github.com/Ilhicas/nomad@v1.0.4-0.20210304152020-e86851182bc3/website/content/docs/drivers/exec.mdx

---
layout: docs
page_title: 'Drivers: Exec'
sidebar_title: Isolated Fork/Exec
description: The Exec task driver is used to run binaries using OS isolation primitives.
---

# Isolated Fork/Exec Driver

Name: `exec`

The `exec` driver is used to simply execute a particular command for a task.
However, unlike [`raw_exec`](/docs/drivers/raw_exec) it uses the underlying isolation
primitives of the operating system to limit the task's access to resources. While
simple, since the `exec` driver can invoke any command, it can be used to call
scripts or other wrappers which provide higher level features.

## Task Configuration

```hcl
task "webservice" {
  driver = "exec"

  config {
    command = "my-binary"
    args    = ["-flag", "1"]
  }
}
```

The `exec` driver supports the following configuration in the job spec:

- `command` - The command to execute. Must be provided. If executing a binary
  that exists on the host, the path must be absolute and within the task's
  [chroot](#chroot). If executing a binary that is downloaded from
  an [`artifact`](/docs/job-specification/artifact), the path can be
  relative to the allocation's root directory.

- `args` - (Optional) A list of arguments to the `command`. References
  to environment variables or any [interpretable Nomad
  variables](/docs/runtime/interpolation) will be interpreted before
  launching the task.

- `pid_mode` - (Optional) Set to `"private"` to enable PID namespace isolation for
  this task, or `"host"` to disable isolation. If left unset, the behavior is
  determined from the [`default_pid_mode`][default_pid_mode] in plugin configuration.

!> **Warning:** If set to `"host"`, other processes running as the same user will
be able to access sensitive process information like environment variables.

- `ipc_mode` - (Optional) Set to `"private"` to enable IPC namespace isolation for
  this task, or `"host"` to disable isolation. If left unset, the behavior is
  determined from the [`default_ipc_mode`][default_ipc_mode] in plugin configuration.

!> **Warning:** If set to `"host"`, other processes running as the same user will be
able to make use of IPC features, like sending unexpected POSIX signals.

## Examples

To run a binary present on the Node:

```hcl
task "example" {
  driver = "exec"

  config {
    # When running a binary that exists on the host, the path must be absolute.
    command = "/bin/sleep"
    args    = ["1"]
  }
}
```

To execute a binary downloaded from an
[`artifact`](/docs/job-specification/artifact):

```hcl
task "example" {
  driver = "exec"

  config {
    command = "name-of-my-binary"
  }

  artifact {
    source = "https://internal.file.server/name-of-my-binary"
    options {
      checksum = "sha256:abd123445ds4555555555"
    }
  }
}
```

## Capabilities

The `exec` driver implements the following [capabilities](/docs/internals/plugins/task-drivers#capabilities-capabilities-error).

| Feature              | Implementation |
| -------------------- | -------------- |
| `nomad alloc signal` | true           |
| `nomad alloc exec`   | true           |
| filesystem isolation | chroot         |
| network isolation    | host, group    |
| volume mounting      | all            |

## Client Requirements

The `exec` driver can only be used on Linux, with Nomad running as root.
`exec` is limited to this configuration because currently isolation of resources
is only guaranteed on Linux. Further, the host must have cgroups mounted properly
in order for the driver to work.

If you are receiving the error:

```
* Constraint "missing drivers" filtered <> nodes
```

and using the exec driver, check to ensure that you are running Nomad as root.
This also applies when running Nomad in `-dev` mode.

## Plugin Options

- `default_pid_mode` `(string: optional)` - Defaults to `"private"`. Set to
  `"private"` to enable PID namespace isolation for tasks by default, or `"host"` to
  disable isolation.

!> **Warning:** If set to `"host"`, other processes running as the same user will
be able to access sensitive process information like environment variables.

- `default_ipc_mode` `(string: optional)` - Defaults to `"private"`. Set to
  `"private"` to enable IPC namespace isolation for tasks by default,
  or `"host"` to disable isolation.

!> **Warning:** If set to `"host"`, other processes running as the same user will be
able to make use of IPC features, like sending unexpected POSIX signals.

- `no_pivot_root` `(bool: optional)` - Defaults to `false`. When `true`, the driver uses `chroot`
  for file system isolation without `pivot_root`. This is useful for systems
  where the root is on a ramdisk.

## Client Attributes

The `exec` driver will set the following client attributes:

- `driver.exec` - This will be set to "1", indicating the driver is available.

## Resource Isolation

The resource isolation provided varies by the operating system of
the client and the configuration.

On Linux, Nomad uses cgroups and a chroot to isolate the resources of a
process, and as such the Nomad agent must be run as root. Some Linux
distributions do not boot with all required cgroups enabled by default. You
can see which cgroups are enabled by reading `/proc/cgroups`, and verifying
that all of the following cgroups are enabled:

```
$ awk '{print $1 " " $4}' /proc/cgroups
#subsys_name enabled
cpuset 1
cpu 1
cpuacct 1
blkio 1
memory 1
devices 1
freezer 1
net_cls 1
perf_event 1
net_prio 1
hugetlb 1
pids 1
```

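As an added check (not part of the Nomad documentation), the following POSIX shell script compares the subsystems in a `/proc/cgroups`-style file against the list above and reports any that are absent or listed with `enabled` set to 0. It runs against a constructed sample so it can be tried offline; on a client, point `missing_cgroups` at the real `/proc/cgroups`.

```shell
# Added example, not from the Nomad docs: verify that every cgroup subsystem the
# exec driver needs is present and enabled, using the /proc/cgroups column layout
# (subsys_name, hierarchy, num_cgroups, enabled).
required_cgroups() {
  # The subsystems listed in the documentation above.
  echo "cpuset cpu cpuacct blkio memory devices freezer net_cls perf_event net_prio hugetlb pids"
}

# missing_cgroups FILE: print, one per line, each required subsystem that is
# either absent from FILE or present with enabled=0 in the 4th column.
missing_cgroups() {
  file="$1"
  for name in $(required_cgroups); do
    enabled=$(awk -v n="$name" '$1 == n { print $4 }' "$file")
    if [ "$enabled" != "1" ]; then
      echo "$name"
    fi
  done
}

# Constructed sample resembling /proc/cgroups on a host where the "memory"
# controller is disabled and "pids" is not compiled into the kernel at all.
sample_cgroups=$(mktemp)
cat > "$sample_cgroups" <<'EOF'
#subsys_name hierarchy num_cgroups enabled
cpuset 2 1 1
cpu 3 1 1
cpuacct 3 1 1
blkio 4 1 1
memory 5 1 0
devices 6 1 1
freezer 7 1 1
net_cls 8 1 1
perf_event 9 1 1
net_prio 8 1 1
hugetlb 10 1 1
EOF

# Report; on a real client replace "$sample_cgroups" with /proc/cgroups.
if [ -z "$(missing_cgroups "$sample_cgroups")" ]; then
  echo "all required cgroups are enabled"
else
  echo "missing or disabled cgroups:"
  missing_cgroups "$sample_cgroups"
fi
```
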
### Chroot

The chroot is populated with data in the following directories from the host
machine:

```
[
  "/bin",
  "/etc",
  "/lib",
  "/lib32",
  "/lib64",
  "/run/resolvconf",
  "/sbin",
  "/usr",
]
```

The task's chroot is populated by linking or copying the data from the host into
the chroot. Note that this can take considerable disk space. Since Nomad v0.5.3,
the client manages garbage collection locally which mitigates any issue this may
create.

This list is configurable through the agent client
[configuration file](/docs/configuration/client#chroot_env).

[default_pid_mode]: /docs/drivers/exec#default_pid_mode
[default_ipc_mode]: /docs/drivers/exec#default_ipc_mode