Containerized Orchestration
Docker
Nomad supports Docker workloads natively: the docker task driver is bundled with the Nomad binary, so nothing extra needs to be installed on client nodes beyond Docker itself. Configuration options for your tasks can be found here: https://developer.hashicorp.com/nomad/docs/drivers/docker
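The job below is an added example, not code from the original page or from HashiCorp; it shows the Docker task configuration options a security engineer would set for an ordinary service. The image name, port, and resource numbers are assumptions; `privileged`, `readonly_rootfs`, `cap_drop` and `pids_limit` are options from the driver page linked above.

```hcl
job "web" {
  datacenters = ["dc1"]
  type        = "service"

  group "web" {
    network {
      port "http" { to = 8080 }
    }

    task "app" {
      driver = "docker"

      config {
        # Assumed image; pin a tag (better: a digest) rather than "latest".
        image = "registry.example.com/app:1.4.2"
        ports = ["http"]
        args  = ["--listen", ":8080"]

        # Hardening options from the docker driver task configuration.
        privileged      = false   # the default; the client also refuses it unless allow_privileged is set
        readonly_rootfs = true    # writable state belongs in NOMAD_TASK_DIR or a declared volume
        cap_drop        = ["all"] # listening on 8080 (unprivileged port) needs no capabilities
        pids_limit      = 256     # bounds fork bombs inside the container
      }

      resources {
        cpu    = 200
        memory = 128
      }
    }
  }
}
```

The task-level settings only restrict what a job asks for; enforcing them cluster-wide is done in the client's `plugin "docker"` configuration (for example `allow_privileged` and `allow_caps`), so a job author cannot simply flip `privileged = true`.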
Podman
Unlike Docker, the Podman driver is a separate plugin: operators must download it and make it available on every client node, in the client's configured plugin directory.
Podman runs OCI containers, and its command line tool is intended as a drop-in replacement for docker that supports most of the same options.
Task configuration options can be found here: https://developer.hashicorp.com/nomad/plugins/drivers/podman#task-configuration
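An added example (not from the original page or the plugin's own documentation) of the two pieces the Podman driver needs: the client-side plugin stanza that points Nomad at the plugin binary and the Podman socket, and a task that uses it. The plugin directory, socket path, and image are assumptions; `socket_path`, `volumes`, `readonly_rootfs` and `cap_drop` are options documented on the plugin page linked above.

```hcl
# --- Client agent configuration (assumed path: /etc/nomad.d/client.hcl) ---
plugin_dir = "/opt/nomad/plugins"   # the nomad-driver-podman binary must be here

plugin "nomad-driver-podman" {
  config {
    # Rootful Podman socket (assumed); rootless Podman uses /run/user/<uid>/podman/podman.sock
    socket_path = "unix:///run/podman/podman.sock"

    volumes {
      enabled = false   # do not let job authors bind-mount arbitrary host paths
    }
  }
}

# --- Job file: same shape as a Docker job, only the driver name changes ---
job "web-podman" {
  datacenters = ["dc1"]
  type        = "service"

  group "web" {
    network {
      port "http" { to = 8080 }
    }

    task "app" {
      driver = "podman"

      config {
        image = "docker://registry.example.com/app:1.4.2"   # assumed image; transport prefix optional
        ports = ["http"]
        args  = ["--listen", ":8080"]

        readonly_rootfs = true
        cap_drop        = ["all"]
      }

      resources {
        cpu    = 200
        memory = 128
      }
    }
  }
}
```

Because the driver is loaded from `plugin_dir`, a node without the binary will simply report no `podman` driver and the scheduler will not place these tasks there; check `nomad node status -verbose <node>` for the driver's health before assuming a placement failure is a job problem.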
Non-Containerized Orchestration
In addition to containers, Nomad supports non-containerized workloads as well. Below we discuss the various task drivers that can be used and recommendations for each.
Exec2
The Exec2 driver executes a command for a task. It offers a security model optimized for running 'ordinary' processes with very low startup times and minimal overhead in terms of CPU, disk, and memory utilization. It leverages kernel features such as the Landlock LSM, cgroups v2, and the unshare system utility to restrict what the process can see and touch. This makes it a good fit for batch jobs, legacy workloads, or any other workload that is executable directly on the underlying host.
- The `exec2` task driver is not built into Nomad. It must be installed via a package manager or downloaded onto the client host into the configured plugin directory. Refer to the plugin page for client requirements and capabilities.
- By default the `exec2` driver exposes a set of default paths. These can be customized, and additional allowable paths can be specified either at the plugin level, which applies to all tasks using the `exec2` driver, or at the task level, which applies only to that task.
- If a path is not exposed by the driver, it cannot be used in job files.
Raw Exec
Unlike Exec2, the Raw Exec driver executes a command for a task without any isolation. Further, the task runs as the same user as the Nomad process, which on most client nodes is root. As such, it should be used with extreme care and is disabled by default. You should consider Raw Exec only if you:
- Are confident in your node isolation and security posture
- Do not want the overhead of managing exposed paths with Exec2
- Prefer to manage cgroups yourself
For both Exec2 and Raw Exec, Nomad is effectively running a command as if you had typed it at a terminal on that machine: any dependencies must already exist on the host, or be fetched into the task directory before the task starts. Weigh the tradeoff between standardized client images and node pools versus lifecycle blocks and artifact blocks within your job files. If a job has a long list of dependencies, downloading and cleaning up all of the artifacts on every allocation can take a long time. Refer to the [dependency] section for more information.
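An added example, not from the original page or from HashiCorp, that puts the Exec2 and Raw Exec material above side by side: the client-side plugin stanzas (exec2 with its default paths kept, extra paths granted at the plugin and task level; raw_exec explicitly enabled) and a batch job with one task per driver, including an artifact block for the dependency tradeoff just discussed. The plugin directory, artifact URL, binary names and paths are assumptions; `unveil_defaults`, `unveil_paths`, `unveil_by_task` and the task-level `unveil` list are options documented on the exec2 plugin page.

```hcl
# --- Client agent configuration (assumed path: /etc/nomad.d/client.hcl) ---
plugin_dir = "/opt/nomad/plugins"   # nomad-driver-exec2 binary lives here

# exec2: keep the driver's default path set, let tasks request extra paths,
# and give every exec2 task read access to the system CA bundle.
plugin "nomad-driver-exec2" {
  config {
    unveil_defaults = true
    unveil_by_task  = true                  # without this, a task-level unveil list is rejected
    unveil_paths    = ["r:/etc/ssl/certs"]  # mode:path, modes are r, w, x, c
  }
}

# raw_exec: off by default. Enabling it means any job author with submit
# rights on this node can run arbitrary commands as the Nomad user.
plugin "raw_exec" {
  config {
    enabled = true
  }
}

# --- Job file ---
job "reports" {
  datacenters = ["dc1"]
  type        = "batch"

  group "nightly" {
    task "generate" {
      driver = "exec2"

      # Dependency fetched on every allocation (the tradeoff discussed above).
      artifact {
        source = "https://artifacts.example.com/reportgen/1.2.0/reportgen"  # assumed URL
        options {
          checksum = "sha256:<expected digest>"  # placeholder; pin it so a swapped binary fails to start
        }
      }

      config {
        command = "${NOMAD_TASK_DIR}/reportgen"          # the task directory is exposed by default
        args    = ["--out", "${NOMAD_ALLOC_DIR}/data"]
        unveil  = ["r:/usr/share/zoneinfo"]              # task-level addition; only honored with unveil_by_task = true
      }
    }

    task "cleanup" {
      driver = "raw_exec"   # no sandbox: host view, same user as the Nomad agent

      lifecycle {
        hook = "poststop"
      }

      config {
        command = "/usr/local/bin/cleanup-reports"   # must already exist on the host (assumed path)
      }
    }
  }
}
```

Reading `/etc/passwd` from the `generate` task would fail, because neither the defaults nor the two unveil lists expose it; the same read from the `cleanup` task would succeed, which is exactly the difference the two drivers make.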