| layout | page_title | description |
|---|---|---|
docs |
Drivers: podman |
The Podman task driver uses podman (https://podman.io/) for containerizing tasks. |
Name: podman
The Podman task driver plugin for Nomad uses the Pod Manager (podman) daemonless container runtime for executing Nomad tasks. Podman supports OCI containers and its command line tool is meant to be [a drop-in replacement] podman-cli for docker.
Source is on GitHub
You can download a precompiled binary and verify the
binary using the available SHA-256 sums. After downloading nomad-driver-podman
driver, unzip the package. Make sure that the nomad-driver-podman binary is
available on your plugin_dir path,
specified by the client's config file, before continuing with the other guides.
Install the required packages.
$ sudo apt-get update && \
sudo apt-get install wget gpg coreutils
Add the HashiCorp [GPG key][gpg-key].
$ wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
Add the official HashiCorp Linux test repository.
$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
Update and install.
$ sudo apt-get update && sudo apt-get install -y nomad-driver-podman
Install yum-config-manager to manage your repositories.
$ sudo yum install -y yum-utils
Use yum-config-manager to add the official HashiCorp Linux repository.
$ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
Install.
$ sudo yum -y install nomad-driver-podman
The example job created by nomad init -short is easily adapted
to use Podman instead:
job "redis" {
group "cache" {
network {
port "redis" { to = 6379 }
}
task "redis" {
driver = "podman"
config {
image = "docker.io/library/redis:7"
ports = ["redis"]
}
}
}
}Refer to the project's homepage for details.
The Podman task driver is not built into Nomad. It must be downloaded onto the client host in the configured plugin directory.
- Linux host with
podmaninstalled - For rootless containers you need a system supporting cgroups v2 and a few other things, follow this tutorial.
You need a v3.x or higher podman binary and a system socket [activation unit] rest_api. It is recommended to install podman via your system's package manager, which will configure systemd for you.
Ensure that Nomad can find the plugin, refer to plugin_dir.
The podman driver implements the following capabilities.
| Feature | Implementation |
|---|---|
nomad alloc signal |
true |
nomad alloc exec |
true |
| filesystem isolation | image |
| network isolation | host, group, task, none |
| volume mounting | true |
-
args- (Optional) A list of arguments to the optional command. If nocommandis specified, the arguments are passed directly to the container.config { args = [ "arg1", "arg2", ] }
-
auth- (Optional) Authenticate to the image registry using a static credential. By setting tlsVerify to false the driver will allow using self- signed certificates or plain HTTP connections to the registry.config { image = "your.registry.tld/some/image" auth { username = "someuser" password = "sup3rs3creT" tlsVerify = false } }
-
cap_add- (Optional) A list of Linux capabilities as strings to pass to--cap-add.config { cap_add = [ "SYS_TIME" ] }
-
cap_drop- (Optional) A list of Linux capabilities as strings to pass to--cap-drop.config { cap_drop = [ "MKNOD" ] }
-
command- (Optional) The command to run when starting the container.config { command = "some-command" }
-
devices- (Optional) A list ofhost-device[:container-device][:permissions]definitions. Each entry adds a host device to the container. Optional permissions can be used to specify device permissions, it is a combination ofrfor read,wfor write, andmformknod(2). Refer to Podman's documentation for more details.config { devices = [ "/dev/net/tun" ] }
-
entrypoint- (Optional) The entrypoint for the container. Defaults to theentrypointset in the image.config { entrypoint = "/entrypoint.sh" }
-
force_pull- (Optional)trueorfalse(default). Always pull the latest image on container start.config { force_pull = true }
-
hostname- (Optional) The hostname to assign to the container. When launching more than one of a task (usingcount) with this option set, every container the task starts will have the same hostname. -
image- The image to run. Accepted transports aredocker(default if missing),oci-archiveanddocker-archive. Images referenced as short-names will be treated according to user-configured preferences.config { image = "docker://redis" }
-
extra_hosts- (Optional) Set additional hosts in the containerconfig { extra_hosts = ["test4.localhost:127.0.0.2", "test6.localhost:[::1]"] }
-
image_pull_timeout- (Optional) Time duration for your pull timeout (default to"5m"). Cannot be longer than theclient_http_timeout.config { image_pull_timeout = "5m" }
-
init- (Optional) Run aninitinside the container that forwards signals and reaps processes.config { init = true }
-
init_path- (Optional) Path to thecontainer-initbinary.config { init = true init_path = "/usr/libexec/podman/catatonit" }
-
labels- (Optional) Set labels on the container.config { labels = { "nomad" = "job" } }
-
logging- (Optional) Configure logging. Also refer to the plugin optiondisable_log_collection.driver = "nomad"- (Default) Podman redirects its combinedstdout/stderrlogstream directly to a Nomadfifo. Benefits of this mode are: zero overhead, don't have to worry about log rotation at system or Podman level. Downside: you cannot easily ship the logstream to a log aggregator plusstdout/stderris multiplexed into a single stream.
config { logging = { driver = "nomad" } }
driver = "journald"- The container log is forwarded from Podman to thejournaldon your host. Next, it's pulled by the Podman API back from the journal into the Nomadfifo(controllable bydisable_log_collection). Benefits: all containers can log into the host journal, you can ship a structured stream including metadata to your log aggregator. No log rotation at Podman level. You can add additional tags to the journal. Drawbacks: a bit more overhead, depends on Journal (will not work on WSL2). You should configure some rotation policy for your Journal. Ensure you're running Podman 3.1.0 or higher because of bugs in older versions.
config { logging = { driver = "journald" options = [ { "tag" = "redis" } ] } }
-
memory_reservation- (Optional) Memory soft limit (units =b(bytes),k(kilobytes),m(megabytes), org(gigabytes)).After setting memory reservation, when the system detects memory contention or low memory, containers are forced to restrict their consumption to their reservation. So you should always set the value below
--memory, otherwise the hard limit will take precedence. By default, memory reservation will be the same as memory limit.config { memory_reservation = "100m" }
-
memory_swap- (Optional) A limit value equal to memory plus swap. The swap limit should always be larger than the memory value. Unit can beb(bytes),k(kilobytes),m(megabytes), org(gigabytes). If you don't specify a unit,bis used. SetLIMITto-1to enable unlimited swap.config { memory_swap = "180m" }
-
memory_swappiness- Tune a container's memory swappiness behavior. Accepts an integer between0and100.config { memory_swappiness = 60 }
-
network_mode- (Optional) Set the network mode for the container. By default the task uses the network stack defined in the task groupnetworkblock. If the groups network behavior is also undefined, it will fallback tobridgein rootful mode orslirp4netnsfor rootless containers.bridge- (Default for rootful) Create a network stack on the default Podman bridge.container:id- Reuse another container's network stack.host- Use the Podman host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.none- No networking.slirp4netns- (Default for rootless) Useslirp4netnsto create a user network stack. Podman currently does not support this option for rootful containers (issue).task:name-of-other-task: Join the network of another task in the same allocation.
config { network_mode = "bridge" }
-
ports- (Optional) Forward and expose ports. Refer to Docker driver configuration for details. -
privileged- (Optional)trueorfalse(default). A privileged container turns off the security features that isolate the container from the host. Dropped Capabilities, limited devices, read-only mount points, Apparmor/SELinux separation, and Seccomp filters are all disabled. -
readonly_rootfs- (Optional)trueorfalse(default). Mount the rootfs as read-only.config { readonly_rootfs = true }
-
sysctl- (Optional) A key-value map ofsysctlconfigurations to set to the containers on start.config { sysctl = { "net.core.somaxconn" = "16384" } }
-
tmpfs- (Optional) A list of/container_pathstrings fortmpfsmount points. Refer topodman run --tmpfsoptions for details.config { tmpfs = [ "/var" ] }
-
tty- (Optional)trueorfalse(default). Allocate a pseudo-TTY for the container. -
volumes- (Optional) A list ofhost_path:container_path:optionsstrings to bind host paths to container paths. Named volumes are not supported.config { volumes = [ "/some/host/data:/container/data:ro,noexec" ] }
-
working_dir- (Optional) The working directory for the container. Defaults to the default set in the image.config { working_dir = "/data" }
-
ulimit- (Optional) A key-value map of ulimit configurations to set to the containers to start.config { ulimit { nproc = "4242" nofile = "2048:4096" } }
Additionally, the Podman driver supports customization of the container's user
through the task's user option.
Nomad lifecycle hooks combined with the drivers
network_mode allows very flexible network namespace definitions. This
feature does not build upon the native Podman pod structure but simply reuses
the networking namespace of one container for other tasks in the same group.
A typical example is a network server and a metric exporter or log shipping
sidecar. The metric exporter needs access to a private monitoring port which
should not be exposed to the network and thus is usually bound to localhost.
The nomad-driver-podman repository includes three different
examples jobs for such a setup. All of them will start a
nats server and a
prometheus-nats-exporter
using different approaches.
You can use curl to prove that the job is working correctly and that you can
get Prometheus metrics:
$ curl http://your-machine:7777/metrics
Reference examples/jobs/nats_simple_pod.nomad.
Here, the server task is started as main workload and the exporter runs as
a poststart sidecar. Because of that, Nomad guarantees that the server is
started first and thus the exporter can easily join the servers network
namespace via network_mode = "task:server".
Note, that the server configuration file binds the http_port to
localhost.
Be aware that ports must be defined in the parent network namespace, here
server.
Reference examples/jobs/nats_pod.nomad.
A slightly different setup is demonstrated in this job. It reassembles more
closesly the idea of a pod by starting a pause task, named pod via a
prestart sidecar hook.
Next, the main workload, server is started and joins the network namespace by
using the network_mode = "task:pod" block. Finally, Nomad starts the
poststart sidecar exporter which also joins the network.
Note that all ports must be defined on the pod level.
Reference examples/jobs/nats_group.nomad.
This example is very different. Both server and exporter join a network
namespace which is created and managed by Nomad itself. Refer to Nomad's
network block to get started with this generic approach.
The Podman plugin has options which may be customized in the agent's configuration file.
-
disable_log_collection(bool: false)- Setting this totruewill disable Nomad logs collection of Podman tasks. If you don't rely on Nomad log capabilities and exclusively use host based log aggregation, you may consider this option to disable Nomad log collection overhead. Beware that you also lose automatic log rotation.plugin "nomad-driver-podman" { config { disable_log_collection = false } }
-
gcblock:container- Defaults totrue. This option can be used to disable Nomad from removing a container when the task exits.
plugin "nomad-driver-podman" { config { gc { container = false } } }
-
recover_stopped- (Deprecated) Defaults tofalse. Allows the driver to start and reuse a previously stopped container after a Nomad client restart. Consider a simple single node system and a complete reboot. All previously managed containers will be reused instead of disposed and recreated.!> This option may cause Nomad client to hang on startup. It now defaults to being disabled and may be removed in a future release.
plugin "nomad-driver-podman" { config { recover_stopped = false } }
-
socket_path(string)- Defaults tounix://run/podman/io.podmanwhen running asrootor a cgroup V1 system, andunix://run/user/<USER_ID>/podman/io.podmanfor rootless cgroup V2 systems. -
disable_log_collection(bool: false)- Setting this totruewill disable Nomad logs collection of Podman tasks. If you don't rely on Nomad log capabilities and exclusively use host based log aggregation, you may consider this option to disable Nomad log collection overhead. Beware to you also lose automatic log rotation.plugin "nomad-driver-podman" { config { disable_log_collection = false } }
-
client_http_timeout(string: "60s")- Default timeout used byhttp.Clientrequests.plugin "nomad-driver-podman" { config { client_http_timeout = "60s" } }
-
volumesblock:enabled- Defaults totrue. Allows tasks to bind host paths (volumes) inside their container.selinuxlabel- Allows the operator to set a SELinux label to the allocation and task local bind-mounts to containers. If used withvolumes.enabledset to false, the labels will still be applied to the standard binds in the container.
plugin "nomad-driver-podman" { config { volumes { enabled = true selinuxlabel = "z" } } }