---
layout: docs
page_title: 'Drivers: Rkt'
sidebar_title: 'Rkt <sup>Deprecated</sup> '
description: The rkt task driver is used to run application containers using rkt.
---

~> **Deprecation Warning!**
Nomad introduced the rkt driver in version 0.2.0. The rkt project had some
early adoption; in recent times user adoption has trended away from rkt towards
other projects. Project activity has declined and there are unpatched CVEs.
The project has been [archived by the CNCF](https://github.com/rkt/rkt/issues/4004#issuecomment-507358362).

Nomad 0.11 converted the rkt driver to an external driver. We will not prioritize features
or pull requests that affect the rkt driver. The external driver is available as an [open source
repository](https://github.com/hashicorp/nomad-driver-rkt) for community ownership.

# Rkt Driver

Name: `rkt`

The `rkt` driver provides an interface for using rkt for running
application containers.

## Task Configuration

```hcl
task "webservice" {
  driver = "rkt"

  config {
    image = "redis:3.2"
  }
}
```

The `rkt` driver supports the following configuration in the job spec:

- `image` - The image to run. May be specified by name, hash, ACI address
  or docker registry.

  ```hcl
  config {
    image = "https://hub.docker.internal/redis:3.2"
  }
  ```

- `command` - (Optional) A command to execute on the ACI.

  ```hcl
  config {
    command = "my-command"
  }
  ```

- `args` - (Optional) A list of arguments to the optional `command`. References
  to environment variables or any [interpretable Nomad
  variables](/docs/runtime/interpolation) will be interpreted before
  launching the task.

  ```hcl
  config {
    args = [
      "-bind", "${NOMAD_PORT_http}",
      "${nomad.datacenter}",
      "${MY_ENV}",
      "${meta.foo}",
    ]
  }
  ```

- `trust_prefix` - (Optional) The trust prefix to be passed to rkt. Must be
  reachable from the box running the nomad agent. If not specified, the image is
  run with `--insecure-options=all`.

- `insecure_options` - (Optional) List of insecure options for rkt. Consult `rkt --help`
  for the list of supported values. This list overrides the `--insecure-options=all` default
  that applies when no `trust_prefix` is provided in the job config, so it can be used to
  enforce secure runs by setting `insecure_options = ["none"]`.

  ```hcl
  config {
    image = "example.com/image:1.0"
    insecure_options = ["image", "tls", "ondisk"]
  }
  ```

- `dns_servers` - (Optional) A list of DNS servers to be used in the container.
  Alternatively a list containing just `host` or `none`. `host` uses the host's
  `resolv.conf` while `none` forces use of the image's name resolution configuration.

- `dns_search_domains` - (Optional) A list of DNS search domains to be used in
  the containers.

- `net` - (Optional) A list of networks to be used by the containers.

- `port_map` - (Optional) A key/value map of ports used by the container. The
  value is the port name specified in the image manifest file. When running
  Docker images with rkt the port names will be of the form `${PORT}-tcp`. See
  [networking](#networking) below for more details.

  ```hcl
  port_map {
    # If running a Docker image that exposes port 8080
    app = "8080-tcp"
  }
  ```

* `debug` - (Optional) Enable rkt command debug option.

* `no_overlay` - (Optional) When enabled, will use `--no-overlay=true` flag for 'rkt run'.
  Useful when running jobs on older systems affected by https://github.com/rkt/rkt/issues/1922

* `volumes` - (Optional) A list of `host_path:container_path[:readOnly]` strings to bind
  host paths to container paths.
  Mounts are read-write by default; an optional third parameter `readOnly` can be provided
  to make a mount read-only.

  ```hcl
  config {
    volumes = ["/path/on/host:/path/in/container", "/readonly/path/on/host:/path/in/container:readOnly"]
  }
  ```

* `group` - (Optional) Specifies the group that will run the task. Sets the
  `--group` flag and overrides the group specified by the image. The
  [`user`][user] may be specified at the task level.

## Networking

The `rkt` driver can specify `--net` and `--port` for the rkt client. Hence, there are two ways
to use host ports: `--net=host`, or `--port=PORT` with your network.

Example:

```hcl
task "redis" {
  # Use rkt to run the task.
  driver = "rkt"

  config {
    # Use docker image with port defined
    image = "docker://redis:latest"
    port_map {
      app = "6379-tcp"
    }
  }

  service {
    port = "app"
  }

  resources {
    network {
      mbits = 10
      port "app" {
        static = 12345
      }
    }
  }
}
```

### Allocating Ports

You can allocate ports to your task using the port syntax described on the
[networking page](/docs/job-specification/network).

When you use port allocation, the image manifest needs to declare public ports and the host
needs a configured network.
For more information, please refer to [rkt Networking](https://coreos.com/rkt/docs/latest/networking/overview).

## Client Requirements

The `rkt` driver requires the following:

- The Nomad client agent to be running as the root user.
- rkt to be installed and in your system's `$PATH`.
- The `trust_prefix` must be accessible by the node running Nomad.
  This can be an internal source, private to your cluster, but it must be reachable
  by the client over HTTP.

## Plugin Options

- `volumes_enabled` - Defaults to `true`. Allows tasks to bind host paths
  (`volumes`) inside their container. Binding relative paths is always allowed
  and will be resolved relative to the allocation's directory.

## Client Configuration

~> Note: client configuration options will soon be deprecated. Please use [plugin options][plugin-options] instead. See the [plugin stanza][plugin-stanza] documentation for more information.

The `rkt` driver has the following [client configuration
options](/docs/configuration/client#options):

- `rkt.volumes.enabled` - Defaults to `true`. Allows tasks to bind host paths
  (`volumes`) inside their container. Binding relative paths is always allowed
  and will be resolved relative to the allocation's directory.

## Client Attributes

The `rkt` driver will set the following client attributes:

- `driver.rkt` - Set to `1` if rkt is found on the host node. Nomad determines
  this by executing `rkt version` on the host and parsing the output.
- `driver.rkt.version` - Version of `rkt` e.g.: `1.27.0`. Note that the minimum required
  version is `1.27.0`.
- `driver.rkt.appc.version` - Version of `appc` that `rkt` is using e.g.: `1.1.0`.

Here is an example of using these properties in a job file:

```hcl
job "docs" {
  # Only run this job where the rkt version is higher than 1.2.
  constraint {
    attribute = "${driver.rkt.version}"
    operator  = ">"
    value     = "1.2"
  }
}
```

## Resource Isolation

This driver supports CPU and memory isolation by delegating to `rkt`. Network
isolation is not supported as of now.

[user]: /docs/job-specification/task#user
[plugin-options]: #plugin-options
[plugin-stanza]: /docs/configuration/plugin
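
One way to audit job specs for the `trust_prefix` / `insecure_options` defaults and the host-path `volumes` behaviour described above. This is an added example, not code from the Nomad project: the sample job is constructed, the function names are hypothetical, and treating an explicit `insecure_options` list as applied even when `trust_prefix` is set is an assumption.

```python
# Constructed sample: the "Job" object in the shape of `nomad job inspect` output, trimmed.
SAMPLE_JOB = {"TaskGroups": [
    {"Name": "cache", "Tasks": [
        {"Name": "redis", "Driver": "rkt",
         "Config": {"image": "docker://redis:latest"}}]},
    {"Name": "web", "Tasks": [
        {"Name": "app", "Driver": "rkt", "Config": {
            "image": "example.com/image:1.0",
            "trust_prefix": "example.com/image",
            "volumes": ["/path/on/host:/path/in/container",
                        "/readonly/path/on/host:/path/in/container:readOnly",
                        "local/data:/data"]}},
        {"Name": "legacy", "Driver": "rkt", "Config": {
            "image": "example.com/image:1.0",
            "insecure_options": ["image", "tls", "ondisk"]}},
        {"Name": "strict", "Driver": "rkt", "Config": {
            "image": "example.com/image:1.0",
            "insecure_options": ["none"]}},
        {"Name": "proxy", "Driver": "docker", "Config": {"image": "nginx"}}]},
]}

def effective_insecure_options(config):
    """Insecure options a task ends up with under the rules in this page."""
    explicit = config.get("insecure_options")
    if explicit:
        return list(explicit)   # explicit list replaces the default (assumed even with trust_prefix)
    if not config.get("trust_prefix"):
        return ["all"]          # no trust_prefix: run with --insecure-options=all
    return []                   # trust_prefix set, nothing relaxed

def audit_rkt_tasks(job):
    """Return (group/task, finding) pairs for rkt tasks that relax verification or isolation."""
    findings = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            if task.get("Driver") != "rkt":
                continue
            cfg = task.get("Config") or {}
            name = f'{group["Name"]}/{task["Name"]}'
            opts = effective_insecure_options(cfg)
            if opts and opts != ["none"]:
                findings.append((name, "insecure-options=" + ",".join(opts)))
            for vol in cfg.get("volumes") or []:
                parts = vol.split(":")
                read_only = len(parts) == 3 and parts[2] == "readOnly"
                # Relative host paths resolve inside the allocation directory; flag absolute ones.
                if parts[0].startswith("/") and not read_only:
                    findings.append((name, "read-write host bind " + parts[0]))
    return findings

if __name__ == "__main__":
    for task_name, finding in audit_rkt_tasks(SAMPLE_JOB):
        print(f"{task_name}: {finding}")
```
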