228 lines
6.8 KiB
Plaintext
228 lines
6.8 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: 'Drivers: Rkt'
|
|
description: The rkt task driver is used to run application containers using rkt.
|
|
---
|
|
|
|
~> **Deprecation Warning!**
|
|
Nomad introduced the rkt driver in version 0.2.0. The rkt project had some
|
|
early adoption; in recent times user adoption has trended away from rkt towards
|
|
other projects. Project activity has declined and there are unpatched CVEs.
|
|
The project has been [archived by the CNCF](https://github.com/rkt/rkt/issues/4004#issuecomment-507358362)
|
|
|
|
Nomad 0.11 converted the rkt driver to an external driver. We will not prioritize features
|
|
or pull requests that affect the rkt driver. The external driver is available as an [open source
|
|
repository](https://github.com/hashicorp/nomad-driver-rkt) for community ownership.
|
|
|
|
# Rkt Driver
|
|
|
|
Name: `rkt`
|
|
|
|
The `rkt` driver provides an interface for using rkt for running
|
|
application containers.
|
|
|
|
## Task Configuration
|
|
|
|
```hcl
|
|
task "webservice" {
|
|
driver = "rkt"
|
|
|
|
config {
|
|
image = "redis:3.2"
|
|
}
|
|
}
|
|
```
|
|
|
|
The `rkt` driver supports the following configuration in the job spec:
|
|
|
|
- `image` - The image to run. May be specified by name, hash, ACI address
|
|
or docker registry.
|
|
|
|
```hcl
|
|
config {
|
|
image = "https://hub.docker.internal/redis:3.2"
|
|
}
|
|
```
|
|
|
|
- `command` - (Optional) A command to execute on the ACI.
|
|
|
|
```hcl
|
|
config {
|
|
command = "my-command"
|
|
}
|
|
```
|
|
|
|
- `args` - (Optional) A list of arguments to the optional `command`. References
|
|
to environment variables or any [interpretable Nomad
|
|
variables](/docs/runtime/interpolation) will be interpreted before
|
|
launching the task.
|
|
|
|
```hcl
|
|
config {
|
|
args = [
|
|
"-bind", "${NOMAD_PORT_http}",
|
|
"${nomad.datacenter}",
|
|
"${MY_ENV}",
|
|
"${meta.foo}",
|
|
]
|
|
}
|
|
```
|
|
|
|
- `trust_prefix` - (Optional) The trust prefix to be passed to rkt. Must be
|
|
reachable from the box running the nomad agent. If not specified, the image is
|
|
run with `--insecure-options=all`.
|
|
|
|
- `insecure_options` - (Optional) List of insecure options for rkt. Consult `rkt --help`
|
|
for list of supported values. This list overrides the `--insecure-options=all` default when
|
|
no `trust_prefix` is provided in the job config, which can be effectively used to enforce
|
|
secure runs, using `insecure_options = ["none"]` option.
|
|
|
|
```hcl
|
|
config {
|
|
image = "example.com/image:1.0"
|
|
insecure_options = ["image", "tls", "ondisk"]
|
|
}
|
|
```
|
|
|
|
- `dns_servers` - (Optional) A list of DNS servers to be used in the container.
|
|
Alternatively a list containing just `host` or `none`. `host` uses the host's
|
|
`resolv.conf` while `none` forces use of the image's name resolution configuration.
|
|
|
|
- `dns_search_domains` - (Optional) A list of DNS search domains to be used in
|
|
the containers.
|
|
|
|
- `net` - (Optional) A list of networks to be used by the containers
|
|
|
|
- `port_map` - (Optional) A key/value map of ports used by the container. The
|
|
value is the port name specified in the image manifest file. When running
|
|
Docker images with rkt the port names will be of the form `${PORT}-tcp`. See
|
|
[networking](#networking) below for more details.
|
|
|
|
```hcl
|
|
port_map {
|
|
# If running a Docker image that exposes port 8080
|
|
app = "8080-tcp"
|
|
}
|
|
```
|
|
|
|
* `debug` - (Optional) Enable rkt command debug option.
|
|
|
|
* `no_overlay` - (Optional) When enabled, will use `--no-overlay=true` flag for 'rkt run'.
|
|
Useful when running jobs on older systems affected by https://github.com/rkt/rkt/issues/1922
|
|
|
|
* `volumes` - (Optional) A list of `host_path:container_path[:readOnly]` strings to bind
|
|
host paths to container paths.
|
|
Mount is done read-write by default; an optional third parameter `readOnly` can be provided
|
|
to make it read-only.
|
|
|
|
```hcl
|
|
config {
|
|
volumes = ["/path/on/host:/path/in/container", "/readonly/path/on/host:/path/in/container:readOnly"]
|
|
}
|
|
```
|
|
|
|
* `group` - (Optional) Specifies the group that will run the task. Sets the
|
|
`--group` flag and overrides the group specified by the image. The
|
|
[`user`][user] may be specified at the task level.
|
|
|
|
## Networking
|
|
|
|
The `rkt` can specify `--net` and `--port` for the rkt client. Hence, there are two ways to use host ports by
|
|
using `--net=host` or `--port=PORT` with your network.
|
|
|
|
Example:
|
|
|
|
```hcl
|
|
task "redis" {
|
|
# Use rkt to run the task.
|
|
driver = "rkt"
|
|
|
|
config {
|
|
# Use docker image with port defined
|
|
image = "docker://redis:latest"
|
|
port_map {
|
|
app = "6379-tcp"
|
|
}
|
|
}
|
|
|
|
service {
|
|
port = "app"
|
|
}
|
|
|
|
resources {
|
|
network {
|
|
port "app" {
|
|
static = 12345
|
|
}
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
### Allocating Ports
|
|
|
|
You can allocate ports to your task using the port syntax described on the
|
|
[networking page](/docs/job-specification/network).
|
|
|
|
When you use port allocation, the image manifest needs to declare public ports and host has configured network.
|
|
For more information, please refer to [rkt Networking](https://coreos.com/rkt/docs/latest/networking/overview).
|
|
|
|
## Client Requirements
|
|
|
|
The `rkt` driver requires the following:
|
|
|
|
- The Nomad client agent to be running as the root user.
|
|
- rkt to be installed and in your system's `$PATH`.
|
|
- The `trust_prefix` must be accessible by the node running Nomad. This can be an
|
|
internal source, private to your cluster, but it must be reachable by the client
|
|
over HTTP.
|
|
|
|
## Plugin Options
|
|
|
|
- `volumes_enabled` - Defaults to `true`. Allows tasks to bind host paths
|
|
(`volumes`) inside their container. Binding relative paths is always allowed
|
|
and will be resolved relative to the allocation's directory.
|
|
|
|
## Client Configuration
|
|
|
|
~> Note: client configuration options will soon be deprecated. Please use [plugin options][plugin-options] instead. See the [plugin stanza][plugin-stanza] documentation for more information.
|
|
|
|
The `rkt` driver has the following [client configuration
|
|
options](/docs/configuration/client#options):
|
|
|
|
- `rkt.volumes.enabled` - Defaults to `true`. Allows tasks to bind host paths
|
|
(`volumes`) inside their container. Binding relative paths is always allowed
|
|
and will be resolved relative to the allocation's directory.
|
|
|
|
## Client Attributes
|
|
|
|
The `rkt` driver will set the following client attributes:
|
|
|
|
- `driver.rkt` - Set to `1` if rkt is found on the host node. Nomad determines
|
|
this by executing `rkt version` on the host and parsing the output
|
|
- `driver.rkt.version` - Version of `rkt` e.g.: `1.27.0`. Note that the minimum required
|
|
version is `1.27.0`
|
|
- `driver.rkt.appc.version` - Version of `appc` that `rkt` is using e.g.: `1.1.0`
|
|
|
|
Here is an example of using these properties in a job file:
|
|
|
|
```hcl
|
|
job "docs" {
|
|
# Only run this job where the rkt version is higher than 0.8.
|
|
constraint {
|
|
attribute = "${driver.rkt.version}"
|
|
operator = ">"
|
|
value = "1.2"
|
|
}
|
|
}
|
|
```
|
|
|
|
## Resource Isolation
|
|
|
|
This driver supports CPU and memory isolation by delegating to `rkt`. Network
|
|
isolation is not supported as of now.
|
|
|
|
[user]: /docs/job-specification/task#user
|
|
[plugin-options]: #plugin-options
|
|
[plugin-stanza]: /docs/configuration/plugin
|