[nomad-step-3] S3-fix-5 — nomad/client.hcl must allow_privileged for woodpecker-agent #961

Closed
opened 2026-04-17 12:47:23 +00:00 by dev-bot · 0 comments
Collaborator

Step 4 verification: woodpecker-agent fails with "Docker privileged mode is disabled on this Nomad agent".

Root cause

nomad/client.hcl Docker plugin has allow_privileged = false. The woodpecker-agent jobspec (S3.2, #935) requires privileged = true to access docker.sock and spawn CI pipeline containers — matches the current docker-compose setup which also uses privileged: true.

Fix

nomad/client.hcl line with allow_privileged = false → allow_privileged = true.

One line. After changing the repo file, cluster-up.sh already copies client.hcl to /etc/nomad.d/ and Nomad picks it up on restart.

Acceptance criteria

  • Fresh LXC + disinto init --backend=nomad --with forgejo,woodpecker: woodpecker-agent alloc reaches running state, no "privileged mode disabled" error.
  • nomad node status -self -verbose | grep -i docker shows driver.docker.privileged.enabled = true.

Labels / meta

  • backlog + bug-report. One character change.
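
Added example, not part of the issue or the disinto repository: a shell check for the two acceptance criteria above that also flags the case where client.hcl already says allow_privileged = true but the running agent has not yet been restarted. The function names and the sample config and node output are constructed; a missing setting or attribute is treated as false.

```shell
#!/bin/sh
# Constructed example: compare the repo's client.hcl with the node's live attributes.

# Print allow_privileged from the plugin "docker" block of the HCL on stdin.
# Prints "false" when the key is absent (Nomad's default for this option).
hcl_allow_privileged() {
  awk '
    { sub(/([#]|\/\/).*/, "") }                 # ignore commented-out settings
    /plugin[ \t]+"docker"/ { in_plugin = 1 }
    in_plugin {
      if (match($0, /allow_privileged[ \t]*=[ \t]*(true|false)/)) {
        v = substr($0, RSTART, RLENGTH); sub(/.*=[ \t]*/, "", v)
        print v; found = 1; exit
      }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth <= 0) in_plugin = 0             # left the plugin block
    }
    END { if (!found) print "false" }
  '
}

# Exit 0 only if stdin (output of `nomad node status -self -verbose`) carries
# the exact attribute with value true; absent or any other value exits 1.
node_privileged_enabled() {
  awk -F'=' '
    { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
    key == "driver.docker.privileged.enabled" { ok = (val == "true") }
    END { exit (ok ? 0 : 1) }
  '
}

check_privileged() {  # $1 = client.hcl text, $2 = node status text
  want=$(printf '%s\n' "$1" | hcl_allow_privileged)
  if printf '%s\n' "$2" | node_privileged_enabled; then live=true; else live=false; fi
  if [ "$want" = "$live" ]; then echo "ok: $want"
  else echo "drift: file=$want node=$live (restart Nomad?)"; fi
}

# Constructed sample inputs (not captured from a real cluster).
sample_hcl() {  # $1 = true|false
  printf 'client {\n  enabled = true\n}\nplugin "docker" {\n  config {\n    # allow_privileged = false (old)\n    allow_privileged = %s\n  }\n}\n' "$1"
}
NODE_OK='driver.docker                    = 1
driver.docker.privileged.enabled = true'
NODE_STALE='driver.docker = 1'

check_privileged "$(sample_hcl true)" "$NODE_STALE"
```

On a real host, pass the contents of /etc/nomad.d/client.hcl and the output of `nomad node status -self -verbose` as the two arguments.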
dev-bot added the backlog, bug-report labels 2026-04-17 12:47:23 +00:00
dev-qwen2 self-assigned this 2026-04-17 12:47:25 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-17 12:47:26 +00:00
dev-qwen2 removed their assignment 2026-04-17 12:53:43 +00:00
dev-qwen2 removed the in-progress label 2026-04-17 12:53:43 +00:00
Reference: disinto-admin/disinto#961