nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git

commit 3b527966410904823bfe35937686572649b001e7
parent 1db75b049c8ceea4a7fe4a2f22c42212cecba843
Author: Andreas Gruhler <agruhl@gmx.ch>
Date:   Sat, 28 Feb 2026 09:12:06 +0100

feat(jenkins): unconfined aa profile for agents

"For allowing several syscalls such as unshare":
* https://github.com/moby/buildkit/blob/master/docs/rootless.md#docker
* https://github.com/containers/buildah/issues/2871#issuecomment-757452721
* https://developer.hashicorp.com/nomad/plugins/drivers/podman#security_opt

Alternative to disable AppArmor entirely on the amd machines:
* https://wiki.debian.org/AppArmor/HowToUse#Disable_AppArmor

Diffstat:
M hcl/default/jenkins/templates/jenkins.yaml.tmpl | 10 ++++++++++
1 file changed, 10 insertions(+), 0 deletions(-)

diff --git a/hcl/default/jenkins/templates/jenkins.yaml.tmpl b/hcl/default/jenkins/templates/jenkins.yaml.tmpl @@ -117,6 +117,11 @@ jenkins: "Driver": "podman", "User": "jenkins", "Config": { + "security_opt": [ + "seccomp=unconfined", + "apparmor=unconfined", + "systempaths=unconfined" + ], "volumes": [ "/run/user/1312/podman/podman.sock:/home/jenkins/agent/podman.sock", "/etc/containers/registries.conf:/etc/containers/registries.conf", @@ -181,6 +186,11 @@ jenkins: "Driver": "podman", "User": "jenkins", "Config": { + "security_opt": [ + "seccomp=unconfined", + "apparmor=unconfined", + "systempaths=unconfined" + ], "volumes": [ "/run/user/1312/podman/podman.sock:/home/jenkins/agent/podman.sock", "/etc/containers/registries.conf:/etc/containers/registries.conf",
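Review bot: In the first hunk (@@ -117,6 +117,11 @@) the new "security_opt" list turns off three separate confinement layers at once ("seccomp=unconfined", "apparmor=unconfined", "systempaths=unconfined"), while the commit subject only names the AppArmor profile and the message only motivates it with syscalls such as unshare. The same "Config" already bind-mounts the host's "/run/user/1312/podman/podman.sock" into the agent, so this task ends up with host Podman API access and no seccomp or AppArmor filtering around it. Consider adding "apparmor=unconfined" alone first and keeping the other two only if the agent build demonstrably fails without them, or replacing "seccomp=unconfined" with a custom seccomp profile that permits just the calls the build needs. It is also worth confirming on a running agent that each of the three options takes effect under the podman driver, since two of the three linked references describe Docker and Buildah rather than Nomad's podman plugin.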
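Review bot: The second hunk (@@ -181,6 +186,11 @@) repeats the same five-line "security_opt" block verbatim for another agent definition, and neither copy carries a comment explaining why confinement is dropped. Two hand-maintained copies of a security-relevant setting can drift apart when one is tightened later; if the template language in use here allows it, define the list once and reference it from both agent configs. Please also move the rationale and links from the commit message into a comment beside the setting, so someone reading jenkins.yaml.tmpl can see that "seccomp=unconfined", "apparmor=unconfined" and "systempaths=unconfined" are deliberate and which build step depends on them.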