From 3e3b77bd5542555b1a3135289832c8257b1c8e59 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Thu, 29 Jun 2017 16:54:23 +0800 Subject: [PATCH 1/2] Document context of service checks Fixes GH-1935 --- website/source/docs/job-specification/service.html.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/website/source/docs/job-specification/service.html.md b/website/source/docs/job-specification/service.html.md index f213ae357..b2f4bf5a4 100644 --- a/website/source/docs/job-specification/service.html.md +++ b/website/source/docs/job-specification/service.html.md @@ -95,6 +95,11 @@ does not automatically enable service discovery. ### `check` Parameters +Note that health checks run inside the task. If your task is a Docker container, +the script will run inside the Docker container. If your task is running in a +chroot, it will run in the chroot. Please keep this in mind when authoring check +scripts. + - `args` `(array: [])` - Specifies additional arguments to the `command`. This only applies to script-based health checks. From dfcbd498e645329e9ed19ee6c60b8fc42a74791d Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Thu, 29 Jun 2017 16:59:19 +0800 Subject: [PATCH 2/2] Document permissions for agents Fixes GH-948 --- website/source/docs/agent/index.html.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/website/source/docs/agent/index.html.md b/website/source/docs/agent/index.html.md index 5e927f489..dad7f9c67 100644 --- a/website/source/docs/agent/index.html.md +++ b/website/source/docs/agent/index.html.md 
@@ -133,3 +133,10 @@ When a server _leaves_, it specifies its intent to do so, and the cluster marks node as having _left_. If the server has _left_, replication to it will stop and it is removed from the consensus peer set. If the server has _failed_, replication will attempt to make progress to recover from a software or network failure. + +## Permissions + +Nomad servers should be run with the lowest possible permissions. Nomad clients +must be run as root due to the OS isolation mechanisms that require root +privileges. In all cases, it is recommended you create a `nomad` user with the +minimal set of required privileges.
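Review bot: In patch 1/2 (service.html.md, the paragraph added under "### `check` Parameters"), the first sentence says "health checks run inside the task" without qualification, but the examples that follow speak only of "the script", and the `args` entry just below states that it "only applies to script-based health checks". As written, a reader could conclude that every check type executes inside the container or chroot. Suggest scoping the opening sentence, for example "Note that script-based health checks run inside the task." It would also help to state the practical consequence the paragraph hints at with "Please keep this in mind": the check command and anything it calls must exist inside the Docker image or chroot, and the script runs with whatever access the task itself has.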
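Review bot: In patch 2/2 (agent/index.html.md, the new "## Permissions" section), the last sentence conflicts with the one before it: "Nomad clients must be run as root" is followed by "In all cases, it is recommended you create a `nomad` user with the minimal set of required privileges", and "in all cases" includes the clients that were just said to need root. Suggest limiting the `nomad` user recommendation to servers, or saying explicitly what the `nomad` user is for on a client host. "Lowest possible permissions" is also not actionable as it stands. The section should either list what a server process needs access to or link to a page that does, so operators can verify their setup against something concrete.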