[systemd-devel] Waiting for nspawn services

Lennart Poettering lennart at poettering.net
Mon Oct 27 08:32:54 PDT 2014


On Mon, 27.10.14 11:24, Rich Freeman (r-systemd at thefreemanclan.net) wrote:

> On Mon, Oct 27, 2014 at 10:49 AM, Lennart Poettering
> <lennart at poettering.net> wrote:
> > In general I think making use of socket notification here would be the
> > much better option, as it removes the entire need for ordering things
> > here. nspawn already supports socket activation just fine. If your
> > mysql container would use this, then you could start the entire mysql
> > container at the same time as the mysql client without any further
> > complexity or synchronization, and it would just work.
> 
> Is socket activation supported for nspawn containers that use network
> namespaces? 

Yes. The socket passed in doesn't have to be from the same namespace
as the container runs in. It's kinda cool, as this allows locking down
containers pretty strictly, but still granting them access on some
very specific listening socket.

(Note though that ymmv on this, because depending on the software you
use it might want to reverse-dns lookup incoming connections, and
that would fail if the container doesn't have network access to do
DNS... That said, if mysql would do reverse-dns of all incoming
connections it would be really stupid...)

> Incoming connections would not be pointed at the host IP,
> but at the container's IP, which the host wouldn't otherwise be
> listening on since the interface for it does not yet exist.
> 
> Or do I need to move everything to different port numbers and use the host IP?

Network namespaces are relevant for the process that originally binds
the sockets. In the case of socket-activated containers that would be
the host. If you then pass the fds into the containers and those are
locked into their own namespaces, then any sockets they create and
bind would be from their own namespace, but the one they got passed in
would still be from the original host namespace. If they then accept a
connection on that passed-in socket that connection socket would also
be part of the same host namespace -- not of the containers.

Hence, two rules:

a) if you have a socket, then all sockets you derive from it via
   accept() stay part of the same namespace as that original socket.

b) any new sockets you generate via socket() are part of whatever
   network namespace your process is currently in.

Hope that makes sense?

Lennart

-- 
Lennart Poettering, Red Hat
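The handover Lennart describes, as an added example that is not part of the thread or of systemd's own code: a minimal Python re-implementation of the sd_listen_fds(3) check a service inside the container would perform, with the host-side bind and the fd handover simulated in one process (the loopback address, the ephemeral port, and passing the descriptor by number instead of at fd 3 are constructed for the demonstration).

```python
import os
import socket

# sd_listen_fds(3) protocol: the manager sets LISTEN_PID and LISTEN_FDS and
# passes the listening sockets as descriptors 3, 4, ... to the activated process.
SD_LISTEN_FDS_START = 3


def listen_fds(first_fd=SD_LISTEN_FDS_START, environ=os.environ):
    """Return the activation descriptors, or [] if none were handed to *us*."""
    try:
        # LISTEN_PID guards against inheriting sockets meant for a parent.
        if int(environ.get("LISTEN_PID", "")) != os.getpid():
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    fds = list(range(first_fd, first_fd + count))
    for fd in fds:
        os.set_inheritable(fd, False)  # FD_CLOEXEC, as sd_listen_fds() does
    return fds


def adopt_listen_sockets(fds):
    """Wrap inherited descriptors without re-binding them.

    Rule (a) from the thread: the socket keeps the network namespace of the
    process that bound it (the host), even if this process now sits in the
    container's namespace.  Rule (b): only a fresh socket.socket() call made
    here would land in the container's own namespace.
    """
    return [socket.socket(fileno=fd) for fd in fds]


def accept_one(listener):
    """accept() on the inherited socket; the result stays in its namespace."""
    return listener.accept()


def simulate_activation():
    """Stand in for the host: bind, detach the fd, let the 'service' accept."""
    host_side = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    host_side.bind(("127.0.0.1", 0))  # constructed: loopback, ephemeral port
    host_side.listen(1)
    fd = host_side.detach()  # the activated service now owns the descriptor
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}
    [listener] = adopt_listen_sockets(listen_fds(first_fd=fd, environ=env))
    client = socket.create_connection(listener.getsockname())
    conn, _peer = accept_one(listener)
    # The accepted socket carries the host-bound endpoint, not a container one.
    same_endpoint = conn.getsockname() == listener.getsockname()
    for s in (conn, client, listener):
        s.close()
    return same_endpoint
```

Running `simulate_activation()` returns True; the LISTEN_PID guard makes `listen_fds()` return an empty list when the environment names another process.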
