HashiCorp Nomad driver plugin that uses firejail to execute tasks.
Clone repository
git clone git@github.com:msuarezd/nomad-plugin-firejail.git
Enter the repository directory and run make to build the plugin:
cd nomad-plugin-firejail
make
You can configure the path to the firejail binary in the Nomad client's plugin block:
plugin "firejail" {
  config {
    firejail_path = "path/to/firejail"
  }
}
If not configured, Nomad will look for it in the standard path.
A task that uses the driver is configured like this:
group "example" {
  task "dummy" {
    driver = "firejail"
    config {
      options = ["-firejail", "-commandline", "-options"]
      command = "/bin/command"
      args    = ["-option1", "option2"]
    }
  }
}
As firejail supports profiles, it is recommended that you write a profile for your applications and download it as an artifact:
artifact {
  source      = "https://example.com/your_app_profile"
  destination = "local/firejail.profile"
  mode        = "file"
}
Then you can specify it using options:
options = ["--profile", "local/firejail.profile"]
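Putting the pieces above together, here is an added example of a complete job spec (not part of this repository) that sandboxes a batch task with a constructed profile. Instead of downloading the profile as an artifact it is rendered from an inline template stanza into the same local/firejail.profile path; the command /usr/local/bin/worker and its arguments are hypothetical, and the profile directives (caps.drop, seccomp, noroot, nonewprivs, net none, private-tmp, private-dev) are standard firejail profile commands.

```hcl
job "sandboxed-worker" {
  datacenters = ["dc1"]
  type        = "batch"

  group "example" {
    task "worker" {
      driver = "firejail"

      # Constructed profile: drop all capabilities, enable the default
      # seccomp filter, forbid root and privilege escalation, detach the
      # task from the network and give it private /tmp and /dev.
      template {
        destination = "local/firejail.profile"
        data        = <<EOF
caps.drop all
seccomp
noroot
nonewprivs
net none
private-tmp
private-dev
EOF
      }

      config {
        # --profile= is the form documented in the firejail man page;
        # --quiet suppresses firejail's own banner in the task log.
        options = ["--profile=local/firejail.profile", "--quiet"]
        command = "/usr/local/bin/worker"   # hypothetical binary
        args    = ["--input", "local/job.dat"]
      }

      resources {
        cpu    = 100
        memory = 64
      }
    }
  }
}
```

Because the profile is rendered before the task starts, a change to the profile in the job file is picked up on the next nomad job run without touching the artifact source.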
Firejail allows you to isolate the running environment of your jobs using the usual Linux kernel features (namespaces, seccomp-bpf, capabilities) without having to use a (Docker) container image. It is lightweight and can work with SELinux or AppArmor. This lets you do the same as the raw_exec or exec driver (without the chroot overhead), with flexibility in how you secure the running environment of your task.
For more information on firejail see the firejail documentation. Firejail is included in all major Linux distributions.