kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 10:25:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
b286a8ee9cabb1dced8e6be7c3b60ff869cbca09
nomad/website/content/docs/networking/cni.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

255 lines
9.4 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: CNI plugins and bridge networking
description: |-
Learn how to install Container Network Interface (CNI) reference plugins, configure Nomad's bridge networking, and use CNI networks with Nomad jobs.
---
# Container Network Interface (CNI)
This page shows you how to install the [CNI reference plugins][cni-plugin-docs]
on your Linux distribution and configure bridge networking on your Nomad
clients. You can apply this guide's workflow to installing any plugin that
complies with the [Container Network Interface (CNI) Specification][cni-spec],
but you should verify plugin compatibility with Nomad before deploying in
production.
## Background
The CNI specification defines a network configuration format for administrators.
The configuration contains directives for both the orchestrator and the plugins
to consume. Nomad implements custom networking through a combination of CNI
reference plugin binaries and CNI configuration files. Networking features, like
bridge network mode and Consul service mesh, leverage the CNI reference plugins
to provide an operating-system agnostic interface to configure workload
networking.
## Requirements
- You are familiar with [CNI reference plugins][cni-plugin-docs].
- You are familiar with [how Nomad uses Container Network Interface (CNI) plugins for bridge networking](/nomad/docs/networking#bridge-networking).
- You are running Nomad on Linux.
## CNI plugins and bridge networking workflow
Perform the following on each Nomad client:
1. [Install CNI reference plugins](#install-cni-reference-plugins).
1. [Configure bridge module to route traffic through iptables](#configure-bridge-module-to-route-traffic-through-iptables).
1. [Create a bridge mode configuration](#create-a-cni-bridge-mode-configuration).
1. [Configure Nomad clients](#configure-nomad-clients).
After you configure and restart your Nomad clients, refer to [Use a CNI network
with a job][] for job configuration.
### Install CNI reference plugins
@include 'install/install-cni-plugins.mdx'
### Configure bridge module to route traffic through iptables
@include 'install/bridge-iptables.mdx'
## Create a CNI bridge mode configuration
Nomad itself uses CNI plugins and configuration as the underlying implementation
for the `bridge` network mode, using the loopback, [bridge][], [firewall][], and
[portmap][] CNI reference plugins configured together to create Nomad's bridge
network.
[comment-source-image]:
https://www.figma.com/file/Ne2qaPUlBTmTYer9biCfK9/Networking?node-id=0%3A1&t=BepgOoQ0kb76GwIr-1
[![Visual example of Nomad bridge
network](/img/nomad-bridge-network.png)](/img/nomad-bridge-network.png)
When setting up a bridge network, Nomad uses a configuration template based on
the CNI Specification's [example
configuration](https://www.cni.dev/docs/spec/#example-configuration). Refer to
the external [configuration
format](https://www.cni.dev/docs/spec/#example-configuration) for a complete
explanation of the fields.
You can use this template as a basis for your own CNI-based bridge network
configuration in cases where you need access to an unsupported option in the
default configuration, like hairpin mode.
This example uses two default values from Nomad client configuration.
- The default value for
[`bridge_network_name`](/nomad/docs/configuration/client#bridge_network_name)
is the value for the bridge plugin name.
- The default value for bridge subnet [`bridge_network_subnet`](
/nomad/docs/configuration/client#bridge_network_subnet) is the bridge plugin
subnet.
The `NOMAD-ADMIN` internal constant provides the value for
`iptablesAdminChainName`. In your own configuration, ensure that you change the
`iptablesAdminChainName` to a unique value.
<CodeBlockConfig highlight="10,20,32">
```json
{
"cniVersion": "1.0.0",
"name": "nomad",
"plugins": [
{
"type": "loopback"
},
{
"type": "bridge",
"bridge": "nomad",
"ipMasq": true,
"isGateway": true,
"forceAddress": true,
"hairpinMode": false,
"ipam": {
"type": "host-local",
"ranges": [
[
{
"subnet": "172.26.64.0/20"
}
]
],
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
},
{
"type": "firewall",
"backend": "iptables",
"iptablesAdminChainName": "NOMAD-ADMIN"
},
{
"type": "portmap",
"capabilities": {"portMappings": true},
"snat": true
}
]
}
```
</CodeBlockConfig>
This configuration uses the following CNI reference plugins:
- loopback: The loopback plugin sets the default local interface, lo0, created
inside the bridge network's network namespace to UP. This allows workload
running inside the namespace to bind to a namespace-specific loopback
interface.
- bridge: The [bridge][] plugin creates a bridge (virtual switch) named `nomad`
that resides in the host network namespace. Because Nomad intends this bridge
to provide network connectivity to allocations, we configured it to be a
gateway by setting `isGateway` to `true`. This tells the plugin to assign an
IP address to the bridge interface.
The bridge plugin connects allocations on the same host into a virtual switch
bridge that resides in the host network namespace. By default, Nomad creates
a single bridge for each client.
Since Nomad's bridge network is designed to provide network connectivity to
the allocations, Nomad configures the bridge interface to be a gateway for
outgoing traffic by providing it with an address using an `ipam`
configuration. The default configuration creates a host-local address for the
host side of the bridge in the `172.26.64.0/20` subnet at `172.26.64.1`.
When associating allocations to the bridge, Nomad creates addresses for the
allocations from that same subnet using the host-local plugin. The
configuration also specifies a default route for the allocations of the
host-side bridge address.
- firewall: The [firewall][] plugin creates firewall rules to allow traffic to
and from the allocation's IP address via the host network. Nomad uses the
iptables backend for the firewall plugin.
This configuration creates two new iptables chains, `CNI-FORWARD` and
`NOMAD-ADMIN`, in the filter table and adds rules that allow the given
interface to send and receive traffic.
The firewall creates an admin chain using the `iptablesAdminChainName` value,
which is `NOMAD-ADMIN` in this example. The admin chain is a user-controlled
chain for custom rules that run before rules managed by the firewall plugin.
The firewall plugin does not add, delete, or modify rules in the admin chain.
Nomad adds a new chain called `CNI-FORWARD` to to the `FORWARD` chain.
`CNI-FORWARD` is the chain where Nomad adds rules when it creates allocations
and removes the rules when those allocations stop. The `CNI-FORWARD` chain
first sends all traffic to the `NOMAD-ADMIN` chain.
Use the `iptables` command to list the iptables rules present in each chain.
```shell-session
$ sudo iptables -L
```
- portmap: Nomad needs to be able to map specific ports from the host to tasks
running in the allocation namespace. The [portmap][] plugin forwards traffic
from one or more ports on the host to the allocation using network address
translation (NAT) rules.
The plugin sets up two sequences of chains and rules:
- One primary destination NAT (DNAT) sequence to rewrite the destination.
- One source NAT (SNAT) sequence to masquerade traffic as needed.
Use the `iptables` command to list the iptables rules in the NAT table.
```shell-session
$ sudo iptables -t nat -L
```
Save your bridge network configuration file to a Nomad-accessible directory. By
default, Nomad loads configuration files from the `/opt/cni/config` directory.
However, you may configure a different location using the
[`cni_config_dir`](/nomad/docs/configuration/client#cni_config_dir) parameter.
Refer to the [Configure Nomad clients](#configure-nomad-clients) section for an
example.
## Configure Nomad clients
At plugin execution time, Nomad interprets your CNI network configuration and
transforms it into arguments for the plugins.
Nomad reads the following files from the
[`cni_config_dir`](/nomad/docs/configuration/client#cni_config_dir) parameter —
`/opt/cni/config` by default:
- `.conflist`: Nomad loads these files as [network
configurations](https://www.cni.dev/docs/spec/#configuration-format) that
contain a list of plugin configurations.
- `.conf` and `.json`: Nomad loads these files as individual [plugin
configurations](https://www.cni.dev/docs/spec/#plugin-configuration-objects)
for a specific network.
Add the [`cni_path`](/nomad/docs/configuration/client#cni_path) and
[`cni_config_dir`](/nomad/docs/configuration/client#cni_config_dir) attributes
to each client's `client.hcl` file.
This example uses the default values for both attributes.
<CodeBlockConfig filename="/etc/nomad.d/client.hcl">
```hcl
client {
enabled = true
cni_path = "opt/cni/bin"
cni_config_dir = "opt/cni/config"
}
```
</CodeBlockConfig>
## Next steps
Refer to [Use a CNI network with a job][] for job configuration details.
[cni-spec]: https://www.cni.dev/docs/spec/
[cni-plugin-docs]: https://www.cni.dev/plugins/current/
[bridge]: https://www.cni.dev/plugins/current/main/bridge/
[firewall]: https://www.cni.dev/plugins/current/meta/firewall/
[portmap]: https://www.cni.dev/plugins/current/meta/portmap/
[Use a CNI network with a job]: /nomad/docs/job-networking/cni
Reference in New Issue View Git Blame Copy Permalink