github.com/smintz/nomad@v0.8.3/website/source/docs/drivers/rkt.html.md

---
layout: "docs"
page_title: "Drivers: Rkt"
sidebar_current: "docs-drivers-rkt"
description: |-
  The rkt task driver is used to run application containers using rkt.
---

# Rkt Driver

Name: `rkt`

The `rkt` driver provides an interface for using rkt for running
application containers.

## Task Configuration

```hcl
task "webservice" {
  driver = "rkt"

  config {
    image = "redis:3.2"
  }
}
```

The `rkt` driver supports the following configuration in the job spec:

* `image` - The image to run. May be specified by name, hash, ACI address
  or docker registry.

    ```hcl
    config {
      image = "https://hub.docker.internal/redis:3.2"
    }
    ```

* `command` - (Optional) A command to execute on the ACI.

    ```hcl
    config {
      command = "my-command"
    }
    ```

* `args` - (Optional) A list of arguments to the optional `command`. References
  to environment variables or any [interpretable Nomad
  variables](/docs/runtime/interpolation.html) will be interpreted before
  launching the task.

    ```hcl
    config {
      args = [
        "-bind", "${NOMAD_PORT_http}",
        "${nomad.datacenter}",
        "${MY_ENV}",
        "${meta.foo}",
      ]
    }
    ```

* `trust_prefix` - (Optional) The trust prefix to be passed to rkt. Must be
  reachable from the box running the Nomad agent. If not specified, the image is
  run with `--insecure-options=all`.

* `insecure_options` - (Optional) List of insecure options for rkt. Consult `rkt --help`
  for the list of supported values. When no `trust_prefix` is provided in the job config,
  this list overrides the `--insecure-options=all` default, so
  `insecure_options = ["none"]` can be used to enforce secure runs.

    ```hcl
    config {
      image = "example.com/image:1.0"
      insecure_options = ["image", "tls", "ondisk"]
    }
    ```

* `dns_servers` - (Optional) A list of DNS servers to be used in the container.
  Alternatively a list containing just `host` or `none`. `host` uses the host's
  `resolv.conf` while `none` forces use of the image's name resolution configuration.

* `dns_search_domains` - (Optional) A list of DNS search domains to be used in
  the containers.

* `net` - (Optional) A list of networks to be used by the containers.

* `port_map` - (Optional) A key/value map of ports used by the container. The
  value is the port name specified in the image manifest file. When running
  Docker images with rkt the port names will be of the form `${PORT}-tcp`. See
  [networking](#networking) below for more details.

    ```hcl
    port_map {
      # If running a Docker image that exposes port 8080
      app = "8080-tcp"
    }
    ```

* `debug` - (Optional) Enable rkt command debug option.

* `no_overlay` - (Optional) When enabled, passes the `--no-overlay=true` flag to `rkt run`.
  Useful when running jobs on older systems affected by https://github.com/rkt/rkt/issues/1922.

* `volumes` - (Optional) A list of `host_path:container_path[:readOnly]` strings to bind
  host paths to container paths.
  Mounts are read-write by default; an optional third parameter `readOnly` can be provided
  to make a mount read-only.

    ```hcl
    config {
      volumes = ["/path/on/host:/path/in/container", "/readonly/path/on/host:/path/in/container:readOnly"]
    }
    ```

## Networking

The `rkt` driver can pass `--net` and `--port` to the rkt client, so there are two ways
to use host ports: `--net=host`, or `--port=PORT` with your network.

Example:

```hcl
task "redis" {
  # Use rkt to run the task.
  driver = "rkt"

  config {
    # Use docker image with port defined
    image = "docker://redis:latest"
    port_map {
      app = "6379-tcp"
    }
  }

  service {
    port = "app"
  }

  resources {
    network {
      mbits = 10
      port "app" {
        static = 12345
      }
    }
  }
}
```

### Allocating Ports

You can allocate ports to your task using the port syntax described on the
[networking page](/docs/job-specification/network.html).

When you use port allocation, the image manifest needs to declare public ports and the host needs a configured network.
For more information, please refer to [rkt Networking](https://coreos.com/rkt/docs/latest/networking/overview.html).

## Client Requirements

The `rkt` driver requires rkt to be installed and in your system's `$PATH`.
The `trust_prefix` must be accessible by the node running Nomad. This can be an
internal source, private to your cluster, but it must be reachable by the client
over HTTP.

## Client Configuration

The `rkt` driver has the following [client configuration
options](/docs/agent/configuration/client.html#options):

* `rkt.volumes.enabled`: Defaults to `true`. Allows tasks to bind host paths
  (`volumes`) inside their container. Binding relative paths is always allowed
  and will be resolved relative to the allocation's directory.

## Client Attributes

The `rkt` driver will set the following client attributes:

* `driver.rkt` - Set to `1` if rkt is found on the host node. Nomad determines
  this by executing `rkt version` on the host and parsing the output.
* `driver.rkt.version` - Version of `rkt` e.g.: `1.27.0`. Note that the minimum required
  version is `1.27.0`.
* `driver.rkt.appc.version` - Version of `appc` that `rkt` is using e.g.: `1.1.0`

Here is an example of using these properties in a job file:

```hcl
job "docs" {
  # Only run this job where the rkt version is higher than 1.2.
  constraint {
    attribute = "${driver.rkt.version}"
    operator  = ">"
    value     = "1.2"
  }
}
```

## Resource Isolation

This driver supports CPU and memory isolation by delegating to `rkt`. Network
isolation is not supported as of now.
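
The `trust_prefix` / `insecure_options` defaults and the `volumes` syntax documented under Task Configuration can be checked before a job is submitted. The following is an added example, not part of the Nomad documentation or code base. It assumes each task is available as a dict with `name`, `driver` and `config` keys mirroring the job-spec stanzas above, and that an explicit `insecure_options` list is passed through even when `trust_prefix` is set (the page only describes the case without `trust_prefix`).

```python
# Added example: audit rkt task `config` blocks against the documented defaults.
# The dict layout of a task is an assumption made for this example.

def effective_insecure_options(config):
    """Return the --insecure-options value implied by the rules above, or None."""
    opts = config.get("insecure_options") or []
    if opts:
        return ",".join(opts)   # an explicit list replaces the default
    if not config.get("trust_prefix"):
        return "all"            # documented default when trust_prefix is absent
    return None                 # trust_prefix set, no insecure flag described

def parse_volume(spec):
    """Split host_path:container_path[:readOnly] into (host, container, read_only)."""
    parts = spec.split(":")
    if len(parts) not in (2, 3) or (len(parts) == 3 and parts[2] != "readOnly"):
        raise ValueError("bad volume spec: %r" % spec)
    return parts[0], parts[1], len(parts) == 3

def audit_task(task):
    """List findings for one task; non-rkt tasks are skipped."""
    findings = []
    if task.get("driver") != "rkt":
        return findings
    cfg = task.get("config", {})
    opts = effective_insecure_options(cfg)
    if opts not in (None, "none"):
        findings.append("%s: runs with --insecure-options=%s" % (task["name"], opts))
    for spec in cfg.get("volumes", []):
        host, _, read_only = parse_volume(spec)
        # Relative paths resolve inside the allocation directory; absolute ones hit the host.
        if host.startswith("/") and not read_only:
            findings.append("%s: read-write bind of host path %s" % (task["name"], host))
    return findings

# Constructed sample tasks (not taken from a real cluster).
SAMPLE_TASKS = [
    {"name": "webservice", "driver": "rkt", "config": {"image": "redis:3.2"}},
    {"name": "pinned", "driver": "rkt", "config": {
        "image": "example.com/image:1.0", "trust_prefix": "example.com/image",
        "volumes": ["/path/on/host:/path/in/container",
                    "/readonly/path/on/host:/path/in/container:readOnly"]}},
    {"name": "strict", "driver": "rkt", "config": {
        "image": "example.com/image:1.0", "insecure_options": ["none"]}},
]

if __name__ == "__main__":
    for sample in SAMPLE_TASKS:
        for finding in audit_task(sample):
            print(finding)
```
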