158 lines
4.6 KiB
Plaintext
158 lines
4.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: 'Drivers: Raw Exec'
|
|
description: The Raw Exec task driver simply fork/execs and provides no isolation.
|
|
---
|
|
|
|
# Raw Fork/Exec Driver
|
|
|
|
Name: `raw_exec`
|
|
|
|
The `raw_exec` driver is used to execute a command for a task without any
|
|
isolation. Further, the task is started as the same user as the Nomad process.
|
|
As such, it should be used with extreme care and is disabled by default.
|
|
|
|
## Task Configuration
|
|
|
|
```hcl
|
|
task "webservice" {
|
|
driver = "raw_exec"
|
|
|
|
config {
|
|
command = "my-binary"
|
|
args = ["-flag", "1"]
|
|
}
|
|
}
|
|
```
|
|
|
|
The `raw_exec` driver supports the following configuration in the job spec:
|
|
|
|
- `command` - The command to execute. Must be provided. If executing a binary
|
|
that exists on the host, the path must be absolute. If executing a binary that
|
|
is downloaded from an [`artifact`](/docs/job-specification/artifact), the
|
|
path can be relative from the allocation's root directory.
|
|
|
|
- `args` - (Optional) A list of arguments to the `command`. References
|
|
to environment variables or any [interpretable Nomad
|
|
variables](/docs/runtime/interpolation) will be interpreted before
|
|
launching the task.
|
|
|
|
## Examples
|
|
|
|
To run a binary present on the Node:
|
|
|
|
```
|
|
task "example" {
|
|
driver = "raw_exec"
|
|
|
|
config {
|
|
# When running a binary that exists on the host, the path must be absolute/
|
|
command = "/bin/sleep"
|
|
args = ["1"]
|
|
}
|
|
}
|
|
```
|
|
|
|
To execute a binary downloaded from an [`artifact`](/docs/job-specification/artifact):
|
|
|
|
```
|
|
task "example" {
|
|
driver = "raw_exec"
|
|
|
|
config {
|
|
command = "name-of-my-binary"
|
|
}
|
|
|
|
artifact {
|
|
source = "https://internal.file.server/name-of-my-binary"
|
|
options {
|
|
checksum = "sha256:abd123445ds4555555555"
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
## Capabilities
|
|
|
|
The `raw_exec` driver implements the following [capabilities](/docs/internals/plugins/task-drivers#capabilities-capabilities-error).
|
|
|
|
| Feature | Implementation |
|
|
| -------------------- | -------------- |
|
|
| `nomad alloc signal` | true |
|
|
| `nomad alloc exec` | true |
|
|
| filesystem isolation | none |
|
|
| network isolation | host, group |
|
|
| volume mounting | none |
|
|
|
|
## Client Requirements
|
|
|
|
The `raw_exec` driver can run on all supported operating systems. For security
|
|
reasons, it is disabled by default. To enable raw exec, the Nomad client
|
|
configuration must explicitly enable the `raw_exec` driver in the plugin's options:
|
|
|
|
```
|
|
plugin "raw_exec" {
|
|
config {
|
|
enabled = true
|
|
}
|
|
}
|
|
```
|
|
|
|
Nomad versions before v0.9 use the following client configuration. This configuration is
|
|
also supported in Nomad v0.9.0, but is deprecated in favor of the plugin stanza:
|
|
|
|
```
|
|
client {
|
|
options = {
|
|
"driver.raw_exec.enable" = "1"
|
|
}
|
|
}
|
|
```
|
|
|
|
## Plugin Options
|
|
|
|
- `enabled` - Specifies whether the driver should be enabled or disabled.
|
|
Defaults to `false`.
|
|
|
|
- `no_cgroups` - Specifies whether the driver should not use
|
|
cgroups to manage the process group launched by the driver. By default,
|
|
cgroups are used to manage the process tree to ensure full cleanup of all
|
|
processes started by the task. The driver uses cgroups by default on
|
|
Linux and when `/sys/fs/cgroup/freezer/nomad` is writable for the
|
|
Nomad process. Using a cgroup significantly reduces Nomad's CPU
|
|
usage when collecting process metrics.
|
|
|
|
## Client Options
|
|
|
|
~> Note: client configuration options will soon be deprecated. Please use
|
|
[plugin options][plugin-options] instead. See the [plugin stanza][plugin-stanza] documentation for more information.
|
|
|
|
- `driver.raw_exec.enable` - Specifies whether the driver should be enabled or
|
|
disabled. Defaults to `false`.
|
|
|
|
- `driver.raw_exec.no_cgroups` - Specifies whether the driver should not use
|
|
cgroups to manage the process group launched by the driver. By default,
|
|
cgroups are used to manage the process tree to ensure full cleanup of all
|
|
processes started by the task. The driver only uses cgroups when Nomad is
|
|
launched as root, on Linux and when cgroups are detected.
|
|
|
|
## Client Attributes
|
|
|
|
The `raw_exec` driver will set the following client attributes:
|
|
|
|
- `driver.raw_exec` - This will be set to "1", indicating the driver is available.
|
|
|
|
## Resource Isolation
|
|
|
|
The `raw_exec` driver provides no isolation.
|
|
|
|
If the launched process creates a new process group, it is possible that Nomad
|
|
will leak processes on shutdown unless the application forwards signals
|
|
properly. Nomad will not leak any processes if cgroups are being used to manage
|
|
the process tree. Cgroups are used on Linux when Nomad is being run with
|
|
appropriate privileges, the cgroup system is mounted and the operator hasn't
|
|
disabled cgroups for the driver.
|
|
|
|
[plugin-options]: #plugin-options
|
|
[plugin-stanza]: /docs/configuration/plugin
|