github.com/smintz/nomad@v0.8.3/website/source/docs/drivers/docker.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "Drivers: Docker" 4 sidebar_current: "docs-drivers-docker" 5 description: |- 6 The Docker task driver is used to run Docker based tasks. 7 --- 8 9 # Docker Driver 10 11 Name: `docker` 12 13 The `docker` driver provides a first-class Docker workflow on Nomad. The Docker 14 driver handles downloading containers, mapping ports, and starting, watching, 15 and cleaning up after containers. 16 17 ## Task Configuration 18 19 ```hcl 20 task "webservice" { 21 driver = "docker" 22 23 config { 24 image = "redis:3.2" 25 labels { 26 group = "webservice-cache" 27 } 28 } 29 } 30 ``` 31 32 The `docker` driver supports the following configuration in the job spec. Only 33 `image` is required. 34 35 * `image` - The Docker image to run. The image may include a tag or custom URL 36 and should include `https://` if required. By default it will be fetched from 37 Docker Hub. If the tag is omitted or equal to `latest` the driver will always 38 try to pull the image. If the image to be pulled exists in a registry that 39 requires authentication credentials must be provided to Nomad. Please see the 40 [Authentication section](#authentication). 41 42 ```hcl 43 config { 44 image = "https://hub.docker.internal/redis:3.2" 45 } 46 ``` 47 48 * `args` - (Optional) A list of arguments to the optional `command`. If no 49 `command` is specified, the arguments are passed directly to the container. 50 References to environment variables or any [interpretable Nomad 51 variables](/docs/runtime/interpolation.html) will be interpreted before 52 launching the task. For example: 53 54 ```hcl 55 config { 56 args = [ 57 "-bind", "${NOMAD_PORT_http}", 58 "${nomad.datacenter}", 59 "${MY_ENV}", 60 "${meta.foo}", 61 ] 62 } 63 ``` 64 65 * `auth` - (Optional) Provide authentication for a private registry (see below). 66 67 * `auth_soft_fail` `(bool: false)` - Don't fail the task on an auth failure. 68 Attempt to continue without auth. 69 70 * `command` - (Optional) The command to run when starting the container. 71 72 ```hcl 73 config { 74 command = "my-command" 75 } 76 ``` 77 78 * `dns_search_domains` - (Optional) A list of DNS search domains for the container 79 to use. 80 81 * `dns_options` - (Optional) A list of DNS options for the container to use. 82 83 * `dns_servers` - (Optional) A list of DNS servers for the container to use 84 (e.g. ["8.8.8.8", "8.8.4.4"]). Requires Docker v1.10 or greater. 85 86 * `entrypoint` - (Optional) A string list overriding the image's entrypoint. 87 88 * `extra_hosts` - (Optional) A list of hosts, given as host:IP, to be added to 89 `/etc/hosts`. 90 91 * `force_pull` - (Optional) `true` or `false` (default). Always pull latest image 92 instead of using existing local image. Should be set to `true` if repository tags 93 are mutable. 94 95 * `hostname` - (Optional) The hostname to assign to the container. When 96 launching more than one of a task (using `count`) with this option set, every 97 container the task starts will have the same hostname. 98 99 * `interactive` - (Optional) `true` or `false` (default). Keep STDIN open on 100 the container. 101 102 * `sysctl` - (Optional) A key-value map of sysctl configurations to set to the 103 containers on start. 104 105 ```hcl 106 config { 107 sysctl { 108 net.core.somaxconn = "16384" 109 } 110 } 111 ``` 112 113 * `ulimit` - (Optional) A key-value map of ulimit configurations to set to the 114 containers on start. 115 116 ```hcl 117 config { 118 ulimit { 119 nproc = "4242" 120 nofile = "2048:4096" 121 } 122 } 123 ``` 124 125 * `privileged` - (Optional) `true` or `false` (default). Privileged mode gives 126 the container access to devices on the host. Note that this also requires the 127 nomad agent and docker daemon to be configured to allow privileged 128 containers. 129 130 * `ipc_mode` - (Optional) The IPC mode to be used for the container. The default 131 is `none` for a private IPC namespace. Other values are `host` for sharing 132 the host IPC namespace or the name or id of an existing container. Note that 133 it is not possible to refer to Docker containers started by Nomad since their 134 names are not known in advance. Note that setting this option also requires the 135 Nomad agent to be configured to allow privileged containers. 136 137 * `ipv4_address` - (Optional) The IPv4 address to be used for the container when 138 using user defined networks. Requires Docker 1.13 or greater. 139 140 * `ipv6_address` - (Optional) The IPv6 address to be used for the container when 141 using user defined networks. Requires Docker 1.13 or greater. 142 143 * `labels` - (Optional) A key-value map of labels to set to the containers on 144 start. 145 146 ```hcl 147 config { 148 labels { 149 foo = "bar" 150 zip = "zap" 151 } 152 } 153 ``` 154 155 * `load` - (Optional) Load an image from a `tar` archive file instead of from a 156 remote repository. Equivalent to the `docker load -i <filename>` command. 157 158 ```hcl 159 artifact { 160 source = "http://path.to/redis.tar" 161 } 162 config { 163 load = "redis.tar" 164 image = "redis" 165 } 166 ``` 167 168 * `logging` - (Optional) A key-value map of Docker logging options. The default 169 value is `syslog`. 170 171 ```hcl 172 config { 173 logging { 174 type = "fluentd" 175 config { 176 fluentd-address = "localhost:24224" 177 tag = "your_tag" 178 } 179 } 180 } 181 ``` 182 183 * `mac_address` - (Optional) The MAC address for the container to use (e.g. 184 "02:68:b3:29:da:98"). 185 186 * `network_aliases` - (Optional) A list of network-scoped aliases, provide a way for a 187 container to be discovered by an alternate name by any other container within 188 the scope of a particular network. Network-scoped alias is supported only for 189 containers in user defined networks 190 191 ```hcl 192 config { 193 network_mode = "user-network" 194 network_aliases = [ 195 "${NOMAD_TASK_NAME}", 196 "${NOMAD_TASK_NAME}-${NOMAD_ALLOC_INDEX}" 197 ] 198 } 199 ``` 200 201 * `network_mode` - (Optional) The network mode to be used for the container. In 202 order to support userspace networking plugins in Docker 1.9 this accepts any 203 value. The default is `bridge` for all operating systems but Windows, which 204 defaults to `nat`. Other networking modes may not work without additional 205 configuration on the host (which is outside the scope of Nomad). Valid values 206 pre-docker 1.9 are `default`, `bridge`, `host`, `none`, or `container:name`. 207 208 * `pid_mode` - (Optional) `host` or not set (default). Set to `host` to share 209 the PID namespace with the host. Note that this also requires the Nomad agent 210 to be configured to allow privileged containers. 211 See below for more details. 212 213 * `port_map` - (Optional) A key-value map of port labels (see below). 214 215 * `security_opt` - (Optional) A list of string flags to pass directly to 216 [`--security-opt`](https://docs.docker.com/engine/reference/run/#security-configuration). 217 For example: 218 219 220 ```hcl 221 config { 222 security_opt = [ 223 "credentialspec=file://gmsaUser.json", 224 ] 225 } 226 ``` 227 228 * `shm_size` - (Optional) The size (bytes) of /dev/shm for the container. 229 230 * `SSL` - (Optional) If this is set to true, Nomad uses SSL to talk to the 231 repository. The default value is `true`. **Deprecated as of 0.5.3** 232 233 * `tty` - (Optional) `true` or `false` (default). Allocate a pseudo-TTY for the 234 container. 235 236 * `uts_mode` - (Optional) `host` or not set (default). Set to `host` to share 237 the UTS namespace with the host. Note that this also requires the Nomad agent 238 to be configured to allow privileged containers. 239 240 * `userns_mode` - (Optional) `host` or not set (default). Set to `host` to use 241 the host's user namespace when user namespace remapping is enabled on the 242 docker daemon. 243 244 * `volumes` - (Optional) A list of `host_path:container_path` strings to bind 245 host paths to container paths. Mounting host paths outside of the allocation 246 directory can be disabled on clients by setting the `docker.volumes.enabled` 247 option set to false. This will limit volumes to directories that exist inside 248 the allocation directory. 249 250 ```hcl 251 config { 252 volumes = [ 253 # Use absolute paths to mount arbitrary paths on the host 254 "/path/on/host:/path/in/container", 255 256 # Use relative paths to rebind paths already in the allocation dir 257 "relative/to/task:/also/in/container" 258 ] 259 } 260 ``` 261 262 * `volume_driver` - (Optional) The name of the volume driver used to mount 263 volumes. Must be used along with `volumes`. 264 Using a `volume_driver` also allows to use `volumes` with a named volume as 265 well as absolute paths. If `docker.volumes.enabled` is false then volume 266 drivers are disallowed. 267 268 ```hcl 269 config { 270 volumes = [ 271 # Use named volume created outside nomad. 272 "name-of-the-volume:/path/in/container" 273 ] 274 # Name of the Docker Volume Driver used by the container 275 volume_driver = "pxd" 276 } 277 ``` 278 279 * `work_dir` - (Optional) The working directory inside the container. 280 281 * `mounts` - (Optional) A list of 282 [mounts](https://docs.docker.com/engine/reference/commandline/service_create/#add-bind-mounts-or-volumes) 283 to be mounted into the container. Only volume type mounts are supported. 284 285 ```hcl 286 config { 287 mounts = [ 288 { 289 target = "/path/in/container" 290 source = "name-of-volume" 291 readonly = false 292 volume_options { 293 no_copy = false 294 labels { 295 foo = "bar" 296 } 297 driver_config { 298 name = "pxd" 299 options = { 300 foo = "bar" 301 } 302 } 303 } 304 } 305 ] 306 } 307 ``` 308 * `devices` - (Optional) A list of 309 [devices](https://docs.docker.com/engine/reference/commandline/run/#add-host-device-to-container-device) 310 to be exposed the container. `host_path` is the only required field. By default, the container will be able to 311 `read`, `write` and `mknod` these devices. Use the optional `cgroup_permissions` field to restrict permissions. 312 313 ```hcl 314 config { 315 devices = [ 316 { 317 host_path = "/dev/sda1" 318 container_path = "/dev/xvdc" 319 cgroup_permissions = "r" 320 }, 321 { 322 host_path = "/dev/sda2" 323 container_path = "/dev/xvdd" 324 } 325 ] 326 } 327 ``` 328 329 * `cap_add` - (Optional) A list of Linux capabilities as strings to pass directly to 330 [`--cap-add`](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). 331 Effective capabilities (computed from `cap_add` and `cap_drop`) have to match the configured whitelist. 332 The whitelist can be customized using the `docker.caps.whitelist` key in the client node's configuration. 333 For example: 334 335 336 ```hcl 337 config { 338 cap_add = [ 339 "SYS_TIME", 340 ] 341 } 342 ``` 343 344 * `cap_drop` - (Optional) A list of Linux capabilities as strings to pass directly to 345 [`--cap-drop`](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). 346 Effective capabilities (computed from `cap_add` and `cap_drop`) have to match the configured whitelist. 347 The whitelist can be customized using the `docker.caps.whitelist` key in the client node's configuration. 348 For example: 349 350 351 ```hcl 352 config { 353 cap_drop = [ 354 "MKNOD", 355 ] 356 } 357 ``` 358 359 * `cpu_hard_limit` - (Optional) `true` or `false` (default). Use hard CPU 360 limiting instead of soft limiting. By default this is `false` which means 361 soft limiting is used and containers are able to burst above their CPU limit 362 when there is idle capacity. 363 364 * `advertise_ipv6_address` - (Optional) `true` or `false` (default). Use the container's 365 IPv6 address (GlobalIPv6Address in Docker) when registering services and checks. 366 See [IPv6 Docker containers](/docs/job-specification/service.html#IPv6 Docker containers) for details. 367 368 * `readonly_rootfs` - (Optional) `true` or `false` (default). Mount 369 the container's filesystem as read only. 370 371 ### Container Name 372 373 Nomad creates a container after pulling an image. Containers are named 374 `{taskName}-{allocId}`. This is necessary in order to place more than one 375 container from the same task on a host (e.g. with count > 1). This also means 376 that each container's name is unique across the cluster. 377 378 This is not configurable. 379 380 ### Authentication 381 382 If you want to pull from a private repo (for example on dockerhub or quay.io), 383 you will need to specify credentials in your job via: 384 385 * the `auth` option in the task config. 386 387 * by storing explicit repository credentials or by specifying Docker 388 `credHelpers` in a file and setting the [docker.auth.config](#auth_file) 389 value on the client. 390 391 * by specifying a [docker.auth.helper](#auth_helper) on the client 392 393 The `auth` object supports the following keys: 394 395 * `username` - (Optional) The account username. 396 397 * `password` - (Optional) The account password. 398 399 * `email` - (Optional) The account email. 400 401 * `server_address` - (Optional) The server domain/IP without the protocol. 402 Docker Hub is used by default. 403 404 Example task-config: 405 406 ```hcl 407 task "example" { 408 driver = "docker" 409 410 config { 411 image = "secret/service" 412 413 auth { 414 username = "dockerhub_user" 415 password = "dockerhub_password" 416 } 417 } 418 } 419 ``` 420 421 Example docker-config, using two helper scripts in $PATH, 422 "docker-credential-ecr" and "docker-credential-vault": 423 424 ```json 425 { 426 "auths": { 427 "internal.repo": { "auth": "`echo -n '<username>:<password>' | base64 -w0`" } 428 }, 429 "credHelpers": { 430 "<XYZ>.dkr.ecr.<region>.amazonaws.com": "ecr-login" 431 }, 432 "credsStore": "secretservice" 433 } 434 ``` 435 436 Example agent configuration, using a helper script "docker-credential-ecr" in 437 $PATH 438 439 ```hcl 440 client { 441 enabled = true 442 options { 443 "docker.auth.helper" = "ecr" 444 } 445 } 446 ``` 447 !> **Be Careful!** At this time these credentials are stored in Nomad in plain 448 text. Secrets management will be added in a later release. 449 450 ## Networking 451 452 Docker supports a variety of networking configurations, including using host 453 interfaces, SDNs, etc. Nomad uses `bridged` networking by default, like Docker. 454 455 You can specify other networking options, including custom networking plugins 456 in Docker 1.9. **You may need to perform additional configuration on the host 457 in order to make these work.** This additional configuration is outside the 458 scope of Nomad. 459 460 ### Allocating Ports 461 462 You can allocate ports to your task using the port syntax described on the 463 [networking page](/docs/job-specification/network.html). Here is a recap: 464 465 ```hcl 466 task "example" { 467 driver = "docker" 468 469 resources { 470 network { 471 port "http" {} 472 port "https" {} 473 } 474 } 475 } 476 ``` 477 478 ### Forwarding and Exposing Ports 479 480 A Docker container typically specifies which port a service will listen on by 481 specifying the `EXPOSE` directive in the `Dockerfile`. 482 483 Because dynamic ports will not match the ports exposed in your Dockerfile, 484 Nomad will automatically expose all of the ports it allocates to your 485 container. 486 487 These ports will be identified via environment variables. For example: 488 489 ```hcl 490 port "http" {} 491 ``` 492 493 If Nomad allocates port `23332` to your task for `http`, `23332` will be 494 automatically exposed and forwarded to your container, and the driver will set 495 an environment variable `NOMAD_PORT_http` with the value `23332` that you can 496 read inside your container. 497 498 This provides an easy way to use the `host` networking option for better 499 performance. 500 501 ### Using the Port Map 502 503 If you prefer to use the traditional port-mapping method, you can specify the 504 `port_map` option in your job specification. It looks like this: 505 506 ```hcl 507 task "example" { 508 driver = "docker" 509 510 config { 511 image = "redis" 512 513 port_map { 514 redis = 6379 515 } 516 } 517 518 resources { 519 network { 520 mbits = 20 521 port "redis" {} 522 } 523 } 524 } 525 ``` 526 527 If Nomad allocates port `23332` to your task, the Docker driver will 528 automatically setup the port mapping from `23332` on the host to `6379` in your 529 container, so it will just work! 530 531 Note that by default this only works with `bridged` networking mode. It may 532 also work with custom networking plugins which implement the same API for 533 expose and port forwarding. 534 535 ### Advertising Container IPs 536 537 *New in Nomad 0.6.* 538 539 When using network plugins like `weave` that assign containers a routable IP 540 address, that address will automatically be used in any `service` 541 advertisements for the task. You may override what address is advertised by 542 using the `address_mode` parameter on a `service`. See 543 [service](/docs/job-specification/service.html) for details. 544 545 ### Networking Protocols 546 547 The Docker driver configures ports on both the `tcp` and `udp` protocols. 548 549 This is not configurable. 550 551 ### Other Networking Modes 552 553 Some networking modes like `container` or `none` will require coordination 554 outside of Nomad. First-class support for these options may be improved later 555 through Nomad plugins or dynamic job configuration. 556 557 ## Client Requirements 558 559 Nomad requires Docker to be installed and running on the host alongside the 560 Nomad agent. Nomad was developed against Docker `1.8.2` and `1.9`. 561 562 By default Nomad communicates with the Docker daemon using the daemon's Unix 563 socket. Nomad will need to be able to read/write to this socket. If you do not 564 run Nomad as root, make sure you add the Nomad user to the Docker group so 565 Nomad can communicate with the Docker daemon. 566 567 For example, on Ubuntu you can use the `usermod` command to add the `vagrant` 568 user to the `docker` group so you can run Nomad without root: 569 570 sudo usermod -G docker -a vagrant 571 572 For the best performance and security features you should use recent versions 573 of the Linux Kernel and Docker daemon. 574 575 ## Client Configuration 576 577 The `docker` driver has the following [client configuration 578 options](/docs/agent/configuration/client.html#options): 579 580 * `docker.endpoint` - If using a non-standard socket, HTTP or another location, 581 or if TLS is being used, `docker.endpoint` must be set. If unset, Nomad will 582 attempt to instantiate a Docker client using the `DOCKER_HOST` environment 583 variable and then fall back to the default listen address for the given 584 operating system. Defaults to `unix:///var/run/docker.sock` on Unix platforms 585 and `npipe:////./pipe/docker_engine` for Windows. 586 587 * `docker.auth.config` <a id="auth_file"></a>- Allows an operator to specify a 588 JSON file which is in the dockercfg format containing authentication 589 information for a private registry, from either (in order) `auths`, 590 `credHelpers` or `credsStore`. 591 592 * `docker.auth.helper` <a id="auth_helper"></a>- Allows an operator to specify 593 a [credsStore](https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol) 594 -like script on $PATH to lookup authentication information from external 595 sources. The script's name must begin with `docker-credential-` and this 596 option should include only the basename of the script, not the path. 597 598 * `docker.tls.cert` - Path to the server's certificate file (`.pem`). Specify 599 this along with `docker.tls.key` and `docker.tls.ca` to use a TLS client to 600 connect to the docker daemon. `docker.endpoint` must also be specified or 601 this setting will be ignored. 602 603 * `docker.tls.key` - Path to the client's private key (`.pem`). Specify this 604 along with `docker.tls.cert` and `docker.tls.ca` to use a TLS client to 605 connect to the docker daemon. `docker.endpoint` must also be specified or 606 this setting will be ignored. 607 608 * `docker.tls.ca` - Path to the server's CA file (`.pem`). Specify this along 609 with `docker.tls.cert` and `docker.tls.key` to use a TLS client to connect to 610 the docker daemon. `docker.endpoint` must also be specified or this setting 611 will be ignored. 612 613 * `docker.cleanup.image` Defaults to `true`. Changing this to `false` will 614 prevent Nomad from removing images from stopped tasks. 615 616 * `docker.cleanup.image.delay` A time duration, as [defined 617 here](https://golang.org/pkg/time/#ParseDuration), that defaults to `3m`. The 618 delay controls how long Nomad will wait between an image being unused and 619 deleting it. If a tasks is received that uses the same image within the delay, 620 the image will be reused. 621 622 * `docker.volumes.enabled`: Defaults to `true`. Allows tasks to bind host paths 623 (`volumes`) inside their container and use volume drivers (`volume_driver`). 624 Binding relative paths is always allowed and will be resolved relative to the 625 allocation's directory. 626 627 * `docker.volumes.selinuxlabel`: Allows the operator to set a SELinux 628 label to the allocation and task local bind-mounts to containers. If used 629 with `docker.volumes.enabled` set to false, the labels will still be applied 630 to the standard binds in the container. 631 632 * `docker.privileged.enabled` Defaults to `false`. Changing this to `true` will 633 allow containers to use `privileged` mode, which gives the containers full 634 access to the host's devices. Note that you must set a similar setting on the 635 Docker daemon for this to work. 636 637 * `docker.caps.whitelist`: A list of allowed Linux capabilities. Defaults to 638 `"CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE"`, 639 which is the list of capabilities allowed by docker by default, as 640 [defined here](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). 641 Allows the operator to control which capabilities can be obtained by 642 tasks using `cap_add` and `cap_drop` options. Supports the value `"ALL"` as a 643 shortcut for whitelisting all capabilities. 644 645 Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`, 646 `DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. If 647 `docker.endpoint` is set Nomad will **only** read client configuration from the 648 config file. 649 650 An example is given below: 651 652 ```hcl 653 client { 654 options { 655 "docker.cleanup.image" = "false" 656 } 657 } 658 ``` 659 660 ## Client Attributes 661 662 The `docker` driver will set the following client attributes: 663 664 * `driver.docker` - This will be set to "1", indicating the driver is 665 available. 666 * `driver.docker.bridge_ip` - The IP of the Docker bridge network if one 667 exists. 668 * `driver.docker.version` - This will be set to version of the docker server. 669 670 Here is an example of using these properties in a job file: 671 672 ```hcl 673 job "docs" { 674 # Require docker version higher than 1.2. 675 constraint { 676 attribute = "${driver.docker.version}" 677 operator = ">" 678 version = "1.2" 679 } 680 } 681 ``` 682 683 ## Resource Isolation 684 685 ### CPU 686 687 Nomad limits containers' CPU based on CPU shares. CPU shares allow containers 688 to burst past their CPU limits. CPU limits will only be imposed when there is 689 contention for resources. When the host is under load your process may be 690 throttled to stabilize QoS depending on how many shares it has. You can see how 691 many CPU shares are available to your process by reading `NOMAD_CPU_LIMIT`. 692 1000 shares are approximately equal to 1 GHz. 693 694 Please keep the implications of CPU shares in mind when you load test workloads 695 on Nomad. 696 697 ### Memory 698 699 Nomad limits containers' memory usage based on total virtual memory. This means 700 that containers scheduled by Nomad cannot use swap. This is to ensure that a 701 swappy process does not degrade performance for other workloads on the same 702 host. 703 704 Since memory is not an elastic resource, you will need to make sure your 705 container does not exceed the amount of memory allocated to it, or it will be 706 terminated or crash when it tries to malloc. A process can inspect its memory 707 limit by reading `NOMAD_MEMORY_LIMIT`, but will need to track its own memory 708 usage. Memory limit is expressed in megabytes so 1024 = 1 GB. 709 710 ### IO 711 712 Nomad's Docker integration does not currently provide QoS around network or 713 filesystem IO. These will be added in a later release. 714 715 ### Security 716 717 Docker provides resource isolation by way of 718 [cgroups and namespaces](https://docs.docker.com/introduction/understanding-docker/#the-underlying-technology). 719 Containers essentially have a virtual file system all to themselves. If you 720 need a higher degree of isolation between processes for security or other 721 reasons, it is recommended to use full virtualization like 722 [QEMU](/docs/drivers/qemu.html). 723 724 ## Docker for Mac Caveats 725 726 Docker for Mac runs Docker inside a small VM and then allows access to parts of 727 the host filesystem into that VM. At present, nomad uses a syslog server bound to 728 a Unix socket within a path that both the host and the VM can access to forward 729 log messages back to nomad. But at present, Docker For Mac does not work for 730 Unix domain sockets (https://github.com/docker/for-mac/issues/483) in one of 731 these shared paths. 732 733 As a result, using nomad with the docker driver on OS X/macOS will work, but no 734 logs will be available to nomad. Users must use the native docker facilities to 735 examine the logs of any jobs running under docker. 736 737 In the future, we will resolve this issue, one way or another. 738 739 ## Docker for Windows Caveats 740 741 Docker for Windows only supports running Windows containers. Because Docker for 742 Windows is relatively new and rapidly evolving you may want to consult the 743 [list of relevant issues on GitHub][WinIssues]. 744 745 [WinIssues]: https://github.com/hashicorp/nomad/issues?q=is%3Aopen+is%3Aissue+label%3Adriver%2Fdocker+label%3Aplatform-windows