kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-04 01:15:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
b286a8ee9cabb1dced8e6be7c3b60ff869cbca09
nomad/website/content/docs/deploy/task-driver/raw_exec.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

134 lines
4.2 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Raw Fork/Exec task driver
description: Nomad's Raw Exec task driver lets you execute commands with no resource isolation. Review the Isolated Fork/Exec task driver capabilities, plugin options, client requirements, and client attributes.
---
# Configure the Raw Fork/Exec task driver
Name: `raw_exec`
The `raw_exec` driver is used to execute a command for a task without any
isolation. Further, the task is started as the same user as the Nomad process.
As such, it should be used with extreme care and is disabled by default.
## Capabilities
The `raw_exec` driver implements the following [capabilities](/nomad/docs/concepts/plugins/task-drivers#capabilities-capabilities-error).
| Feature | Implementation |
| -------------------- | -------------- |
| `nomad alloc signal` | true |
| `nomad alloc exec` | true |
| filesystem isolation | none |
| network isolation | host, group |
| volume mounting | none |
## Client Requirements
The `raw_exec` driver can run on all supported operating systems. For security
reasons, it is disabled by default. To enable raw exec, the Nomad client
configuration must explicitly enable the `raw_exec` driver in the plugin's options:
```
plugin "raw_exec" {
config {
enabled = true
}
}
```
Nomad versions before v0.9 use the following client configuration. This configuration is
also supported in Nomad v0.9.0, but is deprecated in favor of the plugin block:
```
client {
options = {
"driver.raw_exec.enable" = "1"
}
}
```
## Plugin Options
- `enabled` - Specifies whether the driver should be enabled or disabled.
Defaults to `false`.
- `denied_host_uids` - (Optional) Specifies a comma-separated list of host uids to
deny. Ranges can be specified by using a hyphen separating the two inclusive ends.
If a "user" value is specified in task configuration and that user has a user id in
the given ranges, the task will error before starting. This will not be checked on Windows
clients.
```hcl
config {
denied_host_uids = "0,10-15,22"
}
```
- `denied_host_gids` - (Optional) Specifies a comma-separated list of host gids to
deny. Ranges can be specified by using a hyphen separating the two inclusive ends.
If a "user" value is specified in task configuration and that user is part of
any groups with gid's in the specified ranges, the task will error before
starting. This will not be checked on Windows clients.
```hcl
config {
denied_host_gids = "2,4-8"
}
```
- `denied_envvars` - (Optional) Passes a list of environment variables that
the driver should scrub from all task environments. Supports globbing with "*"
wildcard accepted as prefix and/or suffix.
```hcl
config {
denied_envvars = ["AWS_SECRET_KEY", "*_TOKEN"]
}
```
## Client Options
~> Note: client configuration options will soon be deprecated. Please use
[plugin options][plugin-options] instead. See the [plugin block][plugin-block] documentation for more information.
- `driver.raw_exec.enable` - Specifies whether the driver should be enabled or
disabled. Defaults to `false`.
## Client Attributes
The `raw_exec` driver will set the following client attributes:
- `driver.raw_exec` - This will be set to "1", indicating the driver is available.
## Resource Isolation
The `raw_exec` driver provides no filesystem isolation.
If the launched process creates a new process group, it is possible that
Nomad will leak processes on shutdown unless the application forwards signals
properly. Nomad will not leak any processes if cgroups are being used to
manage the process tree. Cgroups are used on Linux when Nomad is being run with
appropriate privileges, and the cgroup system is mounted.
If the cluster is configured with memory oversubscription enabled, a task using
the `raw_exec` driver can be configured to have no maximum memory limit by
setting `memory_max = -1`.
```hcl
resources {
cpu = 500
memory = 128
memory_max = -1 # no limit
}
```
## Next steps
[Use the `raw_exec` driver in a job](/nomad/docs/job-declare/task-driver/raw_exec).
[hardening]: /nomad/docs/deploy/production/requirements#user-permissions
[service]: /nomad/docs/deploy/production/windows-service
[plugin-options]: #plugin-options
[plugin-block]: /nomad/docs/configuration/plugin
Reference in New Issue View Git Blame Copy Permalink