github.com/iqoqo/nomad@v0.11.3-0.20200911112621-d7021c74d101/website/pages/docs/drivers/external/jail-task-driver.mdx

---
layout: docs
page_title: 'Drivers: jail-task-driver'
sidebar_title: Jailtask driver
description: >-
  The Jail task driver is used to run application containers using FreeBSD
  jails.
---

# Jail Task Driver

Name: `jail-task-driver`

The Jail task driver provides an interface for using FreeBSD jails for running application
containers. You can download the external jail-task-driver [here][jail-task-driver]. For more detailed instructions on how to set up and use this driver, please refer to the [guide][jail-task-guide].

## Task Configuration

```hcl
task "http-echo-jail" {
  driver = "jail-task-driver"
  config {
    Path              = "/zroot/iocage/jails/myjail/root"
    Allow_raw_sockets = true
    Allow_chflags     = true
    Ip4_addr          = "em1|192.168.1.102"
    Exec_start        = "/usr/local/bin/http-echo -listen :9999 -text hello"
    Rctl = {
      Vmemoryuse = {
        Action = "deny"
        Amount = "1G"
        Per    = "process"
      }
      Openfiles = {
        Action = "deny"
        Amount = "500"
      }
    }
  }
}
```

The Jail task driver supports most of the [JAIL(8)][jail(8)] parameters. For a list of the currently supported parameters, please refer to the [Parameter Documentation][parameter-doc].

- `Path` - (Optional) The directory which is to be the root of the jail.
  Defaults to Nomad's allocation directory.

- `Ip4` - (Optional) Control the availability of IPv4 addresses. Possible values are
  **"inherit"** to allow unrestricted access to all system addresses,
  **"new"** to restrict addresses via `Ip4_addr`, and **"disable"** to stop
  the jail from using IPv4 entirely.

~> Note: Setting the `Ip4_addr` parameter implies a value of **"new"**.

- `Ip4_addr` - (Optional) A list of IPv4 addresses assigned to the jail. If this is set,
  the jail is restricted to using only these addresses. Any attempt to use other addresses fails,
  and attempts to use wildcard addresses silently use the jailed address instead. For
  IPv4 the first address given will be used as the source address when source address selection on
  unbound sockets cannot find a better match. It is only possible to start multiple jails with
  the same IP address if none of the jails has more than this
  single overlapping IP address assigned to itself.

- `Allow_raw_sockets` - (Optional) The jail root is allowed to create raw sockets. Setting
  this parameter allows utilities like ping(8) and traceroute(8) to operate inside the jail.
  If this is set, the source IP addresses are enforced to comply with the IP address bound to the jail,
  regardless of whether or not the IP_HDRINCL flag has been set on the socket.
  Since raw sockets can be used to configure and interact with various network subsystems, extra caution
  should be used where privileged access to jails is given out to untrusted parties.

## Resource Isolation

Resource isolation on jails is enforced by [RCTL(8)][rctl-doc]; all parameters for resource control
are supported.

- `Rctl` - (Optional) Set resource limits on the jail. For a list of currently supported parameters, please refer to the [Parameter Documentation][parameter-doc].

  * `Vmemoryuse` - (Optional) Address space limit, in bytes
  * `Cputime` - (Optional) CPU time, in seconds
  * `Datasize` - (Optional) Data size, in bytes
  * `Stacksize` - (Optional) Stack size, in bytes
  * `Coredumpsize` - (Optional) Core dump size, in bytes
  * `Memoryuse` - (Optional) Resident set size, in bytes
  * `Memorylocked` - (Optional) Locked memory, in bytes
  * `Maxproc` - (Optional) Number of processes
  * `Openfiles` - (Optional) File descriptor table size
  * `Pseudoterminals` - (Optional) Number of PTYs
  * `Swapuse` - (Optional) Swap space that may be reserved or used, in bytes
  * `Nthr` - (Optional) Number of threads
  * `Msgqqueued` - (Optional) Number of queued SysV messages
  * `Msgqsize` - (Optional) SysV message queue size, in bytes
  * `Nmsgq` - (Optional) Number of SysV message queues
  * `Nsem` - (Optional) Number of SysV semaphores
  * `Nsemop` - (Optional) Number of SysV semaphores modified in a single semop(2) call
  * `Nshm` - (Optional) Number of SysV shared memory segments
  * `Shmsize` - (Optional) SysV shared memory size, in bytes
  * `Wallclock` - (Optional) Wallclock time, in seconds
  * `Pcpu` - (Optional) %CPU, in percent of a single CPU core
  * `Readbps` - (Optional) Filesystem reads, in bytes per second
  * `Writebps` - (Optional) Filesystem writes, in bytes per second
  * `Readiops` - (Optional) Filesystem reads, in operations per second
  * `Writeiops` - (Optional) Filesystem writes, in operations per second

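As an added example (not part of the driver's own documentation), the job below combines the jail parameters described on this page with `Rctl` limits that bound what a misbehaving or compromised workload can consume: raw sockets stay off, the jail is pinned to one address with `Ip4 = "new"`, and process, thread, file-descriptor and address-space limits use the `deny` action. The `log` action on `Pcpu` is assumed to be passed through to rctl(8) unchanged, and the jail path, interface and address are placeholders.

```hcl
job "http-echo-limited" {
  datacenters = ["dc1"]
  group "web" {
    task "http-echo-jail" {
      driver = "jail-task-driver"
      config {
        # Placeholder jail root; point this at a prepared jail.
        Path = "/zroot/iocage/jails/myjail/root"

        # "new" confines the jail to the addresses in Ip4_addr;
        # "inherit" would expose every address on the host.
        Ip4      = "new"
        Ip4_addr = "em1|192.168.1.102"

        # Allow_raw_sockets is deliberately left unset: ping(8) will not
        # work inside the jail, but neither will hand-built IP packets.
        Exec_start = "/usr/local/bin/http-echo -listen :9999 -text hello"

        Rctl = {
          # Bound process and thread counts against fork storms.
          Maxproc = {
            Action = "deny"
            Amount = "64"
          }
          Nthr = {
            Action = "deny"
            Amount = "256"
          }
          # File descriptor table size, as in the page's own example.
          Openfiles = {
            Action = "deny"
            Amount = "500"
          }
          # Per-process address space, using rctl(8) unit suffixes.
          Vmemoryuse = {
            Action = "deny"
            Amount = "1G"
            Per    = "process"
          }
          # Log rather than deny when the jail exceeds 150% of one core.
          Pcpu = {
            Action = "log"
            Amount = "150"
          }
        }
      }
    }
  }
}
```

Once the allocation is running, the active rules can be listed on the host with `rctl -l jail:<jail name>` to confirm that each limit was installed.
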
## Networking

The job spec can specify the `Ip4_addr` parameter to add the jail's IP address to a specific interface at jail
startup, or the `Vnet` parameter to create a virtual network stack. Please refer to [JAIL(8)][jail(8)] for more details.

- `vnet jail` - Example taken from Michael W. Lucas, *FreeBSD Mastery: Jails* (IT Mastery Book 15).

```hcl
task "test01" {
  driver = "jail-task-driver"
  config {
    Path            = "/zroot/iocage/jails/myjail/root"
    Host_hostname   = "nomad00"
    Exec_clean      = true
    Exec_start      = "sh /etc/rc"
    Exec_stop       = "sh /etc/rc.shutdown"
    Mount_devfs     = true
    Exec_prestart   = "logger trying to start "
    Exec_poststart  = "logger jail has started"
    Exec_prestop    = "logger shutting down jail "
    Exec_poststop   = "logger has shut down jail "
    Exec_consolelog = "/var/tmp/vnet-example"
    Vnet            = true
    Vnet_nic        = "e0b_loghost"
    Exec_prestart   = "/usr/share/examples/jails/jib addm loghost em1"
    Exec_poststop   = "/usr/share/examples/jails/jib destroy loghost "
  }
}
```

## Client Requirements

`jail-task-driver` requires the following:

- 64-bit FreeBSD 12.0-RELEASE host
- The FreeBSD Nomad binary
- The jail-task-driver binary placed in the [plugin_dir][plugin_dir] directory.
- If resource control is going to be used, then [RACCT][racct-doc] must be enabled

[jail-task-driver]: https://github.com/cneira/jail-task-driver/releases
[jail-task-guide]: https://github.com/cneira/jail-task-driver#installation
[jail(8)]: https://www.freebsd.org/cgi/man.cgi?jail(8)
[racct-doc]: https://www.freebsd.org/doc/handbook/security-resourcelimits.html
[rctl-doc]: https://www.freebsd.org/doc/handbook/security-resourcelimits.html
[parameter-doc]: https://github.com/cneira/jail-task-driver/blob/master/Parameters.md
[plugin_dir]: /docs/configuration#plugin_dir