Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

task.docker

Minimal configlet:

[task#1]
type = docker
image = ghcr.io/opensvc/pause

Minimal setup command:

om test/vol/foo set \
	--kw="type=docker" \
	--kw="image=ghcr.io/opensvc/pause"

blocking_post_provision

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors interrupt the action.

This trigger is only executed on leaders.

blocking_post_run

required:    false
scopable:    true

A command or script to execute after the resource run action.

Errors interrupt the action.

blocking_post_stop

required:    false
scopable:    true

A command or script to execute after the resource stop action.

Errors interrupt the action.

blocking_post_unprovision

required:    false
scopable:    true

A command or script to execute after the resource unprovision action.

Errors interrupt the action.

This trigger is only executed on leaders.

blocking_pre_provision

required:    false
scopable:    true

A command or script to execute before the resource provision action.

Errors interrupt the action.

blocking_pre_run

required:    false
scopable:    true

A command or script to execute before the resource run action.

Errors interrupt the action.

blocking_pre_stop

required:    false
scopable:    true

A command or script to execute before the resource stop action.

Errors interrupt the action.

blocking_pre_unprovision

required:    false
scopable:    true

A command or script to execute before the resource unprovision action.

Errors interrupt the action.

check

required:    false
scopable:    true
candidates:  last_run, last_run_warn,

Example:

check=last_run

If set to last_run, the last run retcode is used to report a task resource status.

If set to last_run_warn, the last run error retcode is displayed as a resource warning.

If not set (default), the status of a task is always n/a.

command

required:    false
scopable:    true
convert:     shlex

Example:

command=/opt/tomcat/bin/catalina.sh

The command to execute in the docker container on run.

comment

required:    false
scopable:    false

Comments help the users understand the role of the object and its resources.

configs_environment

required:    false
scopable:    true
convert:     shlex

Example:

configs_environment=PORT=http/port webapp/app1* {name}/* {name}-debug/settings

A whitespace-separated list of <var>=<cfg name>/<key path> or <cfg name>/<key matcher>.

If the cfg or config key doesn’t exist then start and stop actions on the resource will fail with a non 0 exit code.

A shell expression splitter is applied, so double quotes can be around <cfg name>/<key path> only or whole <var>=<cfg name>/<key path>.

Example with,

  • <ns>/cfg/nginx a config having a user key with value user1.

  • <ns>/cfg/cfg1 a config having a key1 key with value val1.

configs_environment = NGINX_USER=nginx/user cfg1/* creates the following variables in the container command execution environment:

NGINX_USER=user1
key1=val1

confirmation

required:    false
scopable:    false
convert:     bool

If set to true, ask for an interactive confirmation to run the task.

This flag can be used for dangerous tasks like data restoration.

cwd

required:    false
scopable:    true

Example:

cwd=/opt/foo

The current working directory set for the executed command.

devices

required:    false
scopable:    true
convert:     shlex

Example:

devices=myvol1:/dev/xvda myvol2:/dev/xvdb

The whitespace-separated list of <host devpath>:<containerized devpath> exposing host devices as container devices.

disable

required:    false
scopable:    true
convert:     bool

A disabled resource will be ignored on start, stop, provision and unprovision actions.

A disabled resource status is n/a.

If set in the DEFAULT section of an object, the object is disabled and ignores start, stop, shutdown, provision and unprovision actions.

These actions immediately return success.

om <path> disable sets DEFAULT.disable=true.

om <path> enable sets DEFAULT.disable=false.

Note: The enable and disable actions preserve the individual resource disable state.

required:    false
scopable:    true
convert:     list

Example:

dns_search=opensvc.com

The whitespace-separated list of DNS domains to search for shortname lookups.

If empty or not set, the list will be <name>.<namespace>.svc.<clustername> <namespace>.svc.<clustername> svc.<clustername>.

encap

required:    false
scopable:    false
convert:     bool

Set to true to ignore this resource in the nodes context and consider it in the encapnodes context. The resource is thus handled by agents deployed in the service containers.

entrypoint

required:    false
scopable:    true
convert:     shlex

Example:

entrypoint=/bin/sh

The script or binary executed in the container.

The entrypoint args must be set in command.

environment

required:    false
scopable:    true
convert:     shlex

Example:

environment=KEY=cert1/server.key PASSWORD=db/password

A whitespace-separated list of <var>=<value>.

A shell expression spliter is applied, so double quotes can be around <value> only or whole <var>=<value>.

guest_os

required:    false
scopable:    true
candidates:  unix, windows
default:     unix

Example:

guest_os=unix

The name of the operating system in the virtual machine.

hostname

required:    false
scopable:    true

Example:

hostname=nginx1

Set the container hostname. If not set, a unique id is used.

image

required:    true
scopable:    true

Example:

image=ghcr.io/opensvc/pause

The docker image pull, and run the container with.

image_pull_policy

required:    false
scopable:    true
candidates:  once, always

Example:

image_pull_policy=once

The docker image pull policy.

  • always

    Pull upon each container start.

  • once

    Pull if not already pulled (default).

init

required:    false
scopable:    true
default:     true
convert:     bool

Run an init inside the container that forwards signals and reaps processes.

interactive

required:    false
scopable:    true
convert:     bool

Keep stdin open even if not attached.

To use if the container entrypoint is a shell.

ipcns

required:    false
scopable:    true

Example:

ipcns=container#0

  • empty

    The docker daemon’s default value is used.

  • none

Do not mount /dev/shm.

  • private

    Create a ipcns other containers can not share.

  • shareable

    Create a ipcns other containers can share.

  • container#<i>

    Share the container#<i> ipcns.

log

required:    false
scopable:    true
default:     true
convert:     bool

Log the task outputs in the service log.

max_parallel

required:    false
scopable:    true
default:     1
convert:     int

Example:

max_parallel=2

Support limited, concurrent runs of tasks.

The task#xx.max_parallel=2 setting limits the number of concurrent task runs to 2.

The default value is 1, ensuring backward compatibility.

The run count is determined based on PID files created in the /run/ directories.

The PID file is normally removed when the task execution ends, but if the executor dies abruptly (e.g., due to a SIGKILL), the stale PID file is not considered when computing the resource status. It is removed before the count check of the next run.

Staleness is evaluated using the condition: (PID file mtime < process birth time).

A new status log message may appear to indicate that the maximum concurrency limit has been reached.

monitor

required:    false
scopable:    true
convert:     bool

A resource with monitor=true will trigger the monitor_action (crash or reboot the node, freezestop or switch the service) if:

  • The resource is down.

  • The instance has local_expect=started in its daemon monitor data, which means the daemon considers this instance is and should remain started.

  • All restart tentatives failed.

name

required:    false
scopable:    true
default:     Autogenerated using a `<namespace>..<object name>.container.<resource index>`

template.

Example:

name=osvcprd..rundeck.container.db

The name to assign to the container on docker run.

If not set, a <namespace>..<name>.container.<rid idx> name is automatically assigned.

netns

required:    false
scopable:    true

Example:

netns=container#0

  • empty or none

    The container has a private netns other container, ip.netns or ip.cni resources can share.

  • <rid>

    The id of the resource that has the network namespace this container joins.

    For example, a container with netns=container#0 will share the container#0 netns.

  • host

    Share the host network namespace.

on_error

required:    false
scopable:    true

Example:

on_error=/srv/{name}/data/scripts/task_on_error.sh

A command to execute on run action if command returned an error.

optional

required:    false
scopable:    true
convert:     bool

Action errors on optional resources are logged but do not interrupt the action sequence.

The status of optional resources is not included in the instance availability status but is considered in the overall status.

The status of task and sync resources is always included in the overall status, regardless of whether they are marked as optional.

Resources tagged as noaction are considered optional by default.

Dump filesystems are a typical use case for optional=true.

osvc_root_path

required:    false
scopable:    true

Example:

osvc_root_path=/opt/opensvc

If the OpenSVC agent is installed via package in the container, this keyword must not be set.

Else the value can be set to the fullpath hosting the agent installed from sources.

pidns

required:    false
scopable:    true

Example:

pidns=container#0

  • empty

    The container has a private pidns other containers can share. Usually a pidns sharer will run a pause image to reap zombies.

  • container#<i>

    Share container#<i> pidns.

  • host

    Share the host’s pidns.

post_provision

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

post_run

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

post_stop

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

post_unprovision

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

pre_provision

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

pre_run

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

pre_stop

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

pre_unprovision

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

privileged

required:    false
scopable:    true
convert:     bool

Give extended privileges to the container.

provision

required:    false
scopable:    false
default:     true
convert:     bool

Set to false to ignore the provision and unprovision actions on the resource.

Warning: provision and unprovision use data-destructive operations like formatting.

It is recommended to set provision=false on long-lived critical objects, to force administrators to remove this setting when they really want to destroy data.

provision_requires

required:    false
scopable:    false

Example:

provision_requires=ip#0 fs#0(down,stdby down)

A whitespace-separated list of conditions to meet to accept a ‘provision’ action.

A condition is expressed as <rid>(<state>,...).

If states are omitted, up,stdby up is used as the default expected states.

pull_timeout

required:    false
scopable:    true
default:     2m
convert:     duration

Example:

pull_timeout=2m

Wait for <duration> before declaring the container action a failure.

registry_creds

required:    false
scopable:    true

Example:

registry_creds=creds-registry-opensvc-com

The name of a secret in the same namespace having a config.json key which value is used to login to the container image registry.

If not specified, the node-level registry credential store is used.

retcodes

required:    false
scopable:    true
default:     0:up 1:down

Example:

retcodes=0:up 1:down 3:warn 4: n/a 5:undef

The whitespace-separated list of <retcode>:<status name>.

All undefined retcodes are mapped to the warn status.

Valid <status names> are:

  • up
  • down
  • warn
  • n/a
  • undef

run_args

required:    false
scopable:    true
convert:     shlex

Example:

run_args=-v /opt/docker.opensvc.com/vol1:/vol1:rw -p 37.59.71.25:8080:8080

Extra arguments to pass to the docker run command, like volume and port mappings.

run_requires

required:    false
scopable:    false

Example:

run_requires=ip#0 fs#0(down,stdby down)

A whitespace-separated list of conditions to meet to accept a ‘run’ action.

A condition is expressed as <rid>(<state>,...).

If states are omitted, up,stdby up is used as the default expected states.

run_timeout

required:    false
scopable:    true
convert:     duration

Example:

run_timeout=1m30s

Wait for <duration> before declaring the action a failure.

Takes precedence over timeout.

schedule

required:    false
scopable:    true

Example:

schedule=00:00-01:00 mon

Set the task run schedule.

See usr/share/doc/opensvc/schedule for the schedule syntax reference.

secrets_environment

required:    false
scopable:    true
convert:     shlex

Example:

secrets_environment=CRT=cert1/server.pem sec1/*

A whitespace-separated list of <var>=<sec name>/<key path> or <sec name>/<key matcher>.

If the sec or secret key doesn’t exist then start and stop actions on the resource will fail with a non 0 exit code.

A shell expression splitter is applied, so double quotes can be around <sec name>/<key path> only or whole <var>=<sec name>/<key path>.

Example with,

  • <ns>/sec/cert1 a secret having a server.pem key with value mycrt.

  • <ns>/sec/sec1 a secret having a key1 key with value val1.

secrets_environment = CRT=cert1/server.pem sec1/* creates the following variables in the container command execution environment:

CRT=mycrt
key1=val1

shared

required:    false
scopable:    true
convert:     bool

If true, the resource will be considered shared during provision and unprovision actions.

A shared resource driver can implement a different behaviour depending on weither it is run from the leader instance, or not:

  • When --leader is set, the driver creates and configures the system objects. For example the disk.disk driver allocates a SAN disk and discover its block devices.

  • When --leader is not set, the driver does not redo the actions already done by the leader, but may do some. For example, the disk.disk driver skips the SAN disk allocation, but discovers the block devices.

The daemon takes care of setting the --leader flags on the commands it submits during deploy, purge, provision and unprovision orchestrations.

Warning: If admins want to submit --local provision or unprovision commands themselves, they have to set the --leader flag correctly.

Flex objects usually don’t use shared resources. But if they do, only the flex primary gets --leader commands.

Warning: All resources depending on a shared resource must also be flagged as shared.

snooze

required:    false
scopable:    true
convert:     duration

Example:

snooze=10m

Snooze the service before running the task, so if the command is cause a status degradation the user can decide to snooze alarms for the duration set as value.

standby

required:    false
scopable:    true
convert:     bool

If true, always start the resource, even on non-started instances.

The daemon is responsible for starting standby resources.

A resource can be set standby on a subset of nodes using keyword scoping.

A typical use-case is a synchronized filesystem on non-shared disks. The remote filesystem must be mounted to not overflow the underlying filesystem.

Warning: In most situation, don’t set shared resources standby, a non-clustered fs on shared disks for example.

stop_requires

required:    false
scopable:    false

Example:

stop_requires=ip#0 fs#0(down,stdby down)

A whitespace-separated list of conditions to meet to accept a ‘stop’ action.

A condition is expressed as <rid>(<state>,...).

If states are omitted, up,stdby up is used as the default expected states.

subset

required:    false
scopable:    true

A command or script to execute after the resource provision action.

Errors do not interrupt the action.

This trigger is only executed on leaders.

tags

required:    false
scopable:    true
convert:     set

A whitespace-separated list of tags.

Tags can be used for resource selection by tag.

Some tags can influence the driver behaviour:

  • noaction

    Skip any state changing action on the resource and imply optional=true.

  • nostatus

    Force the status n/a.

timeout

required:    false
scopable:    true
convert:     duration

Example:

timeout=5m

Wait for <duration> before declaring the task run action a failure.

If no timeout is set, the agent waits indefinitely for the task command to exit.

tty

required:    false
scopable:    true
convert:     bool

Allocate a pseudo-tty.

unprovision

required:    false
scopable:    false
default:     true
convert:     bool

Set to false to ignore the unprovision action on the resource.

Warning: unprovision use data-destructive operations like formatting.

It is recommended to set provision=false on long-lived critical objects, to force administrators to remove this setting when they really want to destroy data.

unprovision_requires

required:    false
scopable:    false

Example:

unprovision_requires=ip#0 fs#0(down,stdby down)

A whitespace-separated list of conditions to meet to accept a ‘unprovision’ action.

A condition is expressed as <rid>(<state>,...).

If states are omitted, up,stdby up is used as the default expected states.

user

required:    false
scopable:    true

Example:

user=guest

The user that will run the command inside the container.

Also support the <user>:<group> syntax.

userns

required:    false
scopable:    true

Example:

userns=container#0

If not set, the container will have a private userns other containers can share.

A container with userns=host will share the host’s userns.

utsns

required:    false
scopable:    true
candidates:  , host

Example:

utsns=container#0

  • empty

    The container has a private utsns.

  • host

    The container shares the host’s hostname.

volume_mounts

required:    false
scopable:    true
convert:     shlex

Example:

volume_mounts=myvol1:/vol1 myvol2:/vol2:rw /localdir:/data:ro

The whitespace-separated list of <volume name|local dir>:<containerized mount path>:<mount options>.

When the source is a local dir, the default <mount option> is rw.

When the source is a volume name, the default <mount option> is taken from volume access.