[systemd-devel] systemd config recipes for namespace-isolated webapps
Lennart Poettering
lennart at poettering.net
Fri Jul 12 11:31:55 PDT 2013
On Wed, 03.07.13 07:40, Martin Langhoff (martin.langhoff at gmail.com) wrote:
> On Wed, Jul 3, 2013 at 12:53 AM, Zbigniew Jędrzejewski-Szmek
> <zbyszek at in.waw.pl> wrote:
> > I haven't really tried anything like what you describe, but in general
> > both container and container-less approaches should work.
>
> Thanks for your reply. Yes, I get the sense that "in general, it
> should work". As usual, the devil's in the details...
>
> In both container and container-less cases...
>
> - How do I handle cronjobs?
You could use timer units instead.
> - How do I tell several services to use the "same" cg?
In F20 with slices and everything is awesome. F19 you could use the
ControlGroup= settings, but this is really awful and very manual.
> Then... if I setup a single chroot and try to launch many containers
> on top of it...
>
> - does the "stateless" service work?
You could do this with nspawn. You could use the same /etc, /usr, and
everything else, and use --bind= to mount different /home and /var into
the containers. systemd-nspawn will take care of a private /run for you,
and systemd in the container will take care of a private /tmp.
> - how can I "key" stateless writable dirs on a per-container instance?
--bind and --bind-ro.
Lennart
--
Lennart Poettering - Red Hat, Inc.
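
Added example, not part of the message above and not systemd's own code: a sketch of the nspawn layout the reply describes, with one shared tree and per-instance /var and /home mounted via --bind. The paths, the function names, the DRY_RUN switch and the choice to mount the shared tree with --read-only are assumptions of this example.

```sh
#!/bin/sh
# Added example: start one instance of a shared root tree under systemd-nspawn,
# with per-instance /var and /home bind-mounted in.
# Hypothetical paths; override them from the environment.
SHARED_ROOT="${SHARED_ROOT:-/srv/webapp/root}"
STATE_BASE="${STATE_BASE:-/srv/webapp/state}"

# The instance name becomes part of a host path and a machine name, so accept
# only 1-32 characters from [A-Za-z0-9_-] and never a leading "-". This keeps
# "../x" or "a/b" from pointing the bind mounts outside STATE_BASE.
valid_instance() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# run_instance NAME: boot the shared tree read-only with NAME's private state.
# With DRY_RUN set, only print the command line instead of running it.
run_instance() {
    valid_instance "$1" || { echo "invalid instance name" >&2; return 1; }
    state="$STATE_BASE/$1"
    set -- systemd-nspawn --boot --read-only \
        "--directory=$SHARED_ROOT" "--machine=$1" \
        "--bind=$state/var:/var" "--bind=$state/home:/home"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
        return 0
    fi
    mkdir -p "$state/var" "$state/home" || return 1
    "$@"
}
```

Source the file and call `DRY_RUN=1 run_instance shop1` to inspect the command line before running it as root.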