---
layout: docs
page_title: 'Drivers: Rkt'
description: The rkt task driver is used to run application containers using rkt.
---

~> **Deprecation Warning!**
Nomad introduced the rkt driver in version 0.2.0. The rkt project had some
early adoption; in recent times user adoption has trended away from rkt towards
other projects. Project activity has declined and there are unpatched CVEs.
The project has been [archived by the CNCF](https://github.com/rkt/rkt/issues/4004#issuecomment-507358362).

Nomad 0.11 converted the rkt driver to an external driver. We will not prioritize features
or pull requests that affect the rkt driver. The external driver is available as an [open source
repository](https://github.com/hashicorp/nomad-driver-rkt) for community ownership.

# Rkt Driver

Name: `rkt`

The `rkt` driver provides an interface for using rkt for running
application containers.

## Task Configuration

```hcl
task "webservice" {
  driver = "rkt"

  config {
    image = "redis:7"
  }
}
```

The `rkt` driver supports the following configuration in the job spec:

- `image` - The image to run. May be specified by name, hash, ACI address
  or docker registry.

  ```hcl
  config {
    image = "https://hub.docker.internal/redis:7"
  }
  ```

- `command` - (Optional) A command to execute on the ACI.

  ```hcl
  config {
    command = "my-command"
  }
  ```

- `args` - (Optional) A list of arguments to the optional `command`. References
  to environment variables or any [interpretable Nomad
  variables](/docs/runtime/interpolation) will be interpreted before
  launching the task.

  ```hcl
  config {
    args = [
      "-bind", "${NOMAD_PORT_http}",
      "${nomad.datacenter}",
      "${MY_ENV}",
      "${meta.foo}",
    ]
  }
  ```

- `trust_prefix` - (Optional) The trust prefix to be passed to rkt. Must be
  reachable from the box running the nomad agent. If not specified, the image is
  run with `--insecure-options=all`.

- `insecure_options` - (Optional) List of insecure options for rkt. Consult `rkt --help`
  for the list of supported values. This list overrides the `--insecure-options=all` default when
  no `trust_prefix` is provided in the job config, so `insecure_options = ["none"]` can be
  used to enforce secure runs.

  ```hcl
  config {
    image = "example.com/image:1.0"
    insecure_options = ["image", "tls", "ondisk"]
  }
  ```

- `dns_servers` - (Optional) A list of DNS servers to be used in the container.
  Alternatively a list containing just `host` or `none`. `host` uses the host's
  `resolv.conf` while `none` forces use of the image's name resolution configuration.

- `dns_search_domains` - (Optional) A list of DNS search domains to be used in
  the containers.

- `net` - (Optional) A list of networks to be used by the containers.

- `port_map` - (Optional) A key/value map of ports used by the container. The
  value is the port name specified in the image manifest file. When running
  Docker images with rkt the port names will be of the form `${PORT}-tcp`. See
  [networking](#networking) below for more details.

  ```hcl
  port_map {
    # If running a Docker image that exposes port 8080
    app = "8080-tcp"
  }
  ```

* `debug` - (Optional) Enable rkt command debug option.

* `no_overlay` - (Optional) When enabled, will use `--no-overlay=true` flag for 'rkt run'.
  Useful when running jobs on older systems affected by https://github.com/rkt/rkt/issues/1922

* `volumes` - (Optional) A list of `host_path:container_path[:readOnly]` strings to bind
  host paths to container paths.
  Mount is done read-write by default; an optional third parameter `readOnly` can be provided
  to make it read-only.

  ```hcl
  config {
    volumes = ["/path/on/host:/path/in/container", "/readonly/path/on/host:/path/in/container:readOnly"]
  }
  ```

* `group` - (Optional) Specifies the group that will run the task. Sets the
  `--group` flag and overrides the group specified by the image. The
  [`user`][user] may be specified at the task level.

## Networking

The `rkt` driver can specify `--net` and `--port` for the rkt client. Hence, there are two ways to use host ports:
`--net=host`, or `--port=PORT` with your network.

Example:

```hcl
task "redis" {
  # Use rkt to run the task.
  driver = "rkt"

  config {
    # Use docker image with port defined
    image = "docker://redis:latest"
    port_map {
      app = "6379-tcp"
    }
  }

  service {
    port = "app"
  }

  resources {
    network {
      port "app" {
        static = 12345
      }
    }
  }
}
```

### Allocating Ports

You can allocate ports to your task using the port syntax described on the
[networking page](/docs/job-specification/network).

When you use port allocation, the image manifest needs to declare public ports and the host needs a configured network.
For more information, please refer to [rkt Networking](https://coreos.com/rkt/docs/latest/networking/overview).

## Client Requirements

The `rkt` driver requires the following:

- The Nomad client agent to be running as the root user.
- rkt to be installed and in your system's `$PATH`.
- The `trust_prefix` must be accessible by the node running Nomad.
  This can be an
  internal source, private to your cluster, but it must be reachable by the client
  over HTTP.

## Plugin Options

- `volumes_enabled` - Defaults to `true`. Allows tasks to bind host paths
  (`volumes`) inside their container. Binding relative paths is always allowed
  and will be resolved relative to the allocation's directory.

## Client Configuration

~> Note: client configuration options will soon be deprecated. Please use [plugin options][plugin-options] instead. See the [plugin stanza][plugin-stanza] documentation for more information.

The `rkt` driver has the following [client configuration
options](/docs/configuration/client#options):

- `rkt.volumes.enabled` - Defaults to `true`. Allows tasks to bind host paths
  (`volumes`) inside their container. Binding relative paths is always allowed
  and will be resolved relative to the allocation's directory.

## Client Attributes

The `rkt` driver will set the following client attributes:

- `driver.rkt` - Set to `1` if rkt is found on the host node. Nomad determines
  this by executing `rkt version` on the host and parsing the output.
- `driver.rkt.version` - Version of `rkt` e.g.: `1.27.0`. Note that the minimum required
  version is `1.27.0`.
- `driver.rkt.appc.version` - Version of `appc` that `rkt` is using e.g.: `1.1.0`

Here is an example of using these properties in a job file:

```hcl
job "docs" {
  # Only run this job where the rkt version is higher than 1.2.
  constraint {
    attribute = "${driver.rkt.version}"
    operator  = ">"
    value     = "1.2"
  }
}
```

## Resource Isolation

This driver supports CPU and memory isolation by delegating to `rkt`. Network
isolation is not supported as of now.

[user]: /docs/job-specification/task#user
[plugin-options]: #plugin-options
[plugin-stanza]: /docs/configuration/plugin
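
The `trust_prefix` / `insecure_options` defaults and the `volumes` syntax described under Task Configuration can be checked before a job is submitted. The script below is an added example, not code from Nomad or the rkt driver: it reports, per rkt task, the insecure options the task ends up with and any absolute host path bound read-write. It assumes the job is available in Nomad's JSON job layout (`Job` → `TaskGroups` → `Tasks` → `Config`); the function names, finding labels and sample job are made up for the example, and the handling of `insecure_options` set together with `trust_prefix` is an assumption the page does not cover.

```python
import json

# Constructed sample in Nomad's JSON job layout (Job -> TaskGroups -> Tasks);
# task names are made up, config values reuse the snippets on this page.
SAMPLE_JOB = json.loads("""
{"Job": {"ID": "docs", "TaskGroups": [{"Name": "web", "Tasks": [
  {"Name": "defaulted", "Driver": "rkt", "Config": {"image": "redis:7"}},
  {"Name": "partial", "Driver": "rkt", "Config": {"image": "redis:7",
     "insecure_options": ["image", "tls", "ondisk"],
     "volumes": ["/path/on/host:/path/in/container",
                 "/readonly/path/on/host:/path/in/container:readOnly",
                 "data:/path/in/container"]}},
  {"Name": "verified", "Driver": "rkt", "Config": {"image": "redis:7",
     "insecure_options": ["none"]}},
  {"Name": "other", "Driver": "docker", "Config": {"image": "redis:7"}}
]}]}}
""")


def effective_insecure_options(config):
    """Insecure options rkt ends up with under the rules described above."""
    explicit = config.get("insecure_options") or []
    if explicit:
        # Assumption: an explicit list is used as given, even with trust_prefix.
        return [] if explicit == ["none"] else list(explicit)
    # No list: without trust_prefix the driver falls back to "all".
    return [] if config.get("trust_prefix") else ["all"]


def writable_host_mounts(config):
    """Absolute host paths bound read-write; relative ones stay in the alloc dir."""
    specs = (s.split(":") for s in config.get("volumes") or [])
    return [p[0] for p in specs
            if p[0].startswith("/") and p[2:3] != ["readOnly"]]


def audit(job):
    """Map each rkt task name to its findings; clean tasks are omitted."""
    report = {}
    for group in job["Job"].get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            if task.get("Driver") != "rkt":
                continue
            config = task.get("Config") or {}
            found = ["insecure-option:" + o for o in effective_insecure_options(config)]
            found += ["rw-host-mount:" + p for p in writable_host_mounts(config)]
            if found:
                report[task["Name"]] = found
    return report
```

Call `audit()` on a parsed job and treat a non-empty report as a failed check in whatever pipeline submits jobs to the cluster.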