Exact behaviour of "noop" change_mode

Hi,

I have a PHP application running in a container with a configuration file that is rendered by Nomad using the template functionality.

As per the nature of PHP, in case of a template re-render, it’s not required to reload / restart PHP, since the changes automatically apply the next time PHP receives a web request.
Therefore, I’ve set the change_mode to “noop”. What I see now is that Nomad does not re-render the template at all.

So the question is, does “noop” as change_mode in the template stanza mean

  • Don’t re-render a template at all
    OR
  • Don’t do any action like restart or signal after the template has been re-rendered

In case Nomad does not re-render at all, is there any way to tell Nomad to re-render the template but not do anything afterwards?

Thanks

Just saw this in the docs:
“Specifies the behavior Nomad should take if the rendered template changes. Nomad will always write the new contents of the template to the specified destination. The possible values below describe Nomad’s action after writing the template to disk.”

So, Nomad should always re-render the template. The question is why it does not work in my case.

Hi @Roman,

The template change_mode documentation describes the expected behaviour which is the second bullet point option you wrote.

If you’re not seeing the template re-render when there is a change, I would suggest raising a bug against the Nomad repo with as many details as possible and a reproduction if possible.

Thanks,
jrasell and the Nomad team

Hi @jrasell,

thanks for your clarification.
The actual issue I’ve seen in our prod environment was that I changed a secret in Vault and template files that use these secrets were not updated for several hours until I forced a manual restart.

I made some tests in a dev environment:
What I’ve seen was that with change_mode=“restart” a secret change resulted in a template re-render within 1 minute.
With change_mode=“noop” it took like 5 minutes. (Sometimes longer, I tested multiple times.)

The same tests with something populated from Consul K/V always resulted in ~immediate template re-rendering.

After some googling, I found a GH issue saying that changes in Vault don’t result in immediate changes in Nomad since there’s no notification mechanism.
Another issue says something a bit different.

Can you maybe clarify how exactly Nomad “watches” for secret changes and how it would be possible to tweak that?
(Nevertheless, it’s still unclear why there was no re-render for hours in the prod system… :smiley: )

Vault and Consul have different models for monitoring their values. Consul (mostly) uses long polling/blocking queries to monitor for changes, which is why they catch the changes immediately. Vault, on the other hand, is monitored using polling based on TTL or similar timing values from Vault. That is, the values pulled from Vault all have some time period that they are known to be good for, and that time period is used to determine when to refresh them. E.g. for certificates it is 80-90% of their TTL. For other types of secrets Vault has various ways to control the time those credentials are good for… TL;DR: You need to control Vault’s data refresh based on the valid time period of the credentials, not based on them changing.

Hope this helps!

2 Likes
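
The refresh model described in the last reply, as an added example that is not part of the thread and not Nomad or consul-template code: a small simulation comparing TTL-driven re-reads of a Vault secret with a Consul-style blocking query. The 80-90% window is the figure the reply gives for certificates; applying it to every secret, the TTLs, the round-trip time and all function names are assumptions.

```python
import random

# Assumption: the refresh point is drawn from 80-90% of the TTL, the range the
# reply above gives for certificates; other secret types may use other timing.
REFRESH_WINDOW = (0.8, 0.9)

def ttl_refresh_times(ttl, horizon, window=REFRESH_WINDOW, seed=0):
    """Times (seconds) at which a TTL-driven watcher re-reads a Vault secret."""
    rng = random.Random(seed)
    now, times = 0.0, []
    while True:
        now += ttl * rng.uniform(*window)
        if now > horizon:
            return times
        times.append(now)

def ttl_staleness(change_at, refresh_times):
    """Seconds the rendered file keeps the old secret after a change in Vault."""
    for t in refresh_times:
        if t >= change_at:
            return t - change_at
    return None  # no refresh inside the simulated horizon

def blocking_staleness(change_at, round_trip=0.05):
    """Consul-style blocking query: the open request returns on change, so the
    delay is about one round trip (0.05 s is an assumed value)."""
    return round_trip

def worst_case(ttl, window=REFRESH_WINDOW):
    """Upper bound on staleness: a change landing just after a refresh."""
    return ttl * window[1]

def report(ttls, change_at=1.0):
    """Staleness per TTL for a secret changed `change_at` seconds after start."""
    rows = []
    for ttl in ttls:
        times = ttl_refresh_times(ttl, horizon=2 * ttl)
        rows.append((ttl, ttl_staleness(change_at, times), worst_case(ttl)))
    return rows

if __name__ == "__main__":
    # Constructed TTLs: 1 minute, 5 minutes, 8 hours.
    for ttl, seen, bound in report([60, 300, 8 * 3600]):
        print(f"ttl={ttl:>6}s  change seen after {seen:8.1f}s  (bound {bound:.0f}s)")
    print(f"blocking query: {blocking_staleness(1.0):.2f}s")
```

Under this model a secret rotated in Vault can remain in the rendered file for up to the printed bound, so the validity period of the credential is what sets how long an old value stays in use.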