_raw", "sys_time"]
  }
  ```

- `cap_drop` - (Optional) A list of Linux capabilities to disable for the task.
  Effective capabilities (computed from `cap_add` and `cap_drop`) must be a subset
  of the allowed capabilities configured with [`allow_caps`][allow_caps].

  ```hcl
  config {
    cap_drop = ["all"]
    cap_add  = ["chown", "sys_chroot", "mknod"]
  }
  ```

## Examples

A simple config block to run a Java Jar:

```hcl
task "web" {
  driver = "java"

  config {
    jar_path    = "local/hello.jar"
    jvm_options = ["-Xmx2048m", "-Xms256m"]
  }

  # Specifying an artifact is required with the "java" driver. This is the
  # mechanism to ship the Jar to be run.
  artifact {
    source = "https://internal.file.server/hello.jar"

    options {
      checksum = "md5:123445555555555"
    }
  }
}
```

A simple config block to run a Java class:

```hcl
task "web" {
  driver = "java"

  config {
    class       = "Hello"
    class_path  = "${NOMAD_TASK_DIR}"
    jvm_options = ["-Xmx2048m", "-Xms256m"]
  }

  # Specifying an artifact is required with the "java" driver. This is the
  # mechanism to ship the Jar to be run.
  artifact {
    source = "https://internal.file.server/Hello.class"

    options {
      checksum = "md5:123445555555555"
    }
  }
}
```

## Capabilities

The `java` driver implements the following [capabilities](/docs/internals/plugins/task-drivers#capabilities-capabilities-error).

| Feature              | Implementation                |
| -------------------- | ----------------------------- |
| `nomad alloc signal` | false                         |
| `nomad alloc exec`   | false                         |
| filesystem isolation | none, chroot (only for linux) |
| network isolation    | host, group                   |
| volume mounting      | none, all (only for linux)    |

## Plugin Options

- `default_pid_mode` `(string: optional)` - Defaults to `"private"`. Set to
  `"private"` to enable PID namespace isolation for tasks by default, or `"host"` to
  disable isolation.

!> **Warning:** If set to `"host"`, other processes running as the same user will
be able to access sensitive process information like environment variables.

- `default_ipc_mode` `(string: optional)` - Defaults to `"private"`. Set to
  `"private"` to enable IPC namespace isolation for tasks by default,
  or `"host"` to disable isolation.

!> **Warning:** If set to `"host"`, other processes running as the same user will be
able to make use of IPC features, like sending unexpected POSIX signals.

- `allow_caps` - A list of allowed Linux capabilities. Defaults to

  ```hcl
  ["audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod",
   "net_bind_service", "setfcap", "setgid", "setpcap", "setuid", "sys_chroot"]
  ```

  which is modeled after the capabilities allowed by [docker by default][docker_caps]
  (sans [`NET_RAW`][no_net_raw]). Allows the operator to control which capabilities
  can be obtained by tasks using [`cap_add`][cap_add] and [`cap_drop`][cap_drop] options.
  Supports the value `"all"` as a shortcut for allow-listing all capabilities supported
  by the operating system.

!> **Warning:** Allowing more capabilities beyond the default may lead to
undesirable consequences, including untrusted tasks being able to compromise the
host system.

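
An added example (not code from the Nomad project) that audits a task's `config` block against the warnings above and the `cap_add`/`cap_drop` rule under Task Configuration. It assumes effective capabilities are computed by starting from the default list, applying `cap_drop`, then `cap_add`; `effective_caps`, `audit_task` and the sample dicts are hypothetical names.

```python
# Default allow_caps, copied from the Plugin Options list on this page.
DEFAULT_ALLOW_CAPS = frozenset({
    "audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod",
    "net_bind_service", "setfcap", "setgid", "setpcap", "setuid", "sys_chroot",
})


def effective_caps(cap_add=(), cap_drop=(), base=DEFAULT_ALLOW_CAPS):
    """Assumed model: start from `base`, apply cap_drop, then cap_add.

    cap_drop = ["all"] empties the set first, as in the page's cap_drop example.
    """
    drop = {c.lower() for c in cap_drop}
    caps = set() if "all" in drop else set(base) - drop
    return caps | {c.lower() for c in cap_add}


def audit_task(config, allow_caps=DEFAULT_ALLOW_CAPS,
               default_pid_mode="private", default_ipc_mode="private"):
    """Return a list of findings for one task's `config` block (as a dict)."""
    findings = []
    modes = {"pid_mode": default_pid_mode, "ipc_mode": default_ipc_mode}
    for key, plugin_default in modes.items():
        # An unset task value falls back to the plugin default.
        if config.get(key, plugin_default) == "host":
            findings.append(f"{key}=host: namespace isolation disabled")
    allowed = {c.lower() for c in allow_caps}
    if "all" not in allowed:  # "all" allow-lists every capability
        wanted = effective_caps(config.get("cap_add", ()), config.get("cap_drop", ()))
        extra = wanted - allowed
        if extra:
            findings.append("not in allow_caps: " + ", ".join(sorted(extra)))
    return findings


# Constructed sample configs; the capability lists are the two examples on this page.
RISKY = {"pid_mode": "host", "cap_add": ["net_raw", "sys_time"]}
HARDENED = {"cap_drop": ["all"], "cap_add": ["chown", "sys_chroot", "mknod"]}

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit_task(cfg) or "ok")
```

Under the default `allow_caps`, the page's first `cap_add` example is flagged because `net_raw` and `sys_time` are outside the default list, while the `cap_drop = ["all"]` example passes.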

## Client Requirements

The `java` driver requires Java to be installed and in your system's `$PATH`. On
Linux, Nomad must run as root since it will use `chroot` and `cgroups` which
require root privileges. The task must also specify at least one artifact to
download, as this is the only way to retrieve the Jar being run.

## Client Attributes

The `java` driver will set the following client attributes:

- `driver.java` - Set to `1` if Java is found on the host node. Nomad determines
  this by executing `java -version` on the host and parsing the output
- `driver.java.version` - Version of Java, ex: `1.6.0_65`
- `driver.java.runtime` - Runtime version, ex: `Java(TM) SE Runtime Environment (build 1.6.0_65-b14-466.1-11M4716)`
- `driver.java.vm` - Virtual Machine information, ex: `Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-466.1, mixed mode)`

Here is an example of using these properties in a job file:

```hcl
job "docs" {
  # Only run this job where the JVM is higher than version 1.6.0.
  constraint {
    attribute = "${driver.java.version}"
    operator  = ">"
    value     = "1.6.0"
  }
}
```

## Resource Isolation

The resource isolation provided varies by the operating system of
the client and the configuration.

On Linux, Nomad will attempt to use cgroups, namespaces, and chroot
to isolate the resources of a process. If the Nomad agent is not
running as root, many of these mechanisms cannot be used.

As a baseline, the Java jars will be run inside a Java Virtual Machine,
providing a minimum amount of isolation.

### Chroot

The chroot created on Linux is populated with data in the following
directories from the host machine:

```
[
  "/bin",
  "/etc",
  "/lib",
  "/lib32",
  "/lib64",
  "/run/resolvconf",
  "/sbin",
  "/usr",
]
```

The task's chroot is populated by linking or copying the data from the host into
the chroot. Note that this can take considerable disk space. Since Nomad v0.5.3,
the client manages garbage collection locally which mitigates any issue this may
create.

This list is configurable through the agent client
[configuration file](/docs/configuration/client#chroot_env).

[default_pid_mode]: /docs/drivers/java#default_pid_mode
[default_ipc_mode]: /docs/drivers/java#default_ipc_mode
[cap_add]: /docs/drivers/java#cap_add
[cap_drop]: /docs/drivers/java#cap_drop
[no_net_raw]: /docs/upgrade/upgrade-specific#nomad-1-1-0-rc1-1-0-5-0-12-12
[allow_caps]: /docs/drivers/java#allow_caps
[docker_caps]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities