mirror of
https://github.com/kemko/nomad.git
synced 2026-01-08 11:25:41 +03:00
Update containerd task driver docs. (#9550)
website/pages/docs/drivers/external/containerd.mdx
@@ -113,6 +113,9 @@ config {
}
```

- `cwd` - (Optional) Specify the current working directory (cwd) for your container process.
If the directory does not exist, one will be created for you.

- `privileged` - (Optional) `true` or `false` (default) Run container in
privileged mode. Your container will have all Linux capabilities when running
in privileged mode.
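Review bot: the new `cwd` entry says a missing directory "will be created for you" but not where or how: state whether the path is created inside the container rootfs (and discarded with it) or on the host through a mount, and with what ownership and mode, since a directory silently created under a mounted host path is a side effect operators need to be able to reason about. One sentence such as "The directory is created inside the container's root filesystem" (or the host-side equivalent, whichever the driver does) would close the gap.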
@@ -123,6 +126,27 @@ config {
}
```

- `host_dns` - (Optional) `true` (default) or `false` By default, a container
launched using `containerd-driver` will use host `/etc/resolv.conf`. This is
similar to [Docker's behavior]. However, if you don't want to use
host DNS, you can turn off this flag by setting `host_dns=false`.

- `seccomp` - (Optional) Enable default seccomp profile. List of [allowed syscalls].

- `seccomp_profile` - (Optional) Path to custom seccomp profile.
`seccomp` must be set to `true` in order to use `seccomp_profile`.

The default `docker` seccomp profile found in the [Moby repository]
can be downloaded, and modified (by removing/adding syscalls) to create a custom seccomp profile.
The custom seccomp profile can then be saved under `/opt/seccomp/seccomp.json` on the Nomad client nodes.

```hcl
config {
seccomp = true
seccomp_profile = "/opt/seccomp/seccomp.json"
}
```

- `readonly_rootfs` - (Optional) `true` or `false` (default) Container root
filesystem will be read-only.

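Review bot: `seccomp` is the only option in this block that does not state its default; `host_dns`, `privileged` and `readonly_rootfs` all read `true` or `false` (default)`. Say explicitly whether seccomp is off unless enabled, because the wording "Enable default seccomp profile" invites readers to assume the profile is applied by default, and say what the driver does when `seccomp_profile` is set while `seccomp = false` (ignored, or rejected at job validation). In the custom-profile paragraph, "removing/adding syscalls" deserves one clause noting that adding syscalls to the Moby default widens the kernel surface exposed to the container, so a custom profile should be reviewed with the same care as `privileged`.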
@@ -214,7 +238,7 @@ them should be used at a time.
config of the job spec (see [host_network][host-network] under Task
Configuration).

1. **Bridge** network can be enabled by setting the `network` stanza in the task
2. **Bridge** network can be enabled by setting the `network` stanza in the task
group section of the job spec.

```hcl
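Review bot: the only change here is renumbering the Bridge item from 1 to 2, which implies a new item 1 above this hunk; confirm the host-network paragraph referenced via `[host-network]` carries that number so the list renders consistently. Since the hunk header context says only one of them should be used at a time, a sentence on what the driver does when both `host_network` and a bridge `network` stanza are present (validation error or one taking precedence) would make that rule enforceable rather than advisory.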
@@ -234,6 +258,75 @@ before you can use `bridge` networks.
$ sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz
```

Also, ensure your Linux operating system distribution has been configured
to allow container traffic through the bridge network to be routed via iptables.
These tunables can be set as follows:

```hcl
$ echo 1 > /proc/sys/net/bridge/bridge-nf-call-arptables
$ echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
$ echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
```

To preserve these settings on startup of a Nomad client node, add a file
including the following to `/etc/sysctl.d/` or remove the file your Linux
distribution puts in that directory.

```hcl
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
```

## Port Forwarding

Nomad supports both `static` and `dynamic` port mapping.

1. **Static ports**

Static port mapping can be added in the `network` stanza.

```hcl
network {
mode = "bridge"
port "lb" {
static = 8889
to = 8889
}
}
```
Here, `host` port `8889` is mapped to `container` port `8889`.<br/>
**NOTE:** static ports are usually not recommended, except for
`system` or specialized jobs like load balancers.

2. **Dynamic ports**

Dynamic port mapping is also enabled in the `network` stanza.

```hcl
network {
mode = "bridge"
port "http" {
to = 8080
}
}
```
Here, nomad will allocate a dynamic port on the `host` and that port
will be mapped to `8080` in the container.

You can read more about configuring networking under the [`network`] stanza documentation.

## Service discovery

Nomad schedules workloads of various types across a cluster of generic hosts.
Because of this, placement is not known in advance and you will need to use
service discovery to connect tasks to other services deployed across your cluster.
Nomad integrates with Consul to provide service discovery and monitoring.

A [`service`] block can be added to your job spec, to enable service discovery.

The service stanza instructs Nomad to register a service with Consul.

## Plugin Options ((#plugin_options))

- `enabled` - (Optional) The `containerd` driver may be disabled on hosts by
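Review bot: the two sysctl blocks are fenced as ```hcl although one holds shell commands and the other a sysctl.d file; tag them ```shell and ```ini (or plain text) so highlighting and copy-paste behave. The `$ echo 1 > /proc/sys/net/bridge/...` lines will fail with "Permission denied" from the unprivileged shell the `$` prompt implies, because the redirect is opened by the user's shell rather than by a privileged process, unlike the `sudo tar` line just above; `sudo sysctl -w net.bridge.bridge-nf-call-iptables=1` (and the same for the other two keys) is the form that works as written. "remove the file your Linux distribution puts in that directory" reads as a destructive instruction; "override it with a later-sorted file in `/etc/sysctl.d/`" says what is actually needed. It is also worth one sentence that setting these keys makes bridged container traffic subject to the host's iptables rules, which is the reason the step is required and the place operators should look when a host firewall policy blocks it. In Port Forwarding, the `<br/>` after "mapped to `container` port `8889`." is stray inline HTML; a blank line before **NOTE:** renders the same.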
@@ -268,4 +361,9 @@ the external driver in the [plugin_dir][plugin_dir] directory.
[plugin-options]: #plugin_options
[host-network]: #host_network
[`mount options`]: https://github.com/containerd/containerd/blob/9561d9389d3dd87ff6030bf1da4e705bbc024130/mount/mount_linux.go#L198-L222
[Moby repository]: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
[Docker's behavior]: https://docs.docker.com/config/containers/container-networking/#dns-services
[allowed syscalls]: https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51-L390
[`network`]: /docs/job-specification/network
[`service`]: /docs/job-specification/service
[releases]: https://github.com/Roblox/nomad-driver-containerd/releases/

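Review bot: `[Moby repository]` and `[allowed syscalls]` point at `master`, and the latter carries the line anchor `#L51-L390`; line anchors on a moving branch drift silently and the default profile itself changes between releases, so pin both to a commit SHA the way the `[`mount options`]` reference already does. Because `[Moby repository]` is the recommended starting point for a custom seccomp profile, an unpinned link also means two operators following these docs at different times can end up with different syscall allow-lists on their client nodes.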