Cilium with nomad #12120
Comments
|
Hi @monwolf, I'm not too familiar with CNI or Cilium, but looking at the config parsing code we a logic to parse the file differently depending on the file extension: https://github.com/hashicorp/nomad/blob/v1.2.6/client/fingerprint/cni.go#L37-L57 From your error message it seems like you need to set your file extension as Give it a try like that and let us know how it goes 🙂 |
|
Hi @lgfa29 , I did the test again, now It fail during the allocation phase. During the start it load the cilium config but when I run the job it fails: This is the file: And this is the job definition: job "helloworld" {
region = "global"
datacenters = ["ingress"]
type = "service"
priority = 50
update {
stagger = "10s"
max_parallel = 1
}
group "helloworld" {
count = 1
network {
mode="cni/cilium"
port "http" {
to = 80
}
}
update {
max_parallel = 1
min_healthy_time = "30s"
healthy_deadline = "10m"
progress_deadline = "11m"
auto_revert = true
}
restart {
attempts = 10
interval = "5m"
delay = "25s"
mode = "delay"
}
task "helloworld" {
driver = "docker"
config {
security_opt = [
"no-new-privileges"
]
pids_limit = 20
image = "helloworld:1.0.0-RELEASE"
ports = ["http"]
force_pull = false
}
service {
name = "helloworld"
port = "http"
}
resources {
memory = 20
}
logs {
max_files = 1
max_file_size = 15
}
kill_timeout = "20s"
}
}
}
PS: I'm running Nomad v1.2.5 |
|
Ah sorry @monwolf, I was reading the Cilium docs and I think I misunderstood the file format. I think the file should look like this and be called {
"cniVersion": "0.3.1",
"name": "cilium",
"plugins": [
{
"type": "cilium-cni",
"enable-debug": false
}
]
}With this file fingreprint should be successful: Deploying Cilium itself may be a little more work. From the issue you linked it seems like Cilium would need a Kubernetes Operator to run as well? Though I really hope you are able to get it to work, Cilium is a cool project 🙂 |
|
@lgfa29 It worked your suggestion, Thanks :) The next step is solve a derivate problem: But I'm happy to see this error 👯 My other question was If I deploy a nomad task with cilium. Do you know if I can refresh the fingerprint of the nomad agent to enable this config for other tasks? Regarding if I need a Kubernetes operator, at this moment I don't know, I was basing my first steps on these docs: https://docs.cilium.io/en/v1.9/gettingstarted/docker/ I need to go one by one solving the problems that appear because all together is quite a broad topic |
I'm not sure if understand the question 🤔 You will need that config JSON file in every client. I think the Cilium Docker image downloads its plugin automatically, but you may also need to have the CNI plugins in
I hope you are able to get it working 🍀 |
|
I've been out of the office few days, but now I'm here again :D I copied the pattern from HELM provided by cilium in order to install the latest version of CNI when the container starts: This will add a config and he cni binary inside the host filesystem, so my question is if there are any way to force nomad reload the config once the script ended creating this files? |
@monwolf does it work? Thx. |
|
Hey @j4ckzh0u This task copy the config and the cni binary inside the host from the cilium container. But nomad still needs to be restarted in order to refresh the fingerprinting. Regards, |
|
@monwolf okey, Thx ! |
@monwolf I don't think you will be able to reload the Nomad config from a task. You can try sending a It's probably worth a quick try though. Run the job and manually signal the Nomad agent and see if it works. |
|
Hi, I have a working setup with cilium-agent & cilium-cni working on top of nomad, and I can deploy services/tasks on top of cni/cilium, however I still need to solve howto assign labels to endpoints during creation. As currently endpoints get stuck with reserved:init label, and no assigned identity. Not sure if cilium-operator nay help in this.. I'll update when I have some more progress. Regards |
|
Ok, my problem was quite easy: as there is no k8s to query for labels, cilium-agent set 'reserved:init' as unique/default label for newly created endpoints. Thus making all traffic for such endpoints denied by default. However if I manually add any desired labels to the endpoint, and then (manually again) remove reserved:init, everything starts working smooth. Now I just need to think of the best way to provision labels automatically, probably from a wrapper script around cilium-cni command. |
|
@pruiz Were you able to solve the problem? |
|
@Hanmask21 yes, there are two options:
In the mean time, a pseudo-wrapper script for cni would look like: I am deploying this script to /opt/cni/bin/cilium4nomad, and using this same name as plugin's "type" on /etc/cni/net.d/cilium.conflist file. Regards PD: In the future this logic maybe added to cilium-cni, or let the cilium-operator take care of requesting labels for containers by querying nomad server's directly.. but right now this just works. |
|
Awesome work! |
I'am also interested. |
|
@pruiz , I would seriously pay you money right now to know how you did this. I've been bashing my head against the wall for a week now. |
|
Hi, Regarding this I was awaiting for a conclusion at #13824, as in order to really being able to integrate cilium with nomad, including being able to mix and match cilium and consul connect, a mechanism to extend nomad's default bridge configuration was needed. But in the end it looks like there wont be such a mechanism, so sadly I see little sense to keep investing into this. Regards |
|
We are trying to get Cilium working with Nomad as well at my workplace and would greatly appreciate enabling features that make this possible. |
|
I find it disheartening that the page that this is based on: https://docs.cilium.io/en/v1.9/gettingstarted/docker/ ...no longer exists in the current docs, nor does the Docker example it references exist any longer. All of the Cilium docs I'm finding seem to indicate it requires Kubernetes. It does seem that Nomad Cilium support is aspirational rather than a reality. 😞 |
|
There was a relatively recent post on the Cilium blog about someone using Cilium with Nomad1. Unfortunately, it seems that they have not yet released their work2.
Footnotes |
|
@protochron Can you offer any insight that might help us along this path? A working nomad-cilium integration would be a game changer for the Nomad community. |
|
Here is a talk about cillium integration |
|
And a blog about it too |
|
Here's a more in-depth guide on how we run Cilium with Nomad: https://cosmonic.com/blog/engineering/netreap-a-practical-guide-to-running-cilium-in-nomad. We also just open sourced a tool that you can run as a system job in Nomad to sync Cilium policies, endpoint metadata and make sure that your IP allocations are cleaned up: https://github.com/cosmonic/netreap |
|
Thank you so much for sharing this! We all appreciate your work on this and the contribution to the community. |
|
Awesome. Thanks for contribution. |
Oh man! It's like Christmas early! Thanks! |
|
The container does not resolve addresses via DNS: The ciliim parameters are as follows: The policy config: |
|
@protochron @mjohnson9 can you help? |
I think you may have me confused with someone else. I’m afraid I don’t have the knowledge to help, as much as I’d like to. |
|
Hi @Hanmask21 👋 I would suggest you open an issue on the Netreap repo. Folks in this thread are unlikely to be able to help you. |
Hi,
I'm trying to integrate Cilium with Nomad and its cni interface but as per lack of documentation, it started to become a hardy process. Until now, I found two issues in order to get I running.
First of all, let me add a little bit of context of my setup. We are running nomad, consul on top of Oracle Linux 8 and we are using docker-ce with namespaces and other options such as ACLs as part of the hardening.
I would like to deploy cilium as a nomad task, I've been able to set up most of the required pieces to do this.
I'm using the pattern of post-start task (cilium-setup) to copy in the host the cni-plugin binary and its config.
The first problem I saw here it's I'm not able to use this plugin until I restart nomad. Is there any way to force the reload of this config from the API?
The second one is I'm not able to use the cni-configuration provided by cilium to make it work in nomad.
The cilium cni config file looks like:
{ "cniVersion": "0.3.1", "name": "cilium", "type": "cilium-cni", "enable-debug": false }But when i restart nomad I see in the log:
I tried to add the key plugins
{ "cniVersion": "0.3.1", "name": "cilium", "type": "cilium-cni", "enable-debug": false, "plugins": [] }But I still getting the error:
Could you help me to address this?
The text was updated successfully, but these errors were encountered: