The agent command is the heart of Nomad: it runs the agent that handles client or server functionality, including exposing interfaces for client consumption and running jobs.
Due to the power and flexibility of this command, the Nomad agent is documented in its own section. See the Nomad Agent guide and the Configuration documentation section for more information on how to use this command and the options it has.
Note: If you are running Nomad on Linux, you'll need to run client agents as root (or with sudo) so that cpuset accounting and network namespaces work.
A subset of the available Nomad agent configuration can optionally be passed in via CLI arguments. The agent command accepts the following arguments:
-client: Enable client mode on the local agent.
-config=<path>: Specifies the path to a configuration file or a directory of configuration files to load. Can be specified multiple times.
-dev: Start the agent in development mode. This enables a pre-configured dual-role agent (client + server) which is useful for developing or testing Nomad. No other configuration is required to start the agent in this mode, but you may pass an optional comma-separated list of mode configurations:
-dev-connect: Start the agent in development mode, but bind to a public network interface rather than localhost for using Consul Connect. It may be used with -dev-consul to configure default workload identities for Consul. This mode is supported only on Linux as root.
-dev-consul: Starts the agent in development mode with a default Consul configuration for Nomad workload identity. It may be used with -dev-connect to configure the agent for Consul Service Mesh.
-dev-vault: Starts the agent in development mode with a default Vault configuration for Nomad workload identity.
-join=<address>: Address of another agent to join upon starting up. This can be specified multiple times to specify multiple agents to join.
-retry-join: Similar to -join but allows retrying a join if the first attempt fails.
$ nomad agent -retry-join "127.0.0.1:4648"
retry-join can be defined as a command line flag only for servers. Clients can configure retry-join only in configuration files.
-server: Enable server mode on the local agent.
-vault-enabled: Whether to enable or disable Vault integration.
-vault-address=<addr>: The address to communicate with Vault.
-vault-token=<token>: The Vault token used to derive tokens. Only needs to be set on Servers. Overrides the Vault token read from the VAULT_TOKEN environment variable.
-vault-create-from-role=<role>: The role name to create tokens for tasks from.
-vault-ca-file=<path>: Path to a PEM-encoded CA cert file used to verify the Vault server SSL certificate.
-vault-ca-path=<path>: Path to a directory of PEM-encoded CA cert files used to verify the Vault server SSL certificate.
-vault-cert-file=<path>: The path to the certificate for Vault communication.
-vault-key-file=<path>: The path to the private key for Vault communication.
-vault-namespace=<namespace>: The Vault namespace used for the integration. Required for servers and clients. Overrides the Vault namespace read from the VAULT_NAMESPACE environment variable.
-vault-tls-skip-verify: A boolean that determines whether to skip SSL certificate verification.
-vault-tls-server-name=<name>: Used to set the SNI host when connecting to Vault over TLS.
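
The following is an added example, not part of the Nomad documentation or code base: a POSIX shell lint that reviews a `nomad agent` argument list for the flags described above that deserve attention before production use (development modes, a Vault token in argv, skipped TLS verification, and `-retry-join` on a client-only agent). The function name `audit_nomad_agent_args` and the HIGH/WARN labels are hypothetical, and the sample invocation is constructed.

```shell
#!/bin/sh
# Added example: lint a `nomad agent` argument list. Prints one finding per
# line ("LEVEL flag: reason") and never echoes flag values such as tokens.
audit_nomad_agent_args() {
  client=0 server=0 dev=0 retry=0
  for arg in "$@"; do
    case "$arg" in --*) arg="${arg#-}" ;; esac   # Go-style flags accept -x and --x
    case "$arg" in
      -client) client=1 ;;
      -server) server=1 ;;
      -retry-join|-retry-join=*) retry=1 ;;
      -dev-connect)
        dev=1
        echo "HIGH -dev-connect: development mode bound to a public interface, not localhost" ;;
      -dev|-dev=*|-dev-consul|-dev-vault)
        dev=1
        echo "HIGH ${arg%%=*}: development mode is meant for developing or testing" ;;
      -vault-token|-vault-token=*)
        # Assumption: argv can be read by other local users via process listings.
        echo "HIGH -vault-token: token passed in argv; prefer the VAULT_TOKEN environment variable" ;;
      -vault-tls-skip-verify|-vault-tls-skip-verify=*)
        case "${arg#*=}" in
          0|f|F|false|FALSE|False) ;;              # explicitly disabled
          *) echo "HIGH -vault-tls-skip-verify: Vault certificate verification is skipped" ;;
        esac ;;
    esac
  done
  # Per the page, -retry-join works on the command line only for servers;
  # -dev counts as a server role because it starts a dual-role agent.
  if [ "$retry" -eq 1 ] && [ "$client" -eq 1 ] && [ "$server" -eq 0 ] && [ "$dev" -eq 0 ]; then
    echo "WARN -retry-join: client-only agent; clients configure retry-join in configuration files"
  fi
  return 0
}

# Constructed sample invocation (placeholder token, not a real credential).
audit_nomad_agent_args -client -retry-join "127.0.0.1:4648" \
  -vault-enabled -vault-token=PLACEHOLDER -vault-tls-skip-verify
```

The lint inspects only the command line, so server mode or Vault settings supplied through `-config` files are outside what it can see.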