HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Nomad
Nomad Home

You are viewing documentation for version v1.9.x. View latest version.

nomad var lock command reference

The var lock command holds a lock on a variable.

Usage

nomad var lock [options] <lock spec file reference> child...
nomad var lock [options] <path to store variable> [<variable spec file reference>] child

The lock command provides a mechanism for simple distributed locking. A lock is created in the given variable, and only when held, is a child process invoked.

The lock command can be called on an existing variable or an entire new variable specification can be provided to the command from a file by using an @-prefixed path to a variable specification file. Items to be stored in the variable can be supplied using the specification file as well.

Nomad lock launches its children in a shell. By default, Nomad will use the shell defined in the environment variable SHELL. If SHELL is not defined, it will default to /bin/sh. It should be noted that not all shells terminate child processes when they receive SIGTERM. Under Ubuntu, /bin/sh is linked to dash, which does not terminate its children. In order to ensure that child processes are killed when the lock is lost, be sure to set the SHELL environment variable appropriately, or run without a shell by setting -shell=false.

If [ACLs][] are enabled, this command requires the 'variables:write' capability for the destination namespace and path.

Restrictions

Variable paths are restricted to RFC3986 URL-safe characters that don't conflict with the use of the characters @ and . in template blocks. This includes alphanumeric characters and the special characters -, _, ~, and /. Paths may be up to 128 bytes long. The following regex matches the allowed paths: ^[a-zA-Z0-9-_~/]{1,128}$

The keys for the items in a variable may contain any character, but keys containing characters outside the set of Unicode letters, Unicode digits, and the underscore (_) can not be read directly using dotted references in Nomad's template engine. Instead, they require the use of the index template function to directly access their values. This does not impact cases where the keys and values are read using the range function.

Variable items are restricted to 64KiB in size. This limit is calculated by taking the sum of the length in bytes of all of the unencrypted keys and values.

General options

  • -address=<addr>: The address of the Nomad server. Overrides the NOMAD_ADDR environment variable if set. Defaults to http://127.0.0.1:4646.

  • -region=<region>: The region of the Nomad server to forward commands to. Overrides the NOMAD_REGION environment variable if set. Defaults to the Agent's local region.

  • -namespace=<namespace>: The target namespace for queries and actions bound to a namespace. Overrides the NOMAD_NAMESPACE environment variable if set. If set to '*', subcommands which support this functionality query all namespaces authorized to user. Defaults to the "default" namespace.

  • -no-color: Disables colored command output. Alternatively, NOMAD_CLI_NO_COLOR may be set. This option takes precedence over -force-color.

  • -force-color: Forces colored command output. This can be used in cases where the usual terminal detection fails. Alternatively, NOMAD_CLI_FORCE_COLOR may be set. This option has no effect if -no-color is also used.

  • -ca-cert=<path>: Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. Overrides the NOMAD_CACERT environment variable if set.

  • -ca-path=<path>: Path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate. If both -ca-cert and -ca-path are specified, -ca-cert is used. Overrides the NOMAD_CAPATH environment variable if set.

  • -client-cert=<path>: Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify -client-key. Overrides the NOMAD_CLIENT_CERT environment variable if set.

  • -client-key=<path>: Path to an unencrypted PEM encoded private key matching the client certificate from -client-cert. Overrides the NOMAD_CLIENT_KEY environment variable if set.

  • -tls-server-name=<value>: The server name to use as the SNI host when connecting via TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.

  • -tls-skip-verify: Do not verify TLS certificate. This is highly not recommended. Verification will also be skipped if NOMAD_SKIP_VERIFY is set.

  • -token: The SecretID of an ACL token to use to authenticate API requests with. Overrides the NOMAD_TOKEN environment variable if set.

Lock options

  • -verbose: Provides additional information via standard error to preserve standard output (stdout) for redirected output.

  • ttl: Optional, TTL for the lock, time the variable will be locked. Defaults to 15s.

  • delay: Optional, time the variable is blocked from locking when a lease is not renewed. Defaults to 15s.

  • max-retry:Optional, max-retry up to this number of times if Nomad returns a 500 error while monitoring the lock. This allows riding out brief periods of unavailability without causing leader elections, but increases the amount of time required to detect a lost lock in some cases. Defaults to 5. Set to 0 to disable.

  • shell: Optional, use a shell to run the command (can set a custom shell via the SHELL environment variable). The default value is true.

Examples

Attempts to acquire a lock over the variable at path "secret/creds" for a time of 15s and executes nomad job run webapp.nomad.hcl if it succeeds:

$ nomad var lock -ttl=15s secret/creds "nomad job run webapp.nomad.hcl"

The data can also be consumed from a file on disk by prefixing with the "@" symbol. For example, you can store a variable using a specification created with the nomad var init command.

$ nomad var lock secret/foo @spec.nv.json `nomad job run webapp.nomad.hcl`