I am struggling to do something that is conceptually simple: allow the backend of an app deployed with job “backend” to communicate with a database deployed with job “postgres”.
I would rather not have to deploy Consul etc. Isn’t there a “simple” way to do that only with Nomad?
I have read A LOT of documentation and it seems that I should use the CNI plugin, but I’m still missing some piece of the puzzle…
Here are my two job files (simplified for readability):
Not sure I can get you all the way there, but let me give this a stab.
You should be able to use Nomad service discovery, but I think the trick is to put the two groups in the same job. That way, Nomad will be able to allocate ports to each of the tasks, and you will have access to NOMAD_ADDR_http_frontend and NOMAD_ADDR_backend. You will be able to lookup the service since it’s registered in the same job.
If you really want to keep them separate, and you’re using a newer version of Nomad, you could also use a Consul template to look up the Nomad Service. See
job "backend" {
group "backend" {
network {
mode = "bridge"
port "http" {
to = "3000"
host_network = "private"
}
}
task "backend" {
driver = "docker"
env = {
"DATABASE_URL" = "postgresql://user:pass@{{ with nomadService 'postgres-server' }}{{ with index . 0 }}{{.Address}}:{{.Port}}{{ end }}{{ end }}/mydb"
}
config {
image = "backend:latest"
ports = ["http"]
}
service {
name = "backend"
port = "http"
provider = "nomad"
check {
type = "tcp"
interval = "10s"
timeout = "2s"
}
}
}
}
}
This should make the trick. I haven’t tested myself, let me know if it works. If it doesn’t work you have to use template stanza in similar way with env=true attribute.
Note that this solution is basic as it will only provide the first item in the list of the service Postgres-server. If you have more than one server, then this will be returning the first IP, not the second one. For more advanced features, check Consul.
It seems your docker container is being exposed in 127.0.0.1.
Could you check this by running the command docker ps ?
If you are in testing mode, I would remove mode = "bridge" and host_network = "private" and check again with docker ps command.
I guess (it’s just a guess) you have just one interface (public one), and when you force it to being expose in private one it uses the loopback interface (just a guess)
I guess (it’s just a guess) you have just one interface (public one), and when you force it to being expose in private one it uses the loopback interface (just a guess)
You’re absolutely right
Interestingly (maybe), executing docker ps when in bridge mode shows empty ports bindings on the containers created (also true for the automatically created “nomad_init_…” containers) while of course if I remove the bridge mode, I see “normal” bindings (i.e. 127.0.0.1:5432->5432/tcp with the private host_network or #.#.#.#:5432->5432/tcp otherwise)
I don’t have too much experience with nomad, tho. We solved this issue easily because we are using Digital Ocean cloud provider, and all the droplets have two interfaces: public and private. So we are exposing the services just in the private interface.
This can be done globally in the client stanza in the agent settings. So you don’t have to declare it in the job.
client {
network_interface = "eth1"
}
This will force to expose the jobs in the ‘eth1’ interface. If you just have one, I’m afraid it cannot be done, you have to expose your container somewhere to have access to them.
We have an nginx as a reverse proxy to do this. You could use Traefik or Nginx as a job as an k8s ingress controller.
