nomad/website/content/docs/job-specification/volume_mount.mdx
Juana De La Cuesta 120c3ca3c9 Add granular control of SELinux labels for host mounts (#19839)
Add new configuration option on task's volume_mounts, to give a fine grained control over SELinux "z" label

* Update website/content/docs/job-specification/volume_mount.mdx

Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>

* fix: typo

* func: make volume mount verification happen even on mounts with no volume

---------

Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>
Co-authored-by: Tim Gross <tgross@hashicorp.com>
2024-02-05 10:05:33 +01:00

---
layout: docs
page_title: volume_mount Block - Job Specification
description: |-
  The "volume_mount" block allows the task to specify where a group "volume"
  should be mounted.
---

# `volume_mount` Block

<Placement groups={['job', 'group', 'task', 'volume_mount']} />

The `volume_mount` block allows the task to specify how a group
[`volume`][volume] should be mounted into the task.

```hcl
job "docs" {
  group "example" {
    volume "certs" {
      type      = "host"
      read_only = true
      source    = "ca-certificates"
    }

    task "example" {
      volume_mount {
        volume           = "certs"
        destination      = "/etc/ssl/certs"
        propagation_mode = "private"
      }
    }
  }
}
```

The Nomad client will make the volumes available to tasks according to this
configuration, and it will fail the allocation if the client configuration
updates to remove a volume that it depends on.

## `volume_mount` Parameters

- `volume` `(string: "")` - Specifies the group volume that the mount is going
  to access.

- `destination` `(string: "")` - Specifies where the volume should be mounted
  inside the task's allocation.

- `read_only` `(bool: false)` - When a group volume is writable, you may
  specify that it is `read_only` on a per-mount basis using the `read_only`
  option here.

- `propagation_mode` `(string: "private")` - Specifies the mount propagation
  mode for nested volumes. Possible values are:
  - `private` - the task is not allowed to access nested mounts.
  - `host-to-task` - allows new mounts that have been created outside of the
    task to be visible inside the task.
  - `bidirectional` - allows the task to both access new mounts from the host
    and also create new mounts. This mode requires `ReadWrite` permission.

  ~> **Warning:** `bidirectional` propagation mode can be dangerous to use
  and cause problems in the host operating system if a task creates a mount
  but does not clean it up properly before exiting.

- `selinux_label` `(string: "")` - Specifies the SELinux label for the mount.
  This is only supported on Linux hosts and when supported by the task driver.
  Refer to the task driver documentation for more information. Possible
  values are:
  - `Z` - Specifies that the volume content is private and unshared between
    containers.
  - `z` - Specifies that the volume content is shared among containers.
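The following job specification is an added example, not part of the Nomad documentation, showing the two `selinux_label` values side by side with `read_only` and `propagation_mode`. It assumes a task driver that supports SELinux labels (here `docker`) and constructed host volume names `ca-certificates` and `web-state`.

```hcl
job "selinux-example" {
  group "web" {
    # Host volume that several tasks on the host may legitimately read:
    # a CA bundle. Exposed read-only at the group level.
    volume "certs" {
      type      = "host"
      source    = "ca-certificates" # constructed host_volume name
      read_only = true
    }

    # Host volume holding this task's private state; nothing else
    # on the host should be able to read it.
    volume "state" {
      type   = "host"
      source = "web-state" # constructed host_volume name
    }

    task "web" {
      driver = "docker" # assumed: a driver that supports selinux_label

      volume_mount {
        volume        = "certs"
        destination   = "/etc/ssl/certs"
        read_only     = true   # enforced again at the mount level
        selinux_label = "z"    # shared label: content stays readable by
                               # other containers that mount the same volume
      }

      volume_mount {
        volume           = "state"
        destination      = "/var/lib/web"
        propagation_mode = "private" # no nested mounts leak in or out
        selinux_label    = "Z"       # private label: content is relabelled
                                     # for this container only
      }
    }
  }
}
```

Choose `Z` for per-task data and `z` only where sharing is intended; once a path is relabelled with `Z`, a second task mounting it with `Z` relabels it again and the first task loses access.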

For examples of how to use [HCL2] interpolation for fine-grained control of
volumes, see [Volume Interpolation].

[volume]: /nomad/docs/job-specification/volume 'Nomad volume Job Specification'
[volume interpolation]: /nomad/docs/job-specification/volume#volume-interpolation
[hcl2]: /nomad/docs/job-specification/hcl2