{"id":22412364,"url":"https://github.com/hashicorp/nomad-driver-podman","last_synced_at":"2026-05-29T06:02:01.897Z","repository":{"id":37380169,"uuid":"195635343","full_name":"hashicorp/nomad-driver-podman","owner":"hashicorp","description":"A nomad task driver plugin for sandboxing workloads in podman containers","archived":false,"fork":false,"pushed_at":"2026-05-26T04:45:39.000Z","size":11572,"stargazers_count":20,"open_issues_count":39,"forks_count":7,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-05-26T06:09:33.820Z","etag":null,"topics":["containers","dockerless","nomad","nomad-podman-driver","podman","sandbox"],"latest_commit_sha":null,"homepage":"https://developer.hashicorp.com/nomad/plugins/drivers/podman","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hashicorp.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-07-07T09:54:48.000Z","updated_at":"2026-05-20T05:37:47.000Z","dependencies_parsed_at":"2026-04-09T06:02:13.206Z","dependency_job_id":null,"html_url":"https://github.com/hashicorp/nomad-driver-podman","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/hashicorp/nomad-driver-podman","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fnomad-driver-podman","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fnomad-driver
-podman/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fnomad-driver-podman/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fnomad-driver-podman/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hashicorp","download_url":"https://codeload.github.com/hashicorp/nomad-driver-podman/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fnomad-driver-podman/sbom","scorecard":{"id":383909,"data":{"date":"2025-08-11","repo":{"name":"github.com/hashicorp/nomad-driver-podman","commit":"48f25d25e296f482ca7ceaf3d51f4494864a709c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.3,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"14 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns 
detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/jira-sync.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/nightly-release.yml:125","Warn: no topLevel permission defined: .github/workflows/tests.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":7,"reason":"dependency not pinned by hash detected -- score normalized to 7","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/hashicorp/nomad-driver-podman/build.yml/main?enable=pin","Warn: 
third-party GitHubAction not pinned by hash: .github/workflows/build.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/hashicorp/nomad-driver-podman/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/hashicorp/nomad-driver-podman/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/tests.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/hashicorp/nomad-driver-podman/tests.yml/main?enable=pin","Info:  12 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   9 out of  13 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Mozilla Public License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact nightly not signed: https://api.github.com/repos/hashicorp/nomad-driver-podman/releases/68618469","Warn: release artifact nightly does not have provenance: 
https://api.github.com/repos/hashicorp/nomad-driver-podman/releases/68618469"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":6,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Info: 'last push approval' is required to merge on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/hashicorp/.github/SECURITY.md:1","Info: Found linked content: github.com/hashicorp/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/hashicorp/.github/SECURITY.md:1","Info: Found text in security policy: github.com/hashicorp/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities 
detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T16:08:09.201Z","repository_id":37380169,"created_at":"2025-08-18T16:08:09.201Z","updated_at":"2025-08-18T16:08:09.201Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33639055,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","dockerless","nomad","nomad-podman-driver","podman","sandbox"],"created_at":"2024-12-05T14:08:14.817Z","updated_at":"2026-05-29T06:01:59.848Z","avatar_url":"https://github.com/hashicorp.png","language":"Go","funding_links":[],"categories":["Plugins"],"sub_categories":["User Interfaces and Dashboards"],"readme":"Nomad podman 
Driver\n==================\n\n![](https://github.com/hashicorp/nomad-driver-podman/workflows/build/badge.svg)\n\nMany thanks to [@towe75](https://github.com/towe75) and [Pascom](https://www.pascom.net/) for contributing\nthis plugin to Nomad!\n\n## Features\n\n* Use the job's driver config to define the image for your container\n* Start/stop containers with the default or a custom entrypoint and arguments\n* [Nomad runtime environment](https://www.nomadproject.io/docs/runtime/environment.html) is populated\n* Use Nomad alloc data in the container\n* Bind mount custom volumes into the container\n* Publish ports\n* Monitor memory consumption\n* Monitor CPU usage\n* Task config cpu value is used to populate podman CpuShares\n* Task config cores value is used to populate podman Cpuset\n* Container log is forwarded to [Nomad logger](https://www.nomadproject.io/docs/commands/alloc/logs.html)\n* Utilize podman's --init feature\n* Set the username or UID used for the specified command within the container (podman --user option)\n* Fine tune memory usage: standard [Nomad memory resource](https://www.nomadproject.io/docs/job-specification/resources.html#memory) plus additional driver specific swap, swappiness and reservation parameters, OOM handling\n* Supports both rootful and rootless podman sockets with cgroup V2\n* Set DNS servers, searchlist and options via [Nomad dns parameters](https://www.nomadproject.io/docs/job-specification/network#dns-parameters)\n* Support for nomad shared network namespaces and consul connect\n* Quite flexible [network configuration](#network-configuration), which allows you to build pod-like structures within a nomad group\n\n## Redis Example job\n\nHere is a simple redis \"hello world\" example:\n\n```hcl\njob \"redis\" {\n  datacenters = [\"dc1\"]\n  type        = \"service\"\n\n  group \"redis\" {\n    network {\n      port \"redis\" { to = 6379 }\n    }\n\n    task \"redis\" {\n      driver = \"podman\"\n\n        config {\n          image = 
\"docker://redis\"\n          ports = [\"redis\"]\n        }\n\n      resources {\n        cpu    = 500\n        memory = 256\n      }\n    }\n  }\n}\n```\n\n```sh\nnomad run redis.nomad\n\n==\u003e Monitoring evaluation \"9fc25b88\"\n    Evaluation triggered by job \"redis\"\n    Allocation \"60fdc69b\" created: node \"f6bccd6d\", group \"redis\"\n    Evaluation status changed: \"pending\" -\u003e \"complete\"\n==\u003e Evaluation \"9fc25b88\" finished with status \"complete\"\n\npodman ps\n\nCONTAINER ID  IMAGE                           COMMAND               CREATED         STATUS             PORTS  NAMES\n6d2d700cbce6  docker.io/library/redis:latest  docker-entrypoint...  16 seconds ago  Up 16 seconds ago         redis-60fdc69b-65cb-8ece-8554-df49321b3462\n```\n\n## Building The Driver from source\n\nThis project has a `go.mod` definition. So you can clone it to whatever directory you want.\nIt is not necessary to setup a go path at all.\nEnsure that you use go 1.17 or newer.\n\n```shell-session\ngit clone git@github.com:hashicorp/nomad-driver-podman\ncd nomad-driver-podman\nmake dev\n```\n\nThe compiled binary will be located at `./build/nomad-driver-podman`.\n\n## Runtime dependencies\n\n* [Nomad](https://www.nomadproject.io/downloads.html) 0.12.9+\n* Linux host with `podman` installed\n* For rootless containers you need a system supporting cgroup V2 and a few other things, follow [this tutorial](https://github.com/containers/libpod/blob/master/docs/tutorials/rootless_tutorial.md)\n\nYou need a 3.0.x podman binary and a system socket activation unit,\nsee \u003chttps://www.redhat.com/sysadmin/podmans-new-rest-api\u003e\n\nNomad agent, nomad-driver-podman and podman will reside on the same host, so you\ndo not have to worry about the ssh aspects of the podman api.\n\nEnsure that Nomad can find the plugin, see [plugin_dir](https://www.nomadproject.io/docs/configuration/index.html#plugin_dir)\n\n## Driver Configuration\n\n* volumes stanza:\n\n  * enabled - 
Defaults to true. Allows tasks to bind host paths (volumes) inside their container.\n  * selinuxlabel - Allows the operator to set a SELinux label to the allocation and task local bind-mounts to containers. If used with _volumes.enabled_ set to false, the labels will still be applied to the standard binds in the container.\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    volumes {\n      enabled      = true\n      selinuxlabel = \"z\"\n    }\n  }\n}\n```\n\n* gc stanza:\n\n  * container - Defaults to true. This option can be used to disable Nomad from removing a container when the task exits.\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    gc {\n      container = false\n    }\n  }\n}\n```\n\n* recover_stopped (bool) Defaults to false. Allows the driver to start and reuse a previously stopped container after\n  a Nomad client restart.\n  Consider a simple single node system and a complete reboot. All previously managed containers\n  will be reused instead of disposed and recreated.\n\n  WARNING - use of recover_stopped may cause Nomad agent to not start on system restarts. This setting has been left in place for compatibility.\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    recover_stopped = true\n  }\n}\n```\n\n* socket_path (string) Defaults to `\"unix:///run/podman/podman.sock\"` when running as root or a cgroup V1 system, and `\"unix:///run/user/\u003cUSER_ID\u003e/podman/podman.sock\"` for rootless cgroup V2 systems. Mutually exclusive with `socket` block.\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    socket_path = \"unix:///run/podman/podman.sock\"\n  }\n}\n```\n\n* socket block: Configures a single podman socket. You can define multiple `socket` blocks if you need to use multiple podman sockets (for example, rootless vs rootful sockets). Mutually exclusive with the top-level `plugin.config.socket_path` option.\n\n  * name: Defaults to \"default\". 
If tasks don't mention a socket, the default socket is used.\n  * socket_path: Path to the socket.\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    socket {\n      name = \"default\"\n      socket_path = \"unix://run/user/1000/podman/podman.sock\"\n    }\n    socket {\n      name = \"app1\"\n      socket_path = \"unix://run/user/1337/podman/podman.sock\"\n    }\n  }\n}\n```\n\n* disable_log_collection (string) Defaults to `false`. Setting this to `true` disables Nomad log collection for Podman tasks. If you don't rely on Nomad log capabilities and exclusively use host based log aggregation, you may consider this option to avoid the Nomad log collection overhead. Be aware that you also lose automatic log rotation.\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    disable_log_collection = false\n  }\n}\n```\n\n* extra_labels ([]string) Defaults to `[]`. Setting this will automatically append Nomad-related labels to Podman tasks. Supports glob matching such as `task*`. Possible values are:\n\n```\njob_name\njob_id\ntask_group_name\ntask_name\nnamespace\nnode_name\nnode_id\n```\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    extra_labels = [\"job_name\", \"job_id\", \"task_group_name\", \"task_name\", \"namespace\", \"node_name\", \"node_id\"]\n  }\n}\n```\n\n* logging stanza:\n\n  * type - Defaults to `\"nomad\"`. See the task configuration for details.\n  * options - Defaults to `{}`. See the task configuration for details.\n\n* client_http_timeout (string) Defaults to `60s`. The timeout used by http.Client requests.\n\n```hcl\nplugin \"nomad-driver-podman\" {\n  config {\n    client_http_timeout = \"60s\"\n  }\n}\n```\n\n## Task Configuration\n\n* **image** - The image to run. Accepted transports are `docker` (default if missing), `oci-archive` and `docker-archive`. 
Images referenced as [short-names](https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md#short-name-aliasing) will be treated according to user-configured preferences.\n\n```hcl\nconfig {\n  image = \"docker://redis\"\n}\n```\n\n* **auth** - (Optional) Authenticate to the image registry using a static credential. `tls_verify` can be disabled for insecure registries.\n\n```hcl\nconfig {\n  image = \"your.registry.tld/some/image\"\n  auth {\n    username   = \"someuser\"\n    password   = \"sup3rs3creT\"\n    tls_verify = true\n  }\n}\n```\n\n* **entrypoint** - (Optional) A string list overriding the image's entrypoint. Defaults to the entrypoint set in the image.\n\n```hcl\nconfig {\n  entrypoint = [\n    \"/bin/bash\",\n    \"-c\"\n  ]\n}\n```\n\n* **command** - (Optional) The command to run when starting the container.\n\n```hcl\nconfig {\n  command = \"some-command\"\n}\n```\n\n* **args** - (Optional) A list of arguments to the optional command. If no _command_ is specified, the arguments are passed directly to the container.\n\n```hcl\nconfig {\n  args = [\n    \"arg1\",\n    \"arg2\",\n  ]\n}\n```\n\n* **working_dir** - (Optional) The working directory for the container. Defaults to the working directory set in the image.\n\n```hcl\nconfig {\n  working_dir = \"/data\"\n}\n```\n\n* **volumes** - (Optional) A list of host_path:container_path:options strings to bind host paths to container paths. Named volumes are not supported.\n\n```hcl\nconfig {\n  volumes = [\n    \"/some/host/data:/container/data:ro,noexec\"\n  ]\n}\n```\n\n* **tmpfs** - (Optional) A list of /container_path strings for tmpfs mount points. See podman run --tmpfs options for details.\n\n```hcl\nconfig {\n  tmpfs = [\n    \"/var\"\n  ]\n}\n```\n\n* **devices** - (Optional) A list of `host-device[:container-device][:permissions]` definitions.\nEach entry adds a host device to the container. 
Optional permissions can be used to specify device permissions; it is a combination of r for read, w for write, and m for mknod(2). See the podman documentation for more details.\n\n```hcl\nconfig {\n  devices = [\n    \"/dev/net/tun\"\n  ]\n}\n```\n\n* **hostname** - (Optional) The hostname to assign to the container. When launching more than one instance of a task (using count) with this option set, every container the task starts will have the same hostname.\n\n* **Forwarding and Exposing Ports** - (Optional) See [Docker Driver Configuration](https://www.nomadproject.io/docs/drivers/docker.html#forwarding-and-exposing-ports) for details.\n\n* **init** - Run an init inside the container that forwards signals and reaps processes.\n\n```hcl\nconfig {\n  init = true\n}\n```\n\n* **init_path** - Path to the container-init binary.\n\n```hcl\nconfig {\n  init = true\n  init_path = \"/usr/libexec/podman/catatonit\"\n}\n```\n\n* **user** - Run the command as a specific user/uid within the container. See [Task configuration](https://www.nomadproject.io/docs/job-specification/task.html#user).\n\n```hcl\nuser = \"nobody\"\n\nconfig {\n}\n```\n\n* **logging** - Configure logging. See also the plugin option **disable_log_collection**.\n\n`driver = \"nomad\"` (default) Podman redirects its combined stdout/stderr logstream directly to a Nomad fifo.\nBenefits of this mode are: zero overhead, and no need to worry about log rotation at the system or Podman level. Downside: you cannot easily ship the logstream to a log aggregator, and stdout/stderr is multiplexed into a single stream.\n\n```hcl\nconfig {\n  logging = {\n    driver = \"nomad\"\n  }\n}\n```\n\n`driver = \"journald\"` The container log is forwarded from Podman to the journald on your host. Next, it's pulled by the Podman API back from the journal into the Nomad fifo (controllable by **disable_log_collection**).\nBenefits: all containers can log into the host journal, and you can ship a structured stream incl. metadata to your log aggregator. 
No log rotation at Podman level. You can add additional tags to the journal.\nDrawbacks: a bit more overhead, depends on the journal (will not work on WSL2). You should configure some rotation policy for your journal.\nEnsure you're running Podman 3.1.0 or higher because of bugs in older versions.\n\n```hcl\nconfig {\n  logging = {\n    driver = \"journald\"\n    options = {\n      \"tag\" = \"redis\"\n    }\n  }\n}\n```\n\n* **memory_reservation** - Memory soft limit (unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes))\n\nAfter setting memory reservation, when the system detects memory contention or low memory, containers are forced to restrict their consumption to their reservation. So you should always set the value below --memory, otherwise the hard limit will take precedence. By default, memory reservation will be the same as memory limit.\n\n```hcl\nconfig {\n  memory_reservation = \"100m\"\n}\n```\n\n* **memory_swap** - A limit value equal to memory plus swap. The swap LIMIT should always be larger than the [memory value](https://www.nomadproject.io/docs/job-specification/resources.html#memory).\n\nUnit can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If you don't specify a unit, b is used. Set LIMIT to -1 to enable unlimited swap.\n\n```hcl\nconfig {\n  memory_swap = \"180m\"\n}\n```\n\n* **memory_swappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.\n\n```hcl\nconfig {\n  memory_swappiness = 60\n}\n```\n\n* **network_mode** - Set the [network mode](http://docs.podman.io/en/latest/markdown/podman-run.1.html#options) for the container.\n\nBy default the task uses the network stack defined in the task group, see [network Stanza](https://www.nomadproject.io/docs/job-specification/network). 
If the group's network behavior is also undefined, it will fall back to `bridge` in rootful mode, `slirp4netns` for rootless containers on Podman \u003c5.0.0, or `pasta` for rootless containers on Podman \u003e=5.0.0.\n\n* `bridge`: create a network stack on the default podman bridge.\n* `none`: no networking.\n* `host`: use the Podman host network stack. Note: the host mode gives the\n  container full access to local system services such as D-bus and is therefore\n  considered insecure.\n* `pasta`: use `pasta` to create a userspace network stack. This is the default\n  for rootless containers on Podman \u003e=5.0.0. Podman currently does not support it for\n  rootful containers: [issue](https://github.com/containers/podman/issues/17840).\n* `slirp4netns`: use `slirp4netns` to create a user network stack. This is the\n  default for rootless containers on Podman \u003c5.0.0. Podman currently does not support\n  it for rootful containers: [issue](https://github.com/containers/libpod/issues/6097).\n* `container:id`: reuse another podman container's network stack.\n* `task:name-of-other-task`: join the network of another task in the same allocation.\n\n```hcl\nconfig {\n  network_mode = \"bridge\"\n}\n```\n\n* **oom_score_adj** - Set the [--oom-score-adj](https://docs.podman.io/en/latest/markdown/podman-run.1.html#oom-score-adj-num) for the container.\n\nTune the host’s OOM preferences for containers (accepts values from -1000 to 1000).\n\n```hcl\nconfig {\n  oom_score_adj = \"-1000\"\n}\n```\n\n* **socket** - (Optional) The name of the socket as defined in the socket block in the client agent's plugin configuration. 
Defaults to the socket named \"default\".\n\n```hcl\nconfig {\n  socket = \"app1\"\n}\n```\n\n* **cap_add** - (Optional) A list of Linux capabilities as strings to pass to --cap-add.\n\n```hcl\nconfig {\n  cap_add = [\n    \"SYS_TIME\"\n  ]\n}\n```\n\n* **cap_drop** - (Optional) A list of Linux capabilities as strings to pass to --cap-drop.\n\n```hcl\nconfig {\n  cap_drop = [\n    \"MKNOD\"\n  ]\n}\n```\n\n* **security_opt** - (Optional) A list of security-related options that are set in the container.\n\n```hcl\nconfig {\n  security_opt = [\n    \"no-new-privileges\"\n  ]\n}\n```\n\n* **selinux_opts** - (Optional) A list of process labels the container will use.\n\n```hcl\nconfig {\n  selinux_opts = [\n    \"type:my_container.process\"\n  ]\n}\n```\n\n* **sysctl** - (Optional) A key-value map of sysctl configurations to set on the container at start.\n\n```hcl\nconfig {\n  sysctl = {\n    \"net.core.somaxconn\" = \"16384\"\n  }\n}\n```\n\n* **privileged** - (Optional) true or false (default). A privileged container turns off the security features that isolate the container from the host. Dropped capabilities, limited devices, read-only mount points, AppArmor/SELinux separation, and Seccomp filters are all disabled.\n\n* **tty** - (Optional) true or false (default). Allocate a pseudo-TTY for the container.\n\n* **labels** - (Optional) Set labels on the container.\n\n```hcl\nconfig {\n  labels = {\n    \"nomad\" = \"job\"\n  }\n}\n```\n\n* **apparmor_profile** - (Optional) Name of an AppArmor profile to be used instead of the default profile. The special value `unconfined` disables AppArmor for this container.\n\n```hcl\nconfig {\n  apparmor_profile = \"your-profile\"\n}\n```\n\n* **force_pull** - (Optional) true or false (default). Always pull the latest image on container start.\n\n```hcl\nconfig {\n  force_pull = true\n}\n```\n\n* **readonly_rootfs** - (Optional) true or false (default). 
Mount the rootfs as read-only.\n\n```hcl\nconfig {\n  readonly_rootfs = true\n}\n```\n\n* **ulimit** - (Optional) A key-value map of ulimit configurations to set on the container at start.\n\n```hcl\nconfig {\n  ulimit {\n    nproc = \"4242\"\n    nofile = \"2048:4096\"\n  }\n}\n```\n\n* **userns** - (Optional) Set the [user namespace mode](https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode) for the container.\n\n```hcl\nconfig {\n  userns = \"keep-id:uid=200,gid=210\"\n}\n```\n\n* **pids_limit** - (Optional) An integer value that specifies the pid limit for the container.\n\n```hcl\nconfig {\n  pids_limit = 64\n}\n```\n\n* **image_pull_timeout** - (Optional) Time duration for your pull timeout (defaults to 5m).\n\n```hcl\nconfig {\n  image_pull_timeout = \"5m\"\n}\n```\n\n## Network Configuration\n\n[nomad lifecycle hooks](https://www.nomadproject.io/docs/job-specification/lifecycle) combined with the driver's `network_mode` allow very flexible network namespace definitions. This feature does not build upon the native podman pod structure but simply reuses the networking namespace of one container for other tasks in the same group.\n\nA typical example is a network server and a metric exporter or log shipping sidecar. The metric exporter needs access to, e.g., a private monitoring port which should not be exposed to the network and thus is usually bound to localhost.\n\nThe repository includes three different example jobs for such a setup. 
All of them will start a [nats](https://nats.io/) server and a [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter) using different approaches.\n\nYou can use `curl` to prove that the job is working correctly and that you can get prometheus metrics:\n\n`curl http://your-machine:7777/metrics`\n\n### 2 Task setup, server defines the network\n\nSee `examples/jobs/nats_simple_pod.nomad`\n\nHere, the _server_ task is started as the main workload and the _exporter_ runs as a poststart sidecar.\nBecause of that, Nomad guarantees that the server is started first and thus the exporter can\neasily join the server's network namespace via `network_mode = \"task:server\"`.\n\nNote that the _server_ configuration file binds the _http_port_ to localhost.\n\nBe aware that ports must be defined in the parent network namespace, here _server_.\n\n### 3 Task setup, a pause container defines the network\n\nSee `examples/jobs/nats_pod.nomad`\n\nA slightly different setup is demonstrated in this job. It resembles more closely the idea of a _pod_ by starting a\npause task, named _pod_, via a prestart/sidecar [hook](https://www.nomadproject.io/docs/job-specification/lifecycle).\n\nNext, the main workload, _server_, is started and joins the network namespace by using the `network_mode = \"task:pod\"` stanza.\nFinally, Nomad starts the poststart/sidecar _exporter_ which also joins the network.\n\nNote that all ports must be defined on the _pod_ level.\n\n### 2 Task setup, shared Nomad network namespace\n\nSee `examples/jobs/nats_group.nomad`\n\nThis example is very different. Both _server_ and _exporter_ join a network namespace which is created and managed\nby Nomad itself. 
See [nomad network stanza](https://www.nomadproject.io/docs/job-specification/network) to get started with this generic approach.\n\n## Rootless on ubuntu\n\nedit `/etc/default/grub` to enable cgroups v2\n\n```sh\nGRUB_CMDLINE_LINUX_DEFAULT=\"quiet cgroup_enable=memory swapaccount=1 systemd.unified_cgroup_hierarchy=1\"\n```\n\n`sudo update-grub`\n\nensure that podman socket is running\n\n```console\n$ systemctl --user status podman.socket\n* podman.socket - Podman API Socket\n     Loaded: loaded (/usr/lib/systemd/user/podman.socket; disabled; vendor preset: disabled)\n     Active: active (listening) since Sat 2020-10-31 19:21:29 CET; 22h ago\n   Triggers: * podman.service\n       Docs: man:podman-system-service(1)\n     Listen: /run/user/1000/podman/podman.sock (Stream)\n     CGroup: /user.slice/user-1000.slice/user@1000.service/podman.socket\n```\n\nensure that you have a recent version of [crun](https://github.com/containers/crun/)\n\n```console\n$ crun -V\ncrun version 0.13.227-d38b\ncommit: d38b8c28fc50a14978a27fa6afc69a55bfdd2c11\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL\n```\n\n`nomad job run example.nomad`\n\n```hcl\njob \"example\" {\n  datacenters = [\"dc1\"]\n  type        = \"service\"\n\n  group \"cache\" {\n    count = 1\n    restart {\n      attempts = 2\n      interval = \"30m\"\n      delay    = \"15s\"\n      mode     = \"fail\"\n    }\n    network {\n      port \"redis\" { to = 6379 }\n    }\n    task \"redis\" {\n      driver = \"podman\"\n\n      config {\n        image = \"redis\"\n        ports = [\"redis\"]\n      }\n\n      resources {\n        cpu    = 500 # 500 MHz\n        memory = 256 # 256MB\n      }\n    }\n  }\n}\n```\n\nverify `podman ps`\n\n```console\n$ podman ps\nCONTAINER ID  IMAGE                           COMMAND       CREATED        STATUS            PORTS                                                 NAMES\n2423ae3efa21  docker.io/library/redis:latest  redis-server  7 seconds ago  Up 6 seconds ago  
127.0.0.1:21510-\u003e6379/tcp, 127.0.0.1:21510-\u003e6379/udp  redis-b640480f-4b93-65fd-7bba-c15722886395\n```\n\n## Local Development\n\n### Requirements\n\n* Vagrant \u003e= 2.2\n* VirtualBox \u003e= v6.0\n\n### Vagrant Environment Setup\n\n```sh\n# create the vm\nvagrant up\n\n# ssh into the vm\nvagrant ssh\n```\n\nRunning a Nomad dev agent with the Podman plugin:\n\n```sh\n# Build the task driver plugin\nmake dev\n\n# Copy the built nomad-driver-podman executable to examples/plugins/\ncp ./build/nomad-driver-podman examples/plugins/\n\n# Start Nomad (stdout and stderr both go to server.log)\nnomad agent -config=examples/nomad/server.hcl \u003e server.log 2\u003e\u00261 \u0026\n\n# Run the client as sudo (stdout and stderr both go to client.log)\nsudo nomad agent -config=examples/nomad/client.hcl \u003e client.log 2\u003e\u00261 \u0026\n\n# Run a job\nnomad job run examples/jobs/redis_ports.nomad\n\n# Verify\nnomad job status redis\n\nsudo podman ps\n```\n\nRunning the tests:\n\n```sh\n# Start the Podman server\nsystemctl --user start podman.socket\n\n# Run the tests\nCI=1 ./build/bin/gotestsum --junitfile ./build/test/result.xml -- -timeout=15m . ./api\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fnomad-driver-podman","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhashicorp%2Fnomad-driver-podman","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fnomad-driver-podman/lists"}