From daaf9ca558778685454bd129f1316145eaac7f93 Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Fri, 16 Oct 2020 11:38:23 -0400 Subject: [PATCH] clarify raw_exec doesn't have filesystem isolation --- .../pages/docs/job-specification/template.mdx | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/website/pages/docs/job-specification/template.mdx b/website/pages/docs/job-specification/template.mdx index 027630a39..aa2c462bd 100644 --- a/website/pages/docs/job-specification/template.mdx +++ b/website/pages/docs/job-specification/template.mdx @@ -60,9 +60,10 @@ README][ct]. Since Nomad v0.6.0, templates can be read as environment variables. - `destination` `(string: )` - Specifies the location where the resulting template should be rendered, relative to the [task working - directory]. Only drivers that build a chroot into the task working directory - (such as `exec` or `raw_exec`) can render templates outside of the - `NOMAD_ALLOC_DIR`, `NOMAD_TASK_DIR`, or `NOMAD_SECRETS_DIR`. + directory]. Only drivers without filesystem isolation (ex. `raw_exec`) or + that buiold a chroot in the task working directory (ex. `exec`) can render + templates outside of the `NOMAD_ALLOC_DIR`, `NOMAD_TASK_DIR`, or + `NOMAD_SECRETS_DIR`. - `env` `(bool: false)` - Specifies the template should be read back in as environment variables for the task. ([See below](#environment-variables)) @@ -225,13 +226,13 @@ For more details see [go-envparser's README][go-envparse]. ### Template Destinations -Templates are rendered into the task working directory. Some drivers such as -`exec` or `raw_exec` build a chroot in the task working directory, so -templates can be rendered to arbitrary paths in the task. But task drivers -such as `docker` can only access templates rendered into the -`NOMAD_ALLOC_DIR`, `NOMAD_TASK_DIR`, or `NOMAD_SECRETS_DIR`. To workaround -this restriction, you can create a mount from the template `destination` to -another location in the task. +Templates are rendered into the task working directory. Drivers without +filesystem isolation (such as `raw_exec`) or drivers that build a chroot in +the task working directory (such as `exec`) can have templates rendered to +arbitrary paths in the task. But task drivers such as `docker` can only access +templates rendered into the `NOMAD_ALLOC_DIR`, `NOMAD_TASK_DIR`, or +`NOMAD_SECRETS_DIR`. To workaround this restriction, you can create a mount +from the template `destination` to another location in the task. ```hcl task "task" {