open-nomad/website/pages/docs/job-specification/csi_plugin.mdx
Tim Gross caa258b924
docs: add warnings for CSI plugin jobspec (#7642)
* Node/monolith plugins require root privileges and this wasn't being
  made super clear.
* Node/monolith plugins should always be run as system jobs.
2020-04-07 07:51:50 -04:00

103 lines
3.1 KiB
Plaintext

---
layout: docs
page_title: csi_plugin Stanza - Job Specification
sidebar_title: csi_plugin
description: >-
The "csi_plugin" stanza allows the task to specify it provides a
Container Storage Interface plugin to the cluster.
---
# `csi_plugin` Stanza
<Placement groups={['job', 'group', 'task', 'volume']} />
The "csi_plugin" stanza allows the task to specify it provides a
Container Storage Interface plugin to the cluster. Nomad will
automatically register the plugin so that it can be used by other jobs
to claim [volumes][csi_volumes].
```hcl
csi_plugin {
id = "csi-hostpath"
type = "monolith"
mount_dir = "/csi"
}
```
## `csi_plugin` Parameters
- `id` `(string: <required>)` - This is the ID for the plugin. Some
plugins will require both controller and node plugin types (see
below); you need to use the same ID for both so that Nomad knows the
belong to the same plugin.
- `type` `(string: <required>)` - One of `node`, `controller`, or
`monolith`. Each plugin supports one or more types. Each Nomad
client node where you want to mount a volume will need a `node`
plugin instance. Some plugins will also require one or more
`controller` plugin instances to communicate with the storage
provider's APIs. Some plugins can serve as both `controller` and
`node` at the same time, and these are called `monolith`
plugins. Refer to your CSI plugin's documentation.
- `mount_dir` `(string: <required>)` - The directory path inside the
container where the plugin will expect a Unix domain socket for
bidirectional communication with Nomad.
~> **Note:** Plugins running as `node` or `monolith` require root
privileges (or `CAP_SYS_ADMIN` on Linux) to mount volumes on the
host. With the Docker task driver, you can use the `privileged = true`
configuration, but no other default task drivers currently have this
option.
~> **Note:** During node drains, jobs that claim volumes should be
moved before the `node` or `monolith` plugin for those
volumes. Because [`system`][system] jobs are moved last during node drains, you
should run `node` or `monolith` plugins as `system` jobs.
## `csi_plugin` Examples
```hcl
job "plugin-efs" {
datacenters = ["dc1"]
# you can run node plugins as service jobs as well, but running
# as a system job ensures all nodes in the DC have a copy.
type = "system"
group "nodes" {
task "plugin" {
driver = "docker"
config {
image = "amazon/aws-efs-csi-driver:latest"
args = [
"node",
"--endpoint=unix://csi/csi.sock",
"--logtostderr",
"--v=5",
]
# all CSI node plugins will need to run as privileged tasks
# so they can mount volumes to the host. controller plugins
# do not need to be privileged.
privileged = true
}
csi_plugin {
id = "aws-efs0"
type = "node"
mount_dir = "/csi" # this path /csi matches the --endpoint
# argument for the container
}
}
}
}
```
[csi]: https://github.com/container-storage-interface/spec
[csi_volumes]: /docs/job-specification/volume
[system]: /docs/schedulers/#system