Phase 4 - Configure Nomad clients
CircleCI server uses Nomad clients to perform container-based build actions. These machines will need to exist within the air-gapped environment to communicate with the CircleCI server Helm deployment.
In the following sections, replace any sections indicated by < > with your details. |
1. Install Docker and Nomad
Install the following two prerequisites on each instance designated as a Nomad client:
2. Create nomad directories
On each machine, create a config directory. If your installation uses mTLS, also create a nested SSL directory:
sudo mkdir /etc/nomad/
sudo mkdir /etc/nomad/ssl/3. Create the Docker ci-privileged network
Create a Docker network named ci-privileged with the following command. Once complete, restart the Nomad service.
sudo docker network create --label keep --driver=bridge --opt com.docker.network.bridge.name=ci-privileged ci-privileged
sudo service nomad restart4. (Optional) Retrieve mTLS certificates
If Nomad mTLS is configured on your installation, you will need to provide three files to each Nomad client. If mTLS is not configured, you can skip this step.
-
ca.pem -
key.pem -
cert.pem
These files can be retrieved from a secret in the namespace of the CircleCI server Helm installation (nomad-rpc-mtls) using the following command:
kubectl get secret -n <namespace> nomad-rpc-mtls -o yaml > secret.yamlThis command will output the secret.yaml file to stdout. Each required file (ca.pem, key.pem, cert.pem) is stored as a base64 encoded string within the secret. Each string must be copied, decoded, and placed in a file in each of your Nomad clients.
# For each of ca.pem, key.pem, cert.pem in the secret output
echo -n "ca.pem-base64-encoded-string" | base64 --decode > ca.pem
echo -n "cert.pem-base64-encoded-string" | base64 --decode > cert.pem
echo -n "key.pem-base64-encoded-string" | base64 --decode > key.pem5. (Optional) Copy mTLS keys to each Nomad client
If using mTLS, the ca.pem, key.pem, and cert.pem keys must be copied to each client and placed in the locations listed below. If mTLS is not configured, you can skip this step.
/etc/nomad/ssl/ca.pem
/etc/nomad/ssl/cert.pem
/etc/nomad/ssl/key.pem6. Configure the Nomad conf.hcl file on each machine
For each Nomad client, configure the following conf.hcl file at /etc/nomad/conf.hcl. Remember to replace all items displayed between < >.
log_level = "DEBUG"
name = "<instance-hostname>"
data_dir = "/opt/nomad"
datacenter = "default"
advertise {
http = "<instance-internal-ip>"
rpc = "<instance-internal-ip>"
serf = "<instance-internal-ip>"
}
client {
enabled = true
server_join = {
retry_join = ["<kubernetes-cluster-internal-ip>:4647"]
}
node_class = "linux-64bit"
options = {"driver.raw_exec.enable" = "1"}
}
telemetry {
collection_interval = "1s"
disable_hostname = true
prometheus_metrics = true
publish_allocation_metrics = true
publish_node_metrics = true
}If mTLS is configured, the following block must also be added at the end of the conf.hcl file:
tls {
http = false
rpc = true
verify_server_hostname = true
ca_file = "/etc/nomad/ssl/ca.pem"
cert_file = "/etc/nomad/ssl/cert.pem"
key_file = "/etc/nomad/ssl/key.pem"
}7. Test connectivity
Test connectivity between your clients and cluster by starting the Nomad agent and observing logs.
sudo nomad agent -config /etc/nomad/conf.hclNext steps
Once the steps on this page are complete, go to the Phase 5 - Test your installation guide.