Setting up Vault on Firecracker with CNI network on HashiCorp Nomad
It’s good to know how to set up a Firecracker VM by hand, but that’s definitely suboptimal in the long term. So today I am looking at setting up Firecracker with CNI plugins. Firecracker needs four CNI plugins to operate: ptp, firewall, host-local and tc-redirect-tap. The first three come from the CNI plugins[1] repository; the last one comes from the AWS Labs tc-redirect-tap[2] repository.
CNI plugins are looked up in the /opt/cni/bin directory. Some tools allow overriding that path, but there is no consistency between them, so the default directory is the safest choice. However, to keep everything tidy, I will place my plugins in the /firecracker/cni/bin directory, per the structure from Taking Firecracker for a spin[3]:
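As an added example (not code from the original post), the following shell script checks that the four plugins named above are present and executable in a given plugin directory, and writes a CNI network configuration that chains them in the order the Firecracker Go SDK documentation uses for its example network (ptp with host-local IPAM, then firewall, then tc-redirect-tap). The network name "fcnet", the 192.168.127.0/24 subnet and the FC_CNI_DIR environment variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a CNI plugin directory
# for the plugins Firecracker needs and writes a matching network conflist.
# "fcnet", the subnet and FC_CNI_DIR are illustrative assumptions.

# The four plugins the post says Firecracker requires.
FC_REQUIRED_PLUGINS="ptp firewall host-local tc-redirect-tap"

# check_cni_plugins DIR
# Returns 0 when every required plugin is an executable file in DIR;
# otherwise reports each missing plugin on stderr and returns 1.
check_cni_plugins() {
    dir="$1"
    missing=0
    for p in $FC_REQUIRED_PLUGINS; do
        if [ ! -x "$dir/$p" ]; then
            echo "missing or not executable: $dir/$p" >&2
            missing=1
        fi
    done
    return $missing
}

# write_fcnet_conflist FILE SUBNET
# Writes a conflist chaining ptp (host-local IPAM), firewall and tc-redirect-tap.
# ipMasq gives the VM outbound access via NAT on the host; the firewall plugin
# restricts traffic to the interface it configures.
write_fcnet_conflist() {
    file="$1"
    subnet="$2"
    cat > "$file" <<EOF
{
  "name": "fcnet",
  "cniVersion": "0.4.0",
  "plugins": [
    {
      "type": "ptp",
      "ipMasq": true,
      "ipam": {
        "type": "host-local",
        "subnet": "$subnet",
        "resolvConf": "/etc/resolv.conf"
      }
    },
    { "type": "firewall" },
    { "type": "tc-redirect-tap" }
  ]
}
EOF
}

# Stand-alone usage: FC_CNI_DIR=/firecracker/cni/bin sh check-cni.sh
# Only runs the check when FC_CNI_DIR is set, so sourcing the file is harmless.
if [ -n "$FC_CNI_DIR" ]; then
    check_cni_plugins "$FC_CNI_DIR" && echo "all required CNI plugins found in $FC_CNI_DIR"
fi
```

Run the check against whichever directory your Nomad driver is configured to read plugins from; a non-zero exit tells you which binary is missing before a job is even planned.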
$ sudo nomad job plan /etc/nomad/jobs/vault.nomad
+ Job: "vault-with-cni"
+ Task Group: "vault-test" (1 create)
  + Task: "vault1" (forces create)

Scheduler dry-run:
- All tasks successfully allocated.

Job Modify Index: 0
To submit the job with version verification run:
nomad job run -check-index 0 /etc/nomad/jobs/vault.nomad
When running the job with the check-index flag, the job will only be run if the
job modify index given matches the server-side version. If the index has
changed, another user has modified the job and the plan's results are
potentially invalid.
Okay, looks good, let’s run it:
$ sudo nomad job run /etc/nomad/jobs/vault.nomad
==> Monitoring evaluation "2e42b090"
    Evaluation triggered by job "vault-with-cni"
==> Monitoring evaluation "2e42b090"
    Evaluation within deployment: "d12624cb"
    Allocation "a57d68ec" created: node "10f89343", group "vault-test"
    Evaluation status changed: "pending" -> "complete"
==> Evaluation "2e42b090" finished with status "complete"
$ sudo nomad status vault
ID            = vault-with-cni
Name          = vault-with-cni
Submit Date   = 2021-02-07T13:49:20Z
Type          = service
Priority      = 50
Datacenters   = dc1
Namespace     = default
Status        = running
Periodic      = false
Parameterized = false

Summary
Task Group  Queued  Starting  Running  Failed  Complete  Lost
vault-test  0       0         1        0       0         0

Latest Deployment
ID          = d12624cb
Status      = running
Description = Deployment is running

Deployed
Task Group  Desired  Placed  Healthy  Unhealthy  Progress Deadline
vault-test  1        1       0        0          2021-02-07T13:59:20Z

Allocations
ID        Node ID   Task Group  Version  Desired  Status   Created  Modified
a57d68ec  10f89343  vault-test  0        run      running  7s ago   6s ago
Sweet. Let’s have a look at the veth device:
$ ip -c link show type veth
7: veth200fa5e4@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 42:ee:02:f4:98:3a brd ff:ff:ff:ff:ff:ff link-netnsid 0
Stopping the job does not remove the veth interface, so a manual cleanup of the unused interfaces is needed.
Subsequent runs give the task the next IP address. If 192.168.127.2 does not work for you, try .1.3, .4 and so on… Something to look into in more detail a little bit later.
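Both leftovers above come from state that outlives the Nomad allocation: the veth pair stays on the host, and the host-local IPAM plugin records each lease as a file named after the IP in its data directory (by default /var/lib/cni/networks/<network name>), so a lease that was never released keeps its address reserved and the next run gets the address after it. The script below is an added example, not part of the original post; it lists leases and the next address host-local would hand out, releases a lease by deleting its file, and lists or deletes leftover veth devices. The network name "fcnet", the assumed lease-file layout (container ID on the first line) and the simple "last octet plus one" successor are illustrative assumptions; host-local itself also skips addresses that are still reserved.

```shell
#!/bin/sh
# Added example, not part of the original post. Inspects host-local IPAM
# leases and leftover veth devices after a Firecracker/CNI job is stopped.
# Assumptions: host-local's default data dir layout (one file per leased IP,
# container ID on its first line, plus last_reserved_ip.0), network "fcnet".

HOST_LOCAL_DIR="${HOST_LOCAL_DIR:-/var/lib/cni/networks/fcnet}"

# list_host_local_leases DIR
# Prints "IP CONTAINER_ID" for every lease file in DIR (files named by IPv4).
list_host_local_leases() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        ip=$(basename "$f")
        case "$ip" in
            *.*.*.*) ;;      # lease files are named after the IPv4 address
            *) continue ;;   # skip lock and last_reserved_ip.0
        esac
        printf '%s %s\n' "$ip" "$(head -n 1 "$f")"
    done
}

# next_host_local_ip DIR
# Prints the address following last_reserved_ip.0 (the common case where the
# successor is free; host-local additionally skips addresses still leased).
next_host_local_ip() {
    dir="$1"
    last=$(cat "$dir/last_reserved_ip.0")
    prefix=${last%.*}
    octet=${last##*.}
    printf '%s.%s\n' "$prefix" $((octet + 1))
}

# release_host_local_lease DIR IP
# Deletes the lease file so the address can be handed out again.
# Returns 1 when there is no such lease.
release_host_local_lease() {
    dir="$1"
    ip="$2"
    [ -f "$dir/$ip" ] || return 1
    rm -f "$dir/$ip"
}

# list_veth_devices
# Prints the names of veth interfaces on the host (the "@ifN" peer suffix
# from `ip link` output is stripped). Needs iproute2.
list_veth_devices() {
    ip -o link show type veth | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# delete_veth NAME
# Removes a leftover veth device; deleting one end removes its peer too.
# Requires root.
delete_veth() {
    ip link delete "$1"
}

# Stand-alone usage: HOST_LOCAL_DIR=/var/lib/cni/networks/fcnet sh cni-leftovers.sh
# Only reports when the data directory exists; nothing is deleted automatically.
if [ -d "$HOST_LOCAL_DIR" ]; then
    echo "host-local leases in $HOST_LOCAL_DIR:"
    list_host_local_leases "$HOST_LOCAL_DIR"
    [ -f "$HOST_LOCAL_DIR/last_reserved_ip.0" ] && echo "next address: $(next_host_local_ip "$HOST_LOCAL_DIR")"
fi
```

Check the lease list against `nomad status` before releasing anything: a lease whose container ID does not match any running allocation is the one to drop, and a veth device with no corresponding allocation is the one to delete.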