Secure your volumes with PX Security
This section covers information on utilizing the Portworx CSI driver on Nomad.
Prerequisites
Be sure to enable PX security when installing Portworx.
Configure Authorization and Authentication
Perform the following steps to provision and mount volumes with security enabled:
- Create a file named volume.hcl with the following content and replace <AUTH_TOKEN> with a JWT token you generated:

    id           = "volume-1"
    name         = "database"
    type         = "csi"
    plugin_id    = "portworx"
    capacity_min = "1G"
    capacity_max = "1G"

    capability {
      access_mode     = "single-node-reader-only"
      attachment_mode = "file-system"
    }

    capability {
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"
    }

    # PX Security JWT, passed to the Portworx CSI plugin as a volume secret
    secrets {
      auth-token = "<AUTH_TOKEN>"
    }

- Create a volume using the volume.hcl file you just created:

    nomad volume create volume.hcl

- Create a Nomad job configuration file named job.hcl with the following contents:

    job "mysql-server" {
      datacenters = ["dc1"]
      type        = "service"

      group "mysql-server" {
        count = 1

        # Must match the id and a capability declared in volume.hcl
        volume "database" {
          attachment_mode = "file-system"
          access_mode     = "single-node-writer"
          type            = "csi"
          read_only       = false
          source          = "volume-1"
        }

        network {
          port "db" {
            static = 3306
          }
        }

        restart {
          attempts = 10
          interval = "5m"
          delay    = "25s"
          mode     = "delay"
        }

        task "mysql-server" {
          driver = "docker"

          volume_mount {
            volume      = "database"
            destination = "/srv"
            read_only   = false
          }

          env {
            # demo value
            MYSQL_ROOT_PASSWORD = "password"
          }

          config {
            image = "hashicorp/mysql-portworx-demo:latest"
            args  = ["--datadir", "/srv/mysql"]
            ports = ["db"]
          }

          resources {
            cpu    = 500
            memory = 1024
          }

          service {
            name = "mysql-server"
            port = "db"

            check {
              type     = "tcp"
              interval = "10s"
              timeout  = "2s"
            }
          }
        }
      }
    }

- Create a job using the job.hcl configuration you just created:

    nomad job run job.hcl

- Check the status of your job:

    nomad job status mysql-server

  It should be running shortly after the image pull has finished.

- After the installation completes, clean up the setup by stopping the job and deleting the volume:

    nomad job stop mysql-server
    nomad volume delete volume-1
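
An added example, not part of the Portworx documentation: a pre-flight check for the first step that renders volume.hcl only when the token is a well-formed JWT whose `exp` claim is at least `min_ttl` seconds away, and writes the file with mode 0600 because it holds a bearer credential. The function names, `min_ttl`, and the presence of an `exp` claim in the token are assumptions; the signature is not verified here.

```python
# Added example: assumes the PX Security token carries a standard "exp" claim.
import base64
import json
import os
import re
import time

JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9_-]+)\.[A-Za-z0-9_-]+")
VOLUME_HCL = """\
id           = "volume-1"
name         = "database"
type         = "csi"
plugin_id    = "portworx"
capacity_min = "1G"
capacity_max = "1G"
capability {
  access_mode     = "single-node-reader-only"
  attachment_mode = "file-system"
}
capability {
  access_mode     = "single-node-writer"
  attachment_mode = "file-system"
}
secrets {
  auth-token = "%s"
}
"""

def jwt_claims(token):
    """Decode the payload only; the signature is NOT verified here."""
    m = JWT_RE.fullmatch(token)
    if not m:
        raise ValueError("not a compact JWT (also blocks HCL quote injection)")
    body = m.group(1)
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def write_volume_spec(token, path="volume.hcl", min_ttl=300, now=None):
    """Write volume.hcl (mode 0600) if the token stays valid for min_ttl seconds."""
    exp = jwt_claims(token).get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp - now < min_ttl:
        raise ValueError("token has no exp claim or expires too soon")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tighten a pre-existing file
        fh.write(VOLUME_HCL % token)
    return exp
```

Call `write_volume_spec` with the token read from an environment variable or secret store, then run `nomad volume create volume.hcl` and remove the file once the volume is registered.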
Snapshots with authorization and authentication enabled
Due to a few limitations with Nomad, Portworx authorization and authentication will not work with snapshotting. You can track the following issues for information on this support: