[systemd-devel] Systemd usage wrt libvirt-sandbox

Daniel P. Berrange berrange at redhat.com
Thu Mar 1 07:29:05 PST 2012


The libvirt-sandbox project[1] is providing an API and command line tools for
constructing application sandboxes. It uses either LXC or KVM virtualization
via libvirt, to confine execution of an application binary, giving it a
read-only view of the host root filesystem, with custom writable areas
grafted onto selected paths. e.g. if running httpd inside a sandbox, we give
it a private /etc/httpd and /var/www, etc.

The idea is to get the security isolation benefits of virtualization
technology, without the administrative burden of extra OS installs
that it normally entails. As such the only processes running inside
each sandbox are the application being confined, and a minimal custom
"init" binary provided by libvirt-sandbox itself.

As we expand our use cases though, particularly to cover the "secure
containers" feature[2] in Fedora 17, it is clear that if we're not
careful, our minimal "libvirt-sandbox-init-common" binary is going to
turn into a poor man's copy of systemd. We want to avoid that, and
instead actually make use of systemd directly.

Since the sandbox shares the same root filesystem as the host, we
can't simply exec 'systemd' as is. We'll need to set up a few custom
writable mounts, where we write out custom units / targets, and
let systemd keep any state.

So I'm trying to figure out just what is the absolute minimal setup we
can configure for systemd. Our primary target for development is to
sandbox apache. So I'd like to figure out what minimal config / directory
structure I need to create to run systemd and have it only run apache,
and a login shell (for debug inside the sandbox).

I'm guessing that I can perhaps get away with setting up an override
of the host's /etc/systemd, and writing out custom basic.target
and default.target unit files, which merely run httpd.unit and
a shell?

Regards,
Daniel

[1] http://berrange.com/tags/libvirt-sandbox/
    http://libvirt.org/git/?p=libvirt-sandbox.git;a=summary
    https://fedoraproject.org/wiki/Features/VirtSandbox

[2] https://fedoraproject.org/wiki/Features/SecureContainers
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
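The override sketched in the question, as an added example that is not libvirt-sandbox's own code: a shell function that stages a minimal unit tree which a sandbox could bind-mount over the host's /etc/systemd, shadowing basic.target so the host's sysinit chain is not pulled in and pointing default.target at a target that only runs httpd and a console shell. The staging path, the unit names and the debug-shell arrangement are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not libvirt-sandbox code): build a minimal systemd unit
# tree to mount over /etc/systemd inside the sandbox. Unit names and the
# staging directory are assumptions.
set -eu

write_sandbox_units() {
    root="$1"               # staging dir, later bind-mounted over /etc/systemd
    units="$root/system"
    mkdir -p "$units"

    # /etc/systemd/system shadows /lib/systemd/system, so an empty
    # basic.target here stops the host's sysinit dependencies being pulled in.
    cat > "$units/basic.target" <<'EOF'
[Unit]
Description=Sandbox basic target (overrides host basic.target)
EOF

    # The confined application, kept in the foreground so systemd tracks it.
    cat > "$units/httpd.service" <<'EOF'
[Unit]
Description=Sandboxed Apache httpd
After=basic.target

[Service]
ExecStart=/usr/sbin/httpd -DFOREGROUND
Restart=on-failure
EOF

    # A login shell on the sandbox console for debugging.
    cat > "$units/debug-shell.service" <<'EOF'
[Unit]
Description=Debug shell on sandbox console
After=basic.target

[Service]
ExecStart=/bin/sh
StandardInput=tty
TTYPath=/dev/console
EOF

    # The sandbox's own default target: only the units listed here start.
    cat > "$units/sandbox.target" <<'EOF'
[Unit]
Description=Sandbox default target
Requires=basic.target httpd.service debug-shell.service
After=basic.target
EOF
    ln -sf sandbox.target "$units/default.target"
}
```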

