[systemd-devel] systemd config recipes for namespace-isolated webapps

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Wed Jul 3 07:49:09 PDT 2013


On Wed, Jul 03, 2013 at 07:40:33AM -0400, Martin Langhoff wrote:
> On Wed, Jul 3, 2013 at 12:53 AM, Zbigniew Jędrzejewski-Szmek
> <zbyszek at in.waw.pl> wrote:
> > I haven't really tried anything like what you describe, but in general
> > both container and container-less approaches should work.
> 
> Thanks for your reply. Yes, I get the sense that "in general, it
> should work". As usual, the devil's in the details...
> 
> In both container and container-less cases...
> 
>  - How do I handle cronjobs?
With systemd .timers and systemd .services activated by those timers. If
you mean "real" cronjobs, I don't know.

>  - How do I tell several services to use the "same" cg?
They can't all use the same cg, because systemd uses groups to group
units. But they can share a slice of resources, by assigning a group
of services to the same systemd .slice. This part is currently in
fast development, but should be usable already.

> Then... if I set up a single chroot and try to launch many containers
> on top of it...
> 
>  - does the "stateless" service work?
In general, systemd is happy to only write to /run, which won't be shared,
so going with a read-only root should work.

>  - how can I "key" stateless writable dirs on a per-container instance?
You can add a template .service which will mount some directory,
let's say /var/lib/container/etc, and make it PartOf the .service
launching the container. IIRC, templated .mount units are not possible
currently, but the same should be achievable with an explicit mount
command.

Zbyszek


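The unit layout Zbyszek sketches above (a .timer standing in for cron, a shared .slice, and a template .service that mounts a per-instance writable directory and is PartOf= the container service), written out as a constructed example. This is not code from the thread or from the systemd project; the unit names (webapp.slice, webapp-state@.service, webapp@.service, webapp-maintenance@.timer and .service), the paths /srv/webapp-root and /var/lib/container/%i, the webapp-server binary, and the use of systemd-nspawn with --bind= and --read-only are all assumptions. The five files are shown back to back, each introduced by a comment naming it.

```ini
# Constructed example, not from the thread. Five unit files under
# /etc/systemd/system/, shown one after another. %i is the instance name,
# e.g. "site1" from "systemctl start webapp@site1.service".

# --- webapp.slice: the resource pool every instance is accounted against ---
[Unit]
Description=Resource slice shared by all webapp instances

[Slice]
# Accounting makes per-slice CPU and memory usage visible (systemd-cgtop)
CPUAccounting=yes
MemoryAccounting=yes

# --- webapp-state@.service: per-instance writable, stateless storage ---
[Unit]
Description=Writable tmpfs for webapp instance %i
# Start, stop and restart together with the container that uses it
PartOf=webapp@%i.service
Before=webapp@%i.service

[Service]
Type=oneshot
RemainAfterExit=yes
# Explicit mount command instead of a templated .mount unit (assumed path)
ExecStart=/bin/mkdir -p /var/lib/container/%i
ExecStart=/bin/mount -t tmpfs -o nosuid,nodev,size=256M tmpfs /var/lib/container/%i
ExecStart=/bin/mkdir -p /var/lib/container/%i/tmp
ExecStop=/bin/umount /var/lib/container/%i

# --- webapp@.service: one container per instance, sharing one read-only root ---
[Unit]
Description=Namespace-isolated webapp instance %i
Requires=webapp-state@%i.service
After=webapp-state@%i.service network.target

[Service]
# All instances land in the same slice and so share one resource budget
Slice=webapp.slice
# Assumed: a systemd-nspawn that supports --read-only and --bind=.
# The shared root stays read-only; only the per-instance tmpfs is writable.
ExecStart=/usr/bin/systemd-nspawn --read-only -D /srv/webapp-root \
    --bind=/var/lib/container/%i:/var/lib/webapp \
    /usr/bin/webapp-server --instance=%i
Restart=on-failure

[Install]
WantedBy=multi-user.target

# --- webapp-maintenance@.timer: the cron replacement, one per instance ---
[Unit]
Description=Daily maintenance for webapp instance %i
# The timer follows the container's lifecycle as well
PartOf=webapp@%i.service

[Timer]
OnCalendar=daily

[Install]
WantedBy=timers.target

# --- webapp-maintenance@.service: what the timer activates ---
[Unit]
Description=Prune stale files of webapp instance %i

[Service]
Type=oneshot
# Maintenance work is charged to the same slice as the instance itself
Slice=webapp.slice
ExecStart=/usr/bin/find /var/lib/container/%i/tmp -type f -mtime +1 -delete
```

Starting webapp@site1.service pulls in webapp-state@site1.service first; stopping it takes the state unit (and, once enabled, the timer) down with it because of PartOf=. Enable the timer per instance with "systemctl enable webapp-maintenance@site1.timer", and inspect the grouping with "systemctl status webapp.slice", which lists every instance's cgroup under the shared slice. The nosuid,nodev options on the tmpfs and the read-only shared root are what keep the writable area from becoming a way back into the host.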