Creating a bootstrap token:

/ # nomad acl bootstrap

Accessor ID  = b93427a5-b064-7306-7ff7-c1e66d9f706e
Secret ID    = 7f1d8116-4b35-bcf6-6f8b-AAAAAAAAAAAA
Name         = Bootstrap Token
Type         = management
Global       = true
Create Time  = 2025-11-23 15:53:39.697500425 +0000 UTC
Expiry Time  = <none>
Create Index = 31
Modify Index = 31
Policies     = n/a
Roles        = n/a

This management token has ultimate access to Nomad's API and, as the output shows, has no expiry time.

Docker compose file

docker-compose.yml:

services:
  nomad-server:
    image: hashicorp/nomad:1.11
    command: agent -config=/etc/nomad -bind=0.0.0.0 -data-dir=/nomad/data
    ports:
      - "4646:4646" # UI/API
      - "4647:4647" # RPC
      - "4648:4648" # Serf
    volumes:
      - nomad-server-data:/nomad/data
      - /opt/nomad-server/etc/nomad:/etc/nomad
    cap_add:
      - NET_ADMIN

  nomad-client1:
    image: hashicorp/nomad:1.11
    privileged: true
    command: agent -client -config=/etc/nomad -bind=0.0.0.0 -data-dir=/nomad/data
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - nomad-client1-data:/nomad/data
      - /opt/nomad-client1/etc/nomad:/etc/nomad
      - /sys:/sys
    cap_add:
      - NET_ADMIN

  nomad-client2:
    image: hashicorp/nomad:1.11
    privileged: true
    command: agent -client -config=/etc/nomad -bind=0.0.0.0 -data-dir=/nomad/data
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - nomad-client2-data:/nomad/data
      - /opt/nomad-client2/etc/nomad:/etc/nomad
      - /sys:/sys
    cap_add:
      - NET_ADMIN
#    environment:
#      - NOMAD_CLIENT_INTRO_TOKEN=eyJhbGciBBBBBB

volumes:
  nomad-server-data:
  nomad-client1-data:
  nomad-client2-data:

It's important to specify the version nomad:1.11; nomad:latest would download a commercial version.

Server config

server {
  enabled = true
  bootstrap_expect = 1
  client_introduction {
    enforcement = "strict"
  }
}

acl {
  enabled = true
}
  • enforcement = "strict" means that clients (nodes) must supply NOMAD_CLIENT_INTRO_TOKEN to join the cluster

Generating intro token

  • start shell on the server instance

docker exec -it nomad-learn-nomad-server-1 sh

  • supply the bootstrap token from the first step

export NOMAD_TOKEN=7f1d8116-4b35-bcf6-6f8b-AAAAAAAAAAAA

  • generate the JWT

/ # nomad node intro create

Successfully generated client introduction token:

eyJhbBBBBBBBBBBB
/ #

That token can then be used to join nodes to the server; see the NOMAD_CLIENT_INTRO_TOKEN entry in the docker compose file.
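
Because the intro token is a JWT, anyone who holds it can read its header and claims, so it is worth inspecting before it goes into a compose file. The following is an added example, not part of the original notes and not Nomad's own code: it decodes a token without verifying the signature and reports its expiry status. The function names, the sample token, its alg value and its claims are constructed; only the standard exp claim is assumed, since the page does not show which claims Nomad sets.

```python
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_intro_token(token, now=None):
    """Decode a JWT's header and claims WITHOUT verifying the signature.

    Inspection only: the Nomad server remains the party that validates it.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")  # RFC 7519 registered claim, seconds since epoch
    if exp is None:
        status = "no-expiry"  # long-lived bearer credential: treat with care
    elif exp <= now:
        status = "expired"
    else:
        status = "valid-for-%ds" % int(exp - now)
    return {"alg": header.get("alg"), "claims": claims, "status": status}


def make_sample(claims):
    # Constructed sample token with a dummy signature; NOT output from Nomad.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "EdDSA", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    # Constructed claims: expires 30 minutes from now.
    sample = make_sample({"exp": int(time.time()) + 1800, "note": "constructed"})
    result = inspect_intro_token(sample)
    print(result["alg"], result["status"], result["claims"])
```
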

Client (node) config

# client.hcl
server {
  enabled = false
}

client {
  enabled = true

  server_join {
    retry_join = ["10.20.1.22:4647"]
  }
}


consul {
  client_auto_join = false
}

where 10.20.1.22:4647 is the GRPC IP:PORT of the server.