Nomad Nodes
Last modified on May 9, 2024
Overview
This guide describes how to create and run a StrongDM node (gateway or relay) on HashiCorp Nomad.
To learn more about gateways and relays in general, see Nodes.
Prerequisites
- Be an Administrator in StrongDM.
- Ensure that you have a running Nomad instance and are familiar with the Nomad CLI or Nomad Web UI.
Steps
Add a node in the Admin UI
To add a gateway, follow these steps.
- Log in to the StrongDM Admin UI at app.strongdm.com.
- Go to Networking > Gateways and click Add gateway.
- For Name, enter a unique name for the gateway. This is the name that is displayed throughout StrongDM.
- For Advertised Host, use the IP address or hostname of your Nomad server.
- For Advertised Port, edit the port number if you want it to differ from the default 5000.
- Click Advanced to set optional properties.
- For Bind IP, optionally set the IP address for the gateway to listen on. You can use 0.0.0.0 for all interfaces.
- For Bind Port, optionally set the port for the gateway to listen on (default: 5000).
- Click Create gateway to save.
- Copy the token that is generated. This token is used in later steps.
To add a relay, follow these steps.
- Log in to the Admin UI at app.strongdm.com.
- Go to Networking > Relays.
- Click Add relay.
- For Name, enter a name for the relay.
- Click Create relay.
- Copy the token and keep it in a secure place.
Create a node on Nomad
You can create a StrongDM node on Nomad with either the Nomad CLI or the Nomad Web UI.
Use the Nomad CLI
Use SSH to log in to your Nomad server.
Use a text editor to create a new file called sdm-gateway-nomad.
Copy the following example code and paste it into your file:

    job "sdm" {
      # Your datacenters should be updated to reflect your environment.
      datacenters = ["$datacenters"]

      group "gateways" {
        count = 1

        task "server" {
          driver = "docker"

          config {
            image = "public.ecr.aws/strongdm/relay"
          }

          # Replace $SDM_RELAY_TOKEN with the token generated in the Admin UI.
          env {
            SDM_RELAY_TOKEN = "$SDM_RELAY_TOKEN"
          }

          resources {
            network {
              mbits = 10

              # This port can be configured in the Admin UI. By default it is port 5000.
              port "relay" {
                static = 5000
              }
            }
          }
        }
      }
    }

In your file, replace the $datacenters and $SDM_RELAY_TOKEN placeholders with the actual values. If you added a gateway in the Admin UI and changed the port to a port other than the default, change the port here too.
Save and close the file.
Create a new job:
    nomad job init sdm-gateway
Do a dry run to make sure there are no issues:
    nomad job plan sdm-gateway
Start the job:
    nomad job run sdm-gateway
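
The check below is an added example, not part of StrongDM's guide or tooling: it inspects the edited job file before the dry run for leftover placeholders, a static port that differs from the port set in the Admin UI, and file permissions that expose the token. The function names are hypothetical, and the permission check is an added precaution based on the token being stored in the file.

```shell
# sdm_job_preflight FILE [PORT]: PORT is the gateway port set in the Admin UI.
# Prints each finding; the return status is the number of findings (0 = ready).
sdm_job_preflight() {
    file=$1 want_port=${2:-5000} findings=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    # 1. Placeholders must be replaced. Match the quoted form so the
    #    "# Replace $SDM_RELAY_TOKEN ..." comment line is not counted.
    for ph in '$datacenters' '$SDM_RELAY_TOKEN'; do
        if grep -qF "\"$ph\"" "$file"; then
            echo "placeholder $ph is still present"
            findings=$((findings + 1))
        fi
    done

    # 2. The static port must match the port configured in the Admin UI.
    port=$(sed -n 's/.*static[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1)
    if [ "$port" != "$want_port" ]; then
        echo "static port is '${port:-unset}', Admin UI port is $want_port"
        findings=$((findings + 1))
    fi

    # 3. The file holds the node token: group and other need no access.
    mode=$(ls -ld "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "file is accessible to group or other ($mode); run: chmod 600 $file"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed, abbreviated sample: the guide's example with nothing replaced.
sdm_job_preflight_demo() {
    demo=$(mktemp) || return 99
    cat > "$demo" <<'EOF'
job "sdm" {
  datacenters = ["$datacenters"]
  # Replace $SDM_RELAY_TOKEN with the token generated in the Admin UI.
  env { SDM_RELAY_TOKEN = "$SDM_RELAY_TOKEN" }
  port "relay" { static = 5000 }
}
EOF
    rc=0; sdm_job_preflight "$demo" 5000 || rc=$?
    rm -f "$demo"
    return "$rc"
}
```

Source the function in the shell on the Nomad server and run it against your job file, passing the Admin UI port as the second argument if you changed it from 5000.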
Use the Nomad Web UI
Log in to the Nomad Web UI.
Go to the Jobs tab.
Click Run Job.
Copy the following example code:

    job "sdm" {
      # Your datacenters should be updated to reflect your environment.
      datacenters = ["$datacenters"]

      group "gateways" {
        count = 1

        task "server" {
          driver = "docker"

          config {
            image = "public.ecr.aws/strongdm/relay"
          }

          # Replace $SDM_RELAY_TOKEN with the token generated in the Admin UI.
          env {
            SDM_RELAY_TOKEN = "$SDM_RELAY_TOKEN"
          }

          resources {
            network {
              mbits = 10

              # This port can be configured in the Admin UI. By default it is port 5000.
              port "relay" {
                static = 5000
              }
            }
          }
        }
      }
    }

In the Job Definition section, paste that example code.
Replace the $datacenters and $SDM_RELAY_TOKEN placeholders with the actual values. If you added a gateway in the Admin UI and changed the port to a port other than the default, change the port here too.
Click Plan.
Ensure no errors occurred.
Click Run.
Verify that your node is online
In the Admin UI, go to Networking > Gateways or Networking > Relays to verify that the node you created is online.
If it does not appear online, perform a hard refresh of your web browser. If it is still not online within a couple of minutes, verify that the StrongDM daemon is running by running ps aux|grep sdm on the server and looking for sdm relay in the output.