Merge branch 'master' into b-cv-add-job-anti-affinity-sentence

website/source/docs/drivers/rkt.html.md

@@ -103,12 +103,14 @@ The `rkt` driver supports the following configuration in the job spec:
 * `no_overlay` - (Optional) When enabled, will use `--no-overlay=true` flag for 'rkt run'.
   Useful when running jobs on older systems affected by https://github.com/rkt/rkt/issues/1922
 
-* `volumes` - (Optional) A list of `host_path:container_path` strings to bind
+* `volumes` - (Optional) A list of `host_path:container_path[:readOnly]` strings to bind
   host paths to container paths.
+  Mount is done read-write by default; an optional third parameter `readOnly` can be provided
+  to make it read-only.
 
     ```hcl
     config {
-      volumes = ["/path/on/host:/path/in/container"]
+      volumes = ["/path/on/host:/path/in/container", "/readonly/path/on/host:/path/in/container:readOnly"]
     }
     ```
 

website/source/docs/job-specification/artifact.html.md

@@ -41,8 +41,8 @@ job "docs" {
 ```
 
 Nomad supports downloading `http`, `https`, `git`, `hg` and `S3` artifacts. If
-these artifacts are archived (`zip`, `tgz`, `bz2`), they are automatically
-unarchived before the starting the task.
+these artifacts are archived (`zip`, `tgz`, `bz2`, `xz`), they are
+automatically unarchived before the starting the task.
 
 ## `artifact` Parameters
 

website/source/docs/vault-integration/index.html.md

@@ -62,7 +62,7 @@ occur:
 The token Nomad receives must have the capabilities listed below. An explanation
 for the use of each capability is given.
 
-```
+```hcl
 # Allow creating tokens under "nomad-cluster" token role. The token role name
 # should be updated if "nomad-cluster" is not used.
 path "auth/token/create/nomad-cluster" {
@@ -236,12 +236,24 @@ token_renewable true
 token_policies  [default nomad-server]
 ```
 
-`-orphan` is included above to prevent revocation of the token when its parent expires. 
-See the [Vault token hierarchy](https://www.vaultproject.io/docs/concepts/tokens.html#token-hierarchies-and-orphan-tokens) 
-documentation for more information.
+The `-orphan` flag is included when generating the Nomad server token above to
+prevent revocation of the token when its parent expires. Vault typically
+creates tokens with a parent-child relationship. When an ancestor token is
+revoked, all of its descendant tokens and their associated leases are revoked
+as well.
 
-The token can then be set in the server configuration's [vault block][config],
-as a command-line flag, or via an environment variable.
+When generating Nomad's Vault token, we need to ensure that revocation of the
+parent token does not revoke Nomad's token. To prevent this behavior we
+specify the `-orphan` flag when we create the Nomad's Vault token. All
+other tokens generated by Nomad for jobs will be generated using the policy
+default of `orphan = false`.
+
+More information about creating orphan tokens can be found in
+[Vault's Token Hierarchies and Orphan Tokens documentation][tokenhierarchy].
+
+The token can then be set in the server configuration's
+[`vault` stanza][config], as a command-line flag, or via an environment
+variable.
 
 ```
 $ VAULT_TOKEN=f02f01c2-c0d1-7cb7-6b88-8a14fada58c0 nomad agent -config /path/to/config
@@ -289,3 +301,4 @@ but will log the reasons the token is invalid and disable Vault integration.
 [template]: /docs/job-specification/template.html "Nomad template Job Specification"
 [vault]: https://www.vaultproject.io/ "Vault by HashiCorp"
 [vault-spec]: /docs/job-specification/vault.html "Nomad Vault Job Specification"
+[tokenhierarchy]: https://www.vaultproject.io/docs/concepts/tokens.html#token-hierarchies-and-orphan-tokens "Vault Tokens - Token Hierarchies and Orphan Tokens"