Nomad Nodes
Overview
This guide describes how to create and run a StrongDM node (gateway or relay) on HashiCorp Nomad.
To learn more about gateways and relays in general, see Nodes.
Prerequisites
Be an Administrator in StrongDM.
Ensure that you have a running Nomad instance and are familiar with the Nomad CLI or Nomad Web UI.
Steps
Add a node in the Admin UI
You can add either a gateway (allows ingress) or relay (egress connections only) using Nomad.
Add a gateway
To add a gateway, follow these steps.
Log in to the StrongDM Admin UI at app.strongdm.com.
Go to Networking > Gateways and click Add gateway.
For Name, enter a unique name for the gateway. This is the name that is displayed throughout StrongDM.
For Advertised Host, use the IP address or hostname of your Nomad server.
For Advertised Port, edit the port number if you want it to differ from the default 5000.
Click Advanced to set optional properties.
For Bind IP, optionally set the IP address for the gateway to listen on. You can use 0.0.0.0 for all interfaces.
For Bind Port, optionally set the port for the gateway to listen on (default: 5000).
Click Create gateway to save.
Copy the token that is generated. This token is used in later steps.
Add a relay
To add a relay, follow these steps.
Log in to the StrongDM Admin UI.
Go to Networking > Relays.
Click Add relay.
For Name, enter a name for the relay.
Click Create relay.
Copy the token and keep it in a secure place.
Create the node on Nomad
You can choose one of two ways to create a StrongDM node on Nomad. You can use either the Nomad CLI or Nomad Web UI.
Use the Nomad CLI
Use SSH to log in to your Nomad server.
Use a text editor to create a new file called sdm-gateway.nomad.hcl.
Copy the following example code and paste it into your file:
variable "datacenters" {
  type    = list(string)
  default = ["dc1"]
}

variable "sdm_relay_token" {
  type = string
}

job "sdm" {
  datacenters = var.datacenters

  # Add namespace if using one
  # namespace = "default"

  # Add type specification
  type = "service"

  group "gateways" {
    count = 1

    network {
      port "gateway" {
        static = 5000
        to     = 5000
      }
    }

    # Add service registration
    service {
      name     = "sdm-gateway"
      port     = "gateway"
      provider = "nomad"
      tags     = ["sdm"]

      check {
        type     = "tcp"
        port     = "gateway"
        interval = "30s"
        timeout  = "2s"
      }
    }

    task "server" {
      driver = "docker"

      config {
        image = "public.ecr.aws/strongdm/relay"
        # Publish the "gateway" port from the network block into the container
        ports = ["gateway"]
      }

      resources {
        cpu    = 2000 # MHz
        memory = 4096 # MB
      }

      # Add template for secrets management (optional)
      template {
        data        = <<EOT
SDM_RELAY_TOKEN="${var.sdm_relay_token}"
EOT
        destination = "${NOMAD_SECRETS_DIR}/env.txt"
        env         = true
      }

      # Add restart policy
      restart {
        attempts = 3
        delay    = "30s"
        interval = "5m"
        mode     = "delay"
      }
    }

    # Add update strategy
    update {
      max_parallel     = 1
      health_check     = "checks"
      min_healthy_time = "10s"
      healthy_deadline = "5m"
      auto_revert      = true
    }
  }
}
In your file, replace the $datacenters and $SDM_RELAY_TOKEN placeholders with the actual values. If you added a gateway in the Admin UI and changed the port to a port other than the default, change the port here too.
Save and close the file.
Create a new job:
nomad job init sdm-gateway
Do a dry run to make sure there are no issues:
nomad job plan sdm-gateway
Start the job:
nomad job run sdm-gateway
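The token can also be supplied at run time instead of being written into the job file; the script below is an added example and is not part of this StrongDM guide or of Nomad's own tooling. It assumes the token is held in the SDM_RELAY_TOKEN environment variable, that the job file keeps the sdm_relay_token variable without a default, and it relies on Nomad reading NOMAD_VAR_<name> environment variables as HCL2 variable values and on nomad job plan exiting 1 when the plan would change allocations.

```shell
#!/bin/sh
# Added example (not StrongDM's or Nomad's tooling): deploy the
# sdm-gateway.nomad.hcl job while keeping the relay token out of the file.
# Nomad reads HCL2 variables from -var flags or NOMAD_VAR_<name> environment
# variables, so the secret is injected at run time, not pasted into the spec.

# Return 0 if the job file declares variable "sdm_relay_token" with no
# default value (i.e. the token must come from the environment), 1 otherwise.
sdm_token_not_in_file() {
  awk '
    /variable "sdm_relay_token"/ { inblock = 1; next }
    inblock && /^ *}/            { inblock = 0 }
    inblock && /default *=/      { found = 1 }
    END { if (found) exit 1; exit 0 }
  ' "$1"
}

# Plan, then run, the job. The token is read from SDM_RELAY_TOKEN (assumed to
# be set by the operator, e.g. from a secrets manager) and handed to Nomad as
# NOMAD_VAR_sdm_relay_token. NOMAD_BIN optionally points at a nomad binary.
sdm_node_deploy() {
  job_file="$1"
  [ -n "$SDM_RELAY_TOKEN" ] || { echo "SDM_RELAY_TOKEN is not set" >&2; return 2; }
  sdm_token_not_in_file "$job_file" || {
    echo "refusing to deploy: $job_file hardcodes a default for sdm_relay_token" >&2
    return 3
  }
  NOMAD_VAR_sdm_relay_token="$SDM_RELAY_TOKEN"
  export NOMAD_VAR_sdm_relay_token
  # Dry run first: exit 0 = no changes, 1 = allocations would change
  # (expected for a new job), anything higher = error.
  "${NOMAD_BIN:-nomad}" job plan "$job_file"
  rc=$?
  [ "$rc" -le 1 ] || { echo "nomad job plan failed (exit $rc)" >&2; return "$rc"; }
  "${NOMAD_BIN:-nomad}" job run "$job_file"
}
```

Run it as `SDM_RELAY_TOKEN=... sh deploy.sh` with a call to `sdm_node_deploy sdm-gateway.nomad.hcl` at the end of the script; the token never lands on disk in the job file.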
Use the Nomad Web UI
Log in to the Nomad Web UI.
Go to the Jobs tab.
Click Run Job.
Copy the following example code:
variable "datacenters" {
  type    = list(string)
  default = ["dc1"]
}

variable "sdm_relay_token" {
  type = string
}

job "sdm" {
  datacenters = var.datacenters

  # Add namespace if using one
  # namespace = "default"

  # Add type specification
  type = "service"

  group "gateways" {
    count = 1

    network {
      port "gateway" {
        static = 5000
        to     = 5000
      }
    }

    # Add service registration
    service {
      name     = "sdm-gateway"
      port     = "gateway"
      provider = "nomad"
      tags     = ["sdm"]

      check {
        type     = "tcp"
        port     = "gateway"
        interval = "30s"
        timeout  = "2s"
      }
    }

    task "server" {
      driver = "docker"

      config {
        image = "public.ecr.aws/strongdm/relay"
        # Publish the "gateway" port from the network block into the container
        ports = ["gateway"]
      }

      resources {
        cpu    = 2000 # MHz
        memory = 4096 # MB
      }

      # Add template for secrets management (optional)
      template {
        data        = <<EOT
SDM_RELAY_TOKEN="${var.sdm_relay_token}"
EOT
        destination = "${NOMAD_SECRETS_DIR}/env.txt"
        env         = true
      }

      # Add restart policy
      restart {
        attempts = 3
        delay    = "30s"
        interval = "5m"
        mode     = "delay"
      }
    }

    # Add update strategy
    update {
      max_parallel     = 1
      health_check     = "checks"
      min_healthy_time = "10s"
      healthy_deadline = "5m"
      auto_revert      = true
    }
  }
}
In the Job Definition section, paste that example code.
Replace the $datacenters and $SDM_RELAY_TOKEN placeholders with the actual values. If you added a gateway in the Admin UI and changed the port to a port other than the default, change the port here too.
Click Plan.
Ensure no errors occurred.
Click Run.
Verify that your node is online
In the Admin UI, go to Networking > Gateways or Networking > Relays to verify that the node you created is online.
If it does not appear online, perform a hard refresh of your web browser. If it is still not online after a couple of minutes, verify that the StrongDM daemon is running by running ps aux|grep sdm on the server and looking for sdm relay in the output.