[systemd-devel] systemd config recipes for namespace-isolated webapps

Martin Langhoff martin.langhoff at gmail.com
Tue Jul 2 14:18:57 PDT 2013


Hi folks!

At OLPC, I got an early chance to use and abuse systemd, and I like it
quite a bit.

We currently have ~500 identical VMs (created from kickstarts, kept
almost in sync via satellite); each hosts apache/mysql daemons, and 2
installs of the same PHP webapp (production, test).

Goal is to reduce the number of VMs radically, as memory and storage
overheads are killing us.

I am now looking at systemd (under F-19, RHEL7 later) and wondering
whether there are any recipes that can guide me a bit through setting
up webapps in CGs with suitable namespaces.

What I _think_ I need is

0 - one target per "customer", which in turn pulls in
1 - apache
2 - mysql
3 - cronjobs
4 - apache/tomcat/java setup {for some customers}
5 - sftp -- namespace-aware?

with 1, 2 and 3 set to use the same CG. And stopping the target should
ensure all the CG is down/dead.

If possible, I prefer to avoid containers (and the associated chroot
maintenance).

High on the list of goals is to protect customers from data leakage,
so guidelines towards effective use of namespaces are sought here.

Pointers, hints, anyone else working in a similar direction?

cheers,

martin

ps: I have read all/most of LWN and Lennart's articles, but welcome a
gentle pointer if relevant...
--
 martin.langhoff at gmail.com
 -  ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 ~ http://docs.moodle.org/en/User:Martin_Langhoff
