diff --git a/.travis.yml b/.travis.yml index f03d4f361fa..ab571564867 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,6 +17,7 @@ before_install: - sudo apt-get update - sudo apt-get install -y docker-engine - sudo apt-get install -y qemu + - ./scripts/install_rkt.sh - ./scripts/install_consul.sh - ./scripts/install_vault.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index f59547cbbd0..c7a41b48457 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ IMPROVEMENTS: * driver: Export `NOMAD_JOB_NAME` environment variable [GH-1804] * driver/docker: Support Docker volumes [GH-1767] * driver/docker: Allow Docker logging to be configured [GH-1767] + * driver/rkt: Support rkt volumes (rkt >= 1.0.0 required) [GH-1812] BUG FIXES: * agent: Handle the SIGPIPE signal preventing panics on journalctl restarts diff --git a/Vagrantfile b/Vagrantfile index 36853892bdd..cf9f451e999 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -60,6 +60,7 @@ cd /opt/gopath/src/github.com/hashicorp/nomad && make bootstrap # Install rkt, consul and vault bash scripts/install_rkt.sh +bash scripts/install_rkt_vagrant.sh bash scripts/install_consul.sh bash scripts/install_vault.sh diff --git a/client/driver/docker.go b/client/driver/docker.go index 19902d556c7..5e64cd8c689 100644 --- a/client/driver/docker.go +++ b/client/driver/docker.go @@ -64,8 +64,9 @@ const ( dockerSELinuxLabelConfigOption = "docker.volumes.selinuxlabel" // dockerVolumesConfigOption is the key for enabling the use of custom - // bind volumes. - dockerVolumesConfigOption = "docker.volumes.enabled" + // bind volumes to arbitrary host paths. + dockerVolumesConfigOption = "docker.volumes.enabled" + dockerVolumesConfigDefault = true // dockerPrivilegedConfigOption is the key for running containers in // Docker's privileged mode. @@ -369,8 +370,8 @@ func (d *DockerDriver) Fingerprint(cfg *config.Config, node *structs.Node) (bool node.Attributes[dockerDriverAttr] = "1" node.Attributes["driver.docker.version"] = env.Get("Version") - // Advertise if this node supports Docker volumes (by default we do not) - if d.config.ReadBoolDefault(dockerVolumesConfigOption, false) { + // Advertise if this node supports Docker volumes + if d.config.ReadBoolDefault(dockerVolumesConfigOption, dockerVolumesConfigDefault) { node.Attributes["driver."+dockerVolumesConfigOption] = "1" } @@ -397,13 +398,30 @@ func (d *DockerDriver) containerBinds(driverConfig *DockerDriverConfig, alloc *a secretDirBind := fmt.Sprintf("%s:%s", secret, allocdir.TaskSecretsContainerPath) binds := []string{allocDirBind, taskLocalBind, secretDirBind} - volumesEnabled := d.config.ReadBoolDefault(dockerVolumesConfigOption, false) - if len(driverConfig.Volumes) > 0 && !volumesEnabled { - return nil, fmt.Errorf("%s is false; cannot use Docker Volumes: %+q", dockerVolumesConfigOption, driverConfig.Volumes) - } + volumesEnabled := d.config.ReadBoolDefault(dockerVolumesConfigOption, dockerVolumesConfigDefault) + for _, userbind := range driverConfig.Volumes { + parts := strings.Split(userbind, ":") + if len(parts) < 2 { + return nil, fmt.Errorf("invalid docker volume: %q", userbind) + } + + // Resolve dotted path segments + parts[0] = filepath.Clean(parts[0]) + + // Absolute paths aren't always supported + if filepath.IsAbs(parts[0]) { + if !volumesEnabled { + // Disallow mounting arbitrary absolute paths + return nil, fmt.Errorf("%s is false; cannot mount host paths: %+q", dockerVolumesConfigOption, userbind) + } + binds = append(binds, userbind) + continue + } - if len(driverConfig.Volumes) > 0 { - binds = append(binds, driverConfig.Volumes...) + // Relative paths are always allowed as they mount within a container + // Expand path relative to alloc dir + parts[0] = filepath.Join(shared, parts[0]) + binds = append(binds, strings.Join(parts, ":")) } if selinuxLabel := d.config.Read(dockerSELinuxLabelConfigOption); selinuxLabel != "" { diff --git a/client/driver/docker_test.go b/client/driver/docker_test.go index be70f9cc508..4c02905d45f 100644 --- a/client/driver/docker_test.go +++ b/client/driver/docker_test.go @@ -5,7 +5,6 @@ import ( "io/ioutil" "math/rand" "os" - "path" "path/filepath" "reflect" "runtime/debug" @@ -944,19 +943,14 @@ done } } -func setupDockerVolumes(t *testing.T, cfg *config.Config) (*structs.Task, Driver, *ExecContext, string, func()) { +func setupDockerVolumes(t *testing.T, cfg *config.Config, hostpath string) (*structs.Task, Driver, *ExecContext, string, func()) { if !testutil.DockerIsConnected(t) { t.SkipNow() } - tmpvol, err := ioutil.TempDir("", "nomadtest_dockerdriver_volumes") - if err != nil { - t.Fatalf("error creating temporary dir: %v", err) - } - randfn := fmt.Sprintf("test-%d", rand.Int()) - hostpath := path.Join(tmpvol, randfn) - contpath := path.Join("/mnt/vol", randfn) + hostfile := filepath.Join(hostpath, randfn) + containerFile := filepath.Join("/mnt/vol", randfn) task := &structs.Task{ Name: "ls", @@ -964,8 +958,8 @@ func setupDockerVolumes(t *testing.T, cfg *config.Config) (*structs.Task, Driver "image": "busybox", "load": []string{"busybox.tar"}, "command": "touch", - "args": []string{contpath}, - "volumes": []string{fmt.Sprintf("%s:/mnt/vol", tmpvol)}, + "args": []string{containerFile}, + "volumes": []string{fmt.Sprintf("%s:/mnt/vol", hostpath)}, }, LogConfig: &structs.LogConfig{ MaxFiles: 10, @@ -980,7 +974,9 @@ func setupDockerVolumes(t *testing.T, cfg *config.Config) (*structs.Task, Driver execCtx := NewExecContext(allocDir, alloc.ID) cleanup := func() { execCtx.AllocDir.Destroy() - os.RemoveAll(tmpvol) + if filepath.IsAbs(hostpath) { + os.RemoveAll(hostpath) + } } taskEnv, err := GetTaskEnv(allocDir, cfg.Node, task, alloc, "") @@ -993,26 +989,63 @@ func setupDockerVolumes(t *testing.T, cfg *config.Config) (*structs.Task, Driver driver := NewDockerDriver(driverCtx) copyImage(execCtx, task, "busybox.tar", t) - return task, driver, execCtx, hostpath, cleanup + return task, driver, execCtx, hostfile, cleanup } func TestDockerDriver_VolumesDisabled(t *testing.T) { cfg := testConfig() + cfg.Options = map[string]string{dockerVolumesConfigOption: "false"} - task, driver, execCtx, _, cleanup := setupDockerVolumes(t, cfg) - defer cleanup() + { + tmpvol, err := ioutil.TempDir("", "nomadtest_docker_volumesdisabled") + if err != nil { + t.Fatalf("error creating temporary dir: %v", err) + } - _, err := driver.Start(execCtx, task) - if err == nil { - t.Fatalf("Started driver successfully when volumes should have been disabled.") + task, driver, execCtx, _, cleanup := setupDockerVolumes(t, cfg, tmpvol) + defer cleanup() + + if _, err := driver.Start(execCtx, task); err == nil { + t.Fatalf("Started driver successfully when volumes should have been disabled.") + } } + + // Relative paths should still be allowed + { + task, driver, execCtx, fn, cleanup := setupDockerVolumes(t, cfg, ".") + defer cleanup() + + handle, err := driver.Start(execCtx, task) + if err != nil { + t.Fatalf("err: %v", err) + } + defer handle.Kill() + + select { + case res := <-handle.WaitCh(): + if !res.Successful() { + t.Fatalf("unexpected err: %v", res) + } + case <-time.After(time.Duration(tu.TestMultiplier()*10) * time.Second): + t.Fatalf("timeout") + } + + if _, err := ioutil.ReadFile(filepath.Join(execCtx.AllocDir.SharedDir, fn)); err != nil { + t.Fatalf("unexpected error reading %s: %v", fn, err) + } + } + } func TestDockerDriver_VolumesEnabled(t *testing.T) { cfg := testConfig() - cfg.Options = map[string]string{dockerVolumesConfigOption: "true"} - task, driver, execCtx, hostpath, cleanup := setupDockerVolumes(t, cfg) + tmpvol, err := ioutil.TempDir("", "nomadtest_docker_volumesenabled") + if err != nil { + t.Fatalf("error creating temporary dir: %v", err) + } + + task, driver, execCtx, hostpath, cleanup := setupDockerVolumes(t, cfg, tmpvol) defer cleanup() handle, err := driver.Start(execCtx, task) diff --git a/client/driver/rkt.go b/client/driver/rkt.go index ac422ec6e36..735ff20ae7a 100644 --- a/client/driver/rkt.go +++ b/client/driver/rkt.go @@ -21,7 +21,6 @@ import ( "github.com/hashicorp/nomad/client/config" "github.com/hashicorp/nomad/client/driver/executor" dstructs "github.com/hashicorp/nomad/client/driver/structs" - "github.com/hashicorp/nomad/client/fingerprint" cstructs "github.com/hashicorp/nomad/client/structs" "github.com/hashicorp/nomad/helper/discover" "github.com/hashicorp/nomad/helper/fields" @@ -38,11 +37,19 @@ const ( // minRktVersion is the earliest supported version of rkt. rkt added support // for CPU and memory isolators in 0.14.0. We cannot support an earlier // version to maintain an uniform interface across all drivers - minRktVersion = "0.14.0" + minRktVersion = "1.0.0" // The key populated in the Node Attributes to indicate the presence of the // Rkt driver rktDriverAttr = "driver.rkt" + + // rktVolumesConfigOption is the key for enabling the use of custom + // bind volumes. + rktVolumesConfigOption = "rkt.volumes.enabled" + rktVolumesConfigDefault = true + + // rktCmd is the command rkt is installed as. + rktCmd = "rkt" ) // RktDriver is a driver for running images via Rkt @@ -50,7 +57,6 @@ const ( // planned in the future type RktDriver struct { DriverContext - fingerprint.StaticFingerprinter } type RktDriverConfig struct { @@ -61,6 +67,7 @@ type RktDriverConfig struct { DNSServers []string `mapstructure:"dns_servers"` // DNS Server for containers DNSSearchDomains []string `mapstructure:"dns_search_domains"` // DNS Search domains for containers Debug bool `mapstructure:"debug"` // Enable debug option for rkt command + Volumes []string `mapstructure:"volumes"` // Host-Volumes to mount in, syntax: /path/to/host/directory:/destination/path/in/container } // rktHandle is returned from Start/Open as a handle to the PID @@ -142,7 +149,7 @@ func (d *RktDriver) Fingerprint(cfg *config.Config, node *structs.Node) (bool, e return false, nil } - outBytes, err := exec.Command("rkt", "version").Output() + outBytes, err := exec.Command(rktCmd, "version").Output() if err != nil { delete(node.Attributes, rktDriverAttr) return false, nil @@ -163,13 +170,22 @@ func (d *RktDriver) Fingerprint(cfg *config.Config, node *structs.Node) (bool, e minVersion, _ := version.NewVersion(minRktVersion) currentVersion, _ := version.NewVersion(node.Attributes["driver.rkt.version"]) if currentVersion.LessThan(minVersion) { - // Do not allow rkt < 0.14.0 + // Do not allow ancient rkt versions d.logger.Printf("[WARN] driver.rkt: please upgrade rkt to a version >= %s", minVersion) node.Attributes[rktDriverAttr] = "0" } + + // Advertise if this node supports rkt volumes + if d.config.ReadBoolDefault(rktVolumesConfigOption, rktVolumesConfigDefault) { + node.Attributes["driver."+rktVolumesConfigOption] = "1" + } return true, nil } +func (d *RktDriver) Periodic() (bool, time.Duration) { + return true, 15 * time.Second +} + // Run an existing Rkt image. func (d *RktDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle, error) { var driverConfig RktDriverConfig @@ -198,7 +214,7 @@ func (d *RktDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle, e insecure := false if trustPrefix != "" { var outBuf, errBuf bytes.Buffer - cmd := exec.Command("rkt", "trust", "--skip-fingerprint-review=true", fmt.Sprintf("--prefix=%s", trustPrefix), fmt.Sprintf("--debug=%t", debug)) + cmd := exec.Command(rktCmd, "trust", "--skip-fingerprint-review=true", fmt.Sprintf("--prefix=%s", trustPrefix), fmt.Sprintf("--debug=%t", debug)) cmd.Stdout = &outBuf cmd.Stderr = &errBuf if err := cmd.Run(); err != nil { @@ -211,15 +227,50 @@ func (d *RktDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle, e insecure = true } cmdArgs = append(cmdArgs, "run") - cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s", task.Name, ctx.AllocDir.SharedDir)) - cmdArgs = append(cmdArgs, fmt.Sprintf("--mount=volume=%s,target=%s", task.Name, ctx.AllocDir.SharedDir)) + + // Mount /alloc + allocVolName := fmt.Sprintf("%s-%s-alloc", ctx.AllocID, task.Name) + cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s", allocVolName, ctx.AllocDir.SharedDir)) + cmdArgs = append(cmdArgs, fmt.Sprintf("--mount=volume=%s,target=%s", allocVolName, allocdir.SharedAllocContainerPath)) + + // Mount /local + localVolName := fmt.Sprintf("%s-%s-local", ctx.AllocID, task.Name) + cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s", localVolName, filepath.Join(taskDir, allocdir.TaskLocal))) + cmdArgs = append(cmdArgs, fmt.Sprintf("--mount=volume=%s,target=%s", localVolName, allocdir.TaskLocalContainerPath)) + + // Mount /secrets + secretsVolName := fmt.Sprintf("%s-%s-secrets", ctx.AllocID, task.Name) + cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s", secretsVolName, filepath.Join(taskDir, allocdir.TaskSecrets))) + cmdArgs = append(cmdArgs, fmt.Sprintf("--mount=volume=%s,target=%s", secretsVolName, allocdir.TaskSecretsContainerPath)) + + // Mount arbitrary volumes if enabled + if len(driverConfig.Volumes) > 0 { + if enabled := d.config.ReadBoolDefault(rktVolumesConfigOption, rktVolumesConfigDefault); !enabled { + return nil, fmt.Errorf("%s is false; cannot use rkt volumes: %+q", rktVolumesConfigOption, driverConfig.Volumes) + } + + for i, rawvol := range driverConfig.Volumes { + parts := strings.Split(rawvol, ":") + if len(parts) != 2 { + return nil, fmt.Errorf("invalid rkt volume: %q", rawvol) + } + volName := fmt.Sprintf("%s-%s-%d", ctx.AllocID, task.Name, i) + cmdArgs = append(cmdArgs, fmt.Sprintf("--volume=%s,kind=host,source=%s", volName, parts[0])) + cmdArgs = append(cmdArgs, fmt.Sprintf("--mount=volume=%s,target=%s", volName, parts[1])) + } + } + cmdArgs = append(cmdArgs, img) - if insecure == true { + if insecure { cmdArgs = append(cmdArgs, "--insecure-options=all") } cmdArgs = append(cmdArgs, fmt.Sprintf("--debug=%t", debug)) // Inject environment variables + d.taskEnv.SetAllocDir(allocdir.SharedAllocContainerPath) + d.taskEnv.SetTaskLocalDir(allocdir.TaskLocalContainerPath) + d.taskEnv.SetTaskLocalDir(allocdir.TaskSecretsContainerPath) + d.taskEnv.Build() for k, v := range d.taskEnv.EnvMap() { cmdArgs = append(cmdArgs, fmt.Sprintf("--set-env=%v=%v", k, v)) } @@ -295,7 +346,7 @@ func (d *RktDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle, e return nil, fmt.Errorf("failed to set executor context: %v", err) } - absPath, err := GetAbsolutePath("rkt") + absPath, err := GetAbsolutePath(rktCmd) if err != nil { return nil, err } diff --git a/client/driver/rkt_test.go b/client/driver/rkt_test.go index 6418320e36d..36a494c83f9 100644 --- a/client/driver/rkt_test.go +++ b/client/driver/rkt_test.go @@ -12,7 +12,6 @@ import ( "time" "github.com/hashicorp/nomad/client/config" - "github.com/hashicorp/nomad/client/driver/env" "github.com/hashicorp/nomad/nomad/structs" "github.com/hashicorp/nomad/testutil" @@ -171,7 +170,7 @@ func TestRktDriver_Start_Wait(t *testing.T) { if !res.Successful() { t.Fatalf("err: %v", res) } - case <-time.After(time.Duration(testutil.TestMultiplier()*5) * time.Second): + case <-time.After(time.Duration(testutil.TestMultiplier()*15) * time.Second): t.Fatalf("timeout") } } @@ -223,7 +222,7 @@ func TestRktDriver_Start_Wait_Skip_Trust(t *testing.T) { if !res.Successful() { t.Fatalf("err: %v", res) } - case <-time.After(time.Duration(testutil.TestMultiplier()*5) * time.Second): + case <-time.After(time.Duration(testutil.TestMultiplier()*15) * time.Second): t.Fatalf("timeout") } } @@ -237,6 +236,12 @@ func TestRktDriver_Start_Wait_AllocDir(t *testing.T) { exp := []byte{'w', 'i', 'n'} file := "output.txt" + tmpvol, err := ioutil.TempDir("", "nomadtest_rktdriver_volumes") + if err != nil { + t.Fatalf("error creating temporary dir: %v", err) + } + defer os.RemoveAll(tmpvol) + hostpath := filepath.Join(tmpvol, file) task := &structs.Task{ Name: "alpine", @@ -245,8 +250,9 @@ func TestRktDriver_Start_Wait_AllocDir(t *testing.T) { "command": "/bin/sh", "args": []string{ "-c", - fmt.Sprintf(`echo -n %s > ${%s}/%s`, string(exp), env.AllocDir, file), + fmt.Sprintf(`echo -n %s > foo/%s`, string(exp), file), }, + "volumes": []string{fmt.Sprintf("%s:/foo", tmpvol)}, }, LogConfig: &structs.LogConfig{ MaxFiles: 10, @@ -276,13 +282,12 @@ func TestRktDriver_Start_Wait_AllocDir(t *testing.T) { if !res.Successful() { t.Fatalf("err: %v", res) } - case <-time.After(time.Duration(testutil.TestMultiplier()*5) * time.Second): + case <-time.After(time.Duration(testutil.TestMultiplier()*15) * time.Second): t.Fatalf("timeout") } // Check that data was written to the shared alloc directory. - outputFile := filepath.Join(execCtx.AllocDir.SharedDir, file) - act, err := ioutil.ReadFile(outputFile) + act, err := ioutil.ReadFile(hostpath) if err != nil { t.Fatalf("Couldn't read expected output: %v", err) } diff --git a/scripts/install_rkt.sh b/scripts/install_rkt.sh index 9c3b60c1d60..22df0a5cf5c 100755 --- a/scripts/install_rkt.sh +++ b/scripts/install_rkt.sh @@ -2,29 +2,27 @@ set -ex -RKT_VERSION="v1.5.1" -RKT_SHA512="8163ca59fc8c44c9c2997431d16274d81d2e82ff2956c860607f4c111de744b78cdce716f8afbacf7173e0cdce25deac73ec95a30a8849bbf58d35faeb84e398" -DEST_DIR="/usr/local/bin" +RKT_VERSION="v1.17.0" +RKT_SHA512="30fd15716e148afa34ed28e6d5d778226e5e9761e9df3eb98f397cb2a7f3e3fc78e3dad2b717eee4157afc58183778cb1872aa82f3d05cc2bc9fb41193e81a7f" +CMD="cp" -sudo mkdir -p /etc/rkt/net.d -echo '{"name": "default", "type": "ptp", "ipMasq": false, "ipam": { "type": "host-local", "subnet": "172.16.28.0/24", "routes": [ { "dst": "0.0.0.0/0" } ] } }' | sudo tee -a /etc/rkt/net.d/99-network.conf +if [ ! -v DEST_DIR ]; then + DEST_DIR="/usr/local/bin" + CMD="sudo cp" +fi if [ ! -d "rkt-${RKT_VERSION}" ]; then printf "rkt-%s/ doesn't exist\n" "${RKT_VERSION}" if [ ! -f "rkt-${RKT_VERSION}.tar.gz" ]; then printf "Fetching rkt-%s.tar.gz\n" "${RKT_VERSION}" + echo "$RKT_SHA512 rkt-${RKT_VERSION}.tar.gz" > rkt-$RKT_VERSION.tar.gz.sha512sum wget https://github.com/coreos/rkt/releases/download/$RKT_VERSION/rkt-$RKT_VERSION.tar.gz - expected_version=$(printf 'SHA512(rkt-%s.tar.gz)= %s' "${RKT_VERSION}" "${RKT_SHA512}") - actual_version=$(openssl sha512 rkt-${RKT_VERSION}.tar.gz) - if [ "${expected_version}" != "${actual_version}" ]; then - printf "SHA512 of rkt-%s failed\n" "${RKT_VERSION}" - exit 1 - fi + sha512sum --check rkt-$RKT_VERSION.tar.gz.sha512sum tar xzvf rkt-$RKT_VERSION.tar.gz fi fi -sudo cp rkt-$RKT_VERSION/rkt $DEST_DIR -sudo cp rkt-$RKT_VERSION/*.aci $DEST_DIR +$CMD rkt-$RKT_VERSION/rkt $DEST_DIR +$CMD rkt-$RKT_VERSION/*.aci $DEST_DIR rkt version diff --git a/scripts/install_rkt_vagrant.sh b/scripts/install_rkt_vagrant.sh new file mode 100755 index 00000000000..679b6e15304 --- /dev/null +++ b/scripts/install_rkt_vagrant.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +set -ex + +# Configure rkt networking +sudo mkdir -p /etc/rkt/net.d +echo '{"name": "default", "type": "ptp", "ipMasq": false, "ipam": { "type": "host-local", "subnet": "172.16.28.0/24", "routes": [ { "dst": "0.0.0.0/0" } ] } }' | sudo tee -a /etc/rkt/net.d/99-network.conf + diff --git a/scripts/test.sh b/scripts/test.sh index d7058fdc1d3..f2baeba241f 100755 --- a/scripts/test.sh +++ b/scripts/test.sh @@ -12,6 +12,6 @@ go build -tags "nomad_test" -o $TEMPDIR/nomad || exit 1 # Run the tests echo "--> Running tests" GOBIN="`which go`" -sudo -E PATH=$TEMPDIR:$PATH -E GOPATH=$GOPATH \ +sudo -E PATH=$TEMPDIR:$PATH -E GOPATH=$GOPATH -E NOMAD_TEST_RKT=1 \ $GOBIN test -tags "nomad_test" ${GOTEST_FLAGS:--cover -timeout=900s} $($GOBIN list ./... | grep -v /vendor/) diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md index 0b05dabbdd1..2372cb4ea03 100644 --- a/website/source/docs/drivers/docker.html.md +++ b/website/source/docs/drivers/docker.html.md @@ -162,12 +162,19 @@ The `docker` driver supports the following configuration in the job spec: ``` * `volumes` - (Optional) A list of `host_path:container_path` strings to bind - host paths to container paths. Can only be run on clients with the - `docker.volumes.enabled` option set to true. + host paths to container paths. Mounting host paths outside of the alloc + directory tasks normally have access to can be disabled on clients by setting + the `docker.volumes.enabled` option set to false. ```hcl config { - volumes = ["/path/on/host:/path/in/container"] + volumes = [ + # Use absolute paths to mount arbitrary paths on the host + "/path/on/host:/path/in/container", + + # Use relative paths to rebind paths already in the allocation dir + "relative/to/alloc:/also/in/container" + ] } ``` @@ -315,7 +322,7 @@ Some networking modes like `container` or `none` will require coordination outside of Nomad. First-class support for these options may be improved later through Nomad plugins or dynamic job configuration. -## Host Requirements +## Client Requirements Nomad requires Docker to be installed and running on the host alongside the Nomad agent. Nomad was developed against Docker `1.8.2` and `1.9`. @@ -333,7 +340,7 @@ user to the `docker` group so you can run Nomad without root: For the best performance and security features you should use recent versions of the Linux Kernel and Docker daemon. -## Agent Configuration +## Client Configuration The `docker` driver has the following [client configuration options](/docs/agent/config.html#options): @@ -363,9 +370,9 @@ options](/docs/agent/config.html#options): * `docker.cleanup.image` Defaults to `true`. Changing this to `false` will prevent Nomad from removing images from stopped tasks. -* `docker.volumes.enabled`: Defaults to `false`. Allows tasks to bind host - paths (`volumes`) or other containers (`volums_from`) inside their container. - Disabled by default as it removes the isolation between containers' data. +* `docker.volumes.enabled`: Defaults to `true`. Allows tasks to bind host paths + (`volumes`) inside their container. Binding relative paths is always allowed + and will be resolved relative to the allocation's directory. * `docker.volumes.selinuxlabel`: Allows the operator to set a SELinux label to the allocation and task local bind-mounts to containers. If used @@ -392,7 +399,7 @@ client { } ``` -## Agent Attributes +## Client Attributes The `docker` driver will set the following client attributes: diff --git a/website/source/docs/drivers/rkt.html.md b/website/source/docs/drivers/rkt.html.md index 6f83e636a48..2056c76bcfa 100644 --- a/website/source/docs/drivers/rkt.html.md +++ b/website/source/docs/drivers/rkt.html.md @@ -75,10 +75,14 @@ The `rkt` driver supports the following configuration in the job spec: * `debug` - (Optional) Enable rkt command debug option. -## Task Directories +* `volumes` - (Optional) A list of `host_path:container_path` strings to bind + host paths to container paths. -The `rkt` driver currently does not support mounting of the `alloc/` and `local/` directories. -Once support is added, version `v0.10.0` or above of `rkt` will be required. + ```hcl + config { + volumes = ["/path/on/host:/path/in/container"] + } + ``` ## Client Requirements @@ -87,15 +91,25 @@ The `trust_prefix` must be accessible by the node running Nomad. This can be an internal source, private to your cluster, but it must be reachable by the client over HTTP. +## Client Configuration + +The `rkt` driver has the following [client configuration +options](/docs/agent/config.html#options): + +* `rkt.volumes.enabled`: Defaults to `true`. Allows tasks to bind host paths + (`volumes`) inside their container. Binding relative paths is always allowed + and will be resolved relative to the allocation's directory. + + ## Client Attributes The `rkt` driver will set the following client attributes: * `driver.rkt` - Set to `1` if rkt is found on the host node. Nomad determines -this by executing `rkt version` on the host and parsing the output -* `driver.rkt.version` - Version of `rkt` eg: `0.8.1`. Note that the minimum required -version is `0.14.0` -* `driver.rkt.appc.version` - Version of `appc` that `rkt` is using eg: `0.8.1` + this by executing `rkt version` on the host and parsing the output +* `driver.rkt.version` - Version of `rkt` eg: `1.1.0`. Note that the minimum required + version is `1.0.0` +* `driver.rkt.appc.version` - Version of `appc` that `rkt` is using eg: `1.1.0` Here is an example of using these properties in a job file: @@ -105,7 +119,7 @@ job "docs" { constraint { attribute = "${driver.rkt.version}" operator = ">" - value = "0.8" + value = "1.2" } } ```