Hi, I am trying to deploy a Telegraf instance using the Docker driver under Nomad.
However, Nomad seems to require the node to have `allow_privileged = true`, since I get a `setpriv: failed to execute telegraf: Operation not permitted` error when it is not configured, despite the Influx team having announced that their new Telegraf image would no longer require this configuration, as it goes against security standards and best practices, as stated here. On my local machine it is possible to run the Telegraf image with the following command: `docker run -v $PWD/telegraf.conf:/etc/telegraf/telegraf.conf:ro -p 9086:9086 telegraf`, without any privileged mode (`--privileged`) needed, and it works as expected. Why do I still have to configure the Docker driver on the Nomad client to allow for privileged Docker deployment then? Am I missing something?
`setpriv: failed to execute telegraf:` seems to be coming from Telegraf and not Nomad, which indicates Telegraf requires additional capabilities to what it is currently being given.

> Users need to ensure the telegraf user or telegraf group, which runs the Telegraf service, has access to any additional required services, sockets, files, etc., required for operation

The article states that Telegraf no longer needs to be run as root; however, as the quote above points out, some additional configuration overhead might be required to make it work. It is likely that the Nomad client task execution and the direct Docker command are not 100% comparable.

Could you provide a minimal job specification example of this, and any relevant Nomad client configuration, that may help work through this problem? I also came across this GitHub issue, which has some potentially relevant information and options.
jrasell and the Nomad team
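As an added example (not part of the original thread, and not the poster's or the Nomad team's configuration), the following is the kind of minimal job specification the reply asks for, written to mirror the `docker run` command in the question while keeping `allow_privileged` off. Rather than granting full privileged mode, it requests only the Linux capabilities that `setpriv` needs to switch to the `telegraf` uid/gid (`setuid`, `setgid`) through the Docker driver's `cap_add`, and pairs that with a client-side `allow_caps` list that permits them. The job name, datacenter, image tag, the sample Telegraf config rendered by the `template` block, and the resource numbers are all assumptions; whether these two capabilities alone are sufficient on a given client is also an assumption to be verified against that client's existing `allow_caps` and the telegraf image in use.

```hcl
# Added example, not from the original thread. Names, paths and values are assumptions.
#
# Part 1: client agent configuration (lives in the Nomad client's config, e.g. a
# file under /etc/nomad.d/). Privileged containers stay disabled; instead the
# driver is allowed to hand out the specific capabilities a task asks for.
plugin "docker" {
  config {
    allow_privileged = false

    # Capabilities a task may request via cap_add. setuid/setgid are what
    # setpriv needs to drop from root to the telegraf user inside the image.
    allow_caps = ["chown", "dac_override", "fowner", "fsetid", "kill",
                  "mknod", "net_bind_service", "setfcap", "setgid",
                  "setpcap", "setuid", "sys_chroot", "audit_write"]
  }
}

# Part 2: the job specification (a separate file, e.g. telegraf.nomad.hcl),
# mirroring: docker run -v $PWD/telegraf.conf:/etc/telegraf/telegraf.conf:ro -p 9086:9086 telegraf
job "telegraf" {
  datacenters = ["dc1"]
  type        = "service"

  group "telegraf" {
    network {
      port "http" {
        static = 9086   # equivalent of -p 9086:9086 (assumed port from the question)
      }
    }

    task "telegraf" {
      driver = "docker"

      config {
        image = "telegraf:latest"   # assumed tag; pin a specific version in practice
        ports = ["http"]

        # No `privileged = true`. Ask only for what setpriv needs to change
        # uid/gid; the client must list these in allow_caps above.
        cap_add = ["setuid", "setgid"]

        # Equivalent of the -v ...:ro bind mount. Paths relative to the task
        # directory are permitted without enabling host volumes on the client.
        volumes = ["local/telegraf.conf:/etc/telegraf/telegraf.conf:ro"]
      }

      # Render the config file into the task's local/ directory so the mount
      # above has something to bind. Minimal constructed config for illustration.
      template {
        destination = "local/telegraf.conf"
        data        = <<EOF
[agent]
  interval = "10s"

[[inputs.cpu]]

[[outputs.file]]
  files = ["stdout"]
EOF
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}
```

If the task still fails with the same `setpriv` error after this, compare the effective capability set and the `no_new_privs` setting of the Nomad-launched container (`docker inspect` on the running container) against the one started by hand; the reply's point is that the two launch paths need not be identical, and the difference should show up there rather than require reverting to `allow_privileged = true`.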