grembo 7936c1e33f
Add `disable_file` parameter to job's `vault` stanza (#13343)
This complements the `env` parameter, so that the operator can author
tasks that don't share their Vault token with the workload when using 
`image` filesystem isolation. As a result, more powerful tokens can be used 
in a job definition, allowing it to use template stanzas to issue all kinds of 
secrets (database secrets, Vault tokens with very specific policies, etc.), 
without sharing that issuing power with the task itself.

This is accomplished by creating a directory called `private` within
the task's working directory, which shares many properties of
the `secrets` directory (tmpfs where possible, not accessible by
`nomad alloc fs` or Nomad's web UI), but isn't mounted into/bound to the
container.

If the `disable_file` parameter is set to `false` (its default), the Vault token
is also written to the NOMAD_SECRETS_DIR, so the default behavior is
backwards compatible. Even if the operator never changes the default,
they will still benefit from the improved behavior of Nomad never reading
the token back in from that - potentially altered - location.
2023-06-23 15:15:04 -04:00
.changelog Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
.github release pipeline: fix ref arguments in invoking workflow (#17684) 2023-06-22 15:33:19 -04:00
.release [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
.semgrep [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
.tours Make number of scheduler workers reloadable (#11593) 2022-01-06 11:56:13 -05:00
acl node pools: list nodes in pool (#17413) 2023-06-06 10:43:43 -04:00
api Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
ci [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
client Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
command Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
contributing build: update to go1.20.5 (#17451) 2023-06-07 11:44:59 -04:00
demo compliance: add headers with fixed copywrite tool (#17353) 2023-05-30 09:20:32 -05:00
dev repo: block pushing to release branches in git hook (#17377) 2023-06-01 09:36:20 -05:00
drivers Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
e2e e2e: create a v3/ set of packages for creating Nomad e2e tests (#17620) 2023-06-23 09:10:49 -05:00
helper node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
integrations Update metric names (#16894) 2023-04-18 13:25:42 -07:00
internal/testing/apitests [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
jobspec Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
jobspec2 Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
lib dep: update from jwt/v4 to jwt/v5 (#17062) 2023-05-03 11:17:38 -07:00
nomad Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
plugins docker: stop network pause container of lost alloc after node restart (#17455) 2023-06-09 08:46:29 -05:00
scheduler core: remove unnecessary call to SetNodes and adds DC downgrade test (#17655) 2023-06-22 13:26:14 -04:00
scripts Moves to the current LTS release of Node for our build and release workflows (#17639) 2023-06-21 15:17:24 -04:00
terraform ci: run 'make check' as reusable workflow (#17600) 2023-06-20 08:17:13 +01:00
testutil tests: enable newer windows (#17401) 2023-06-02 11:38:38 -05:00
tools tools: update dependencies and use tree set (#16974) 2023-04-25 07:47:19 -05:00
ui Merge pull request #17691 from hashicorp/f/missing-chart-stories 2023-06-23 08:17:34 -07:00
version node pools: prevent panic on upsert during upgrades (#17474) 2023-06-12 09:01:30 -04:00
website Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
.copywrite.hcl build: add agent bindata file to copywrite ignore list. (#17507) 2023-06-14 11:13:59 +01:00
.git-blame-ignore-revs add copywrite headers commit to ignore-revs config file (#17037) 2023-05-01 10:57:43 -04:00
.gitattributes Remove invalid gitattributes 2018-02-14 14:47:43 -08:00
.gitignore git: ignore .fleet directory (#16144) 2023-02-13 07:39:30 -06:00
.go-version build: update to go1.20.5 (#17451) 2023-06-07 11:44:59 -04:00
.golangci.yml [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
.semgrepignore build: disable semgrep on structs.go for now 2022-02-01 10:09:49 -06:00
CHANGELOG.md post 1.5.6 release (#17276) 2023-05-22 14:03:51 -05:00
CODEOWNERS build: update deprecated GitHub Actions (#17218) 2023-05-17 08:57:28 -04:00
GNUmakefile ci: remove circleci (#17502) 2023-06-12 16:28:19 -05:00
LICENSE [COMPLIANCE] Update MPL 2.0 LICENSE (#14884) 2022-10-13 08:43:12 -04:00
README.md Adds public roadmap project to readme 2023-03-20 15:11:38 -07:00
Vagrantfile dev: make cni, consul, dev, docker, and vault scripts Lima compat. (#16689) 2023-03-28 16:21:14 +01:00
build_linux_arm.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
go.mod build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (#17584) 2023-06-19 08:21:45 +01:00
go.sum build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (#17584) 2023-06-19 08:21:45 +01:00
main.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
main_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00

README.md

Nomad

License: MPL 2.0

Nomad is a simple and flexible workload orchestrator to deploy and manage containers (docker, podman), non-containerized applications (executable, Java), and virtual machines (qemu) across on-prem and clouds at scale.

Nomad is supported on Linux, Windows, and macOS. A commercial version of Nomad, Nomad Enterprise, is also available.

Nomad provides several key features:

  • Deploy Containers and Legacy Applications: Nomad's flexibility as an orchestrator enables an organization to run containers, legacy, and batch applications together on the same infrastructure. Nomad brings core orchestration benefits to legacy applications without needing to containerize via pluggable task drivers.

  • Simple & Reliable: Nomad runs as a single binary and is entirely self-contained, combining resource management and scheduling into a single system. Nomad does not require any external services for storage or coordination. Nomad automatically handles application, node, and driver failures. Nomad is distributed and resilient, using leader election and state replication to provide high availability in the event of failures.

  • Device Plugins & GPU Support: Nomad offers built-in support for GPU workloads such as machine learning (ML) and artificial intelligence (AI). Nomad uses device plugins to automatically detect and utilize resources from hardware devices such as GPUs, FPGAs, and TPUs.

  • Federation for Multi-Region, Multi-Cloud: Nomad was designed to support infrastructure at a global scale. Nomad supports federation out-of-the-box and can deploy applications across multiple regions and clouds.

  • Proven Scalability: Nomad is optimistically concurrent, which increases throughput and reduces latency for workloads. Nomad has been proven to scale to clusters of 10K+ nodes in real-world production environments.

  • HashiCorp Ecosystem: Nomad integrates seamlessly with Terraform, Consul, and Vault for provisioning, service discovery, and secrets management.

Quick Start

Testing

See Learn: Getting Started for instructions on setting up a local Nomad cluster for non-production use.

Optionally, find Terraform manifests for bringing up a development Nomad cluster on a public cloud in the terraform directory.

Production

See Learn: Nomad Reference Architecture for recommended practices and a reference architecture for production deployments.

Documentation

Full, comprehensive documentation is available on the Nomad website: https://www.nomadproject.io/docs

Guides are available on HashiCorp Learn.

Roadmap

A timeline of major features expected for the next release or two can be found in the Public Roadmap.

This roadmap is a best guess at any given point, and both release dates and projects in each release are subject to change. Do not take any of these items as commitments, especially ones later than one major release away.

Contributing

See the contributing directory for more developer documentation.