HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Nomad
Nomad Home

You are viewing documentation for pre-release version v1.11.0 (beta). View latest version.

Use the Isolated Fork/Exec task driver in a job

Name: exec

The exec driver is used to execute a particular command for a task. However, unlike raw_exec it uses the underlying isolation primitives of the operating system to limit the task's access to resources. While simple, since the exec driver can invoke any command, it can be used to call scripts or other wrappers which provide higher level features.

Refer to Configure the Isolated Fork/Exec task driver for capabilities, client requirements, and plugin configuration.

Task Configuration

task "webservice" {
  driver = "exec"

  config {
    command = "my-binary"
    args    = ["-flag", "1"]
  }
}

The exec driver supports the following configuration in the job spec:

  • command - The command to execute. Must be provided. If executing a binary that exists on the host, the path must be absolute and within the task's chroot or in a host volume mounted with a volume_mount block. The driver will make the binary executable and will search, in order:

    • The local directory with the task directory.
    • The task directory.
    • Any mounts, in the order listed in the job specification.
    • The usr/local/bin, usr/bin and bin directories inside the task directory.

    If executing a binary that is downloaded from an artifact, the path can be relative from the allocation's root directory.

  • args - (Optional) A list of arguments to the command. References to environment variables or any interpretable Nomad variables will be interpreted before launching the task.

  • pid_mode - (Optional) Set to "private" to enable PID namespace isolation for this task, or "host" to disable isolation. If left unset, the behavior is determined from the default_pid_mode in plugin configuration.

Warning: If set to "host", other processes running as the same user will be able to access sensitive process information like environment variables.

  • ipc_mode - (Optional) Set to "private" to enable IPC namespace isolation for this task, or "host" to disable isolation. If left unset, the behavior is determined from the default_ipc_mode in plugin configuration.

Warning: If set to "host", other processes running as the same user will be able to make use of IPC features, like sending unexpected POSIX signals.

  • cap_add - (Optional) A list of Linux capabilities to enable for the task. Effective capabilities (computed from cap_add and cap_drop) must be a subset of the allowed capabilities configured with allow_caps. Note that "all" is not permitted here if the allow_caps field in the driver configuration doesn't also allow all capabilities.
config {
  cap_add = ["net_raw", "sys_time"]
}
  • cap_drop - (Optional) A list of Linux capabilities to disable for the task. Effective capabilities (computed from cap_add and cap_drop) must be a subset of the allowed capabilities configured with allow_caps.
config {
  cap_drop = ["all"]
  cap_add  = ["chown", "sys_chroot", "mknod"]
}
  • work_dir - (Optional) Sets a custom working directory for the task. This path must be absolute and within the task's chroot or in a host volume mounted with a volume_mount block. This will also change the working directory when using nomad alloc exec.

Examples

To run a binary present on the Node:

task "example" {
  driver = "exec"

  config {
    # When running a binary that exists on the host, the path must be absolute.
    command = "/bin/sleep"
    args    = ["1"]
  }
}

To execute a binary downloaded from an artifact:

task "example" {
  driver = "exec"

  config {
    command = "name-of-my-binary"
  }

  artifact {
    source = "https://internal.file.server/name-of-my-binary"
    options {
      checksum = "sha256:abd123445ds4555555555"
    }
  }
}