[systemd-devel] Container, private network and socket activation
Mikhail Morfikov
mmorfikov at gmail.com
Mon Feb 2 17:36:30 PST 2015
I've set up a container via systemd-nspawn tool, and I wanted to use the private network feature.
The line that launches the container includes --network-bridge= and --network-veth options.
The whole systemd .service file looks like this:
[Unit]
Description=My little container
[Service]
Type=simple
KillMode=process
ExecStart=/usr/bin/systemd-nspawn -jbD /media/Kabi/debian-tree/ \
--network-bridge=br_lxc \
--network-veth \
--bind /media/Kabi/apache/:/apache/ \
--bind /media/Kabi/backup_packages/apt/archives/:/var/cache/apt/archives/ \
--bind /media/Kabi/repozytorium:/repozytorium \
3
The bridge interface was created through the /etc/network/interface file, and it looks as follows:
auto br_lxc
iface br_lxc inet static
address 192.168.10.100
netmask 255.255.255.0
broadcast 192.168.10.255
bridge_ports none
bridge_waitport 0
bridge_fd 0
The container is able to boot:
# systemctl status mycontainer.service
● mycontainer.service - My little container
Loaded: loaded (/etc/systemd/system/mycontainer.service; static; vendor preset: enabled)
Active: active (running) since Tue 2015-02-03 01:57:24 CET; 12s ago
Main PID: 84905 (systemd-nspawn)
CGroup: /system.slice/mycontainer.service
└─84905 /usr/bin/systemd-nspawn -jbD /media/Kabi/debian-tree/ --network-bridge=br_lxc --network-veth --bind /media/Kabi/apache/:/apache/ --bind /media/Kabi/backup_packages/apt/arch...
Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [ OK ] Started Console Getty.
Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [ OK ] Reached target Login Prompts.
Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [ OK ] Started System Logging Service.
Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [ OK ] Started Cleanup of Temporary Directories.
Feb 03 01:57:27 morfikownia systemd-nspawn[84905]: [ OK ] Started LSB: Start and stop the mysql database server daemon.
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]: [ OK ] Started LSB: Apache2 web server.
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]: [ OK ] Reached target Multi-User System.
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]: Starting Update UTMP about System Runlevel Changes...
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]: [ OK ] Started Update UTMP about System Runlevel Changes.
Feb 03 01:57:29 morfikownia systemd-nspawn[84905]: Debian GNU/Linux 8 www console
# machinectl
MACHINE CONTAINER SERVICE
debian-tree container nspawn
1 machines listed.
# machinectl status debian-tree
debian-tree
Since: Tue 2015-02-03 01:57:24 CET; 2min 54s ago
Leader: 84906 (systemd)
Service: nspawn; class container
Root: /media/Kabi/debian-tree
Iface: br_lxc
Address: 192.168.10.10
fe80::541b:d0ff:febc:c38c%7
OS: Debian GNU/Linux 8 (jessie)
Unit: machine-debian\x2dtree.scope
├─84906 /lib/systemd/systemd 3
└─system.slice
├─dbus.service
│ └─85024 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─cron.service
│ └─85003 /usr/sbin/cron -f
├─apache2.service
│ ├─85427 /usr/sbin/apache2 -k start
│ ├─85454 /usr/sbin/apache2 -k start
│ ├─85485 /usr/sbin/apache2 -k start
│ ├─85486 /usr/sbin/apache2 -k start
│ ├─85488 /usr/sbin/apache2 -k start
│ ├─85489 /usr/sbin/apache2 -k start
│ └─85491 /usr/sbin/apache2 -k start
├─systemd-journald.service
│ └─84941 /lib/systemd/systemd-journald
├─systemd-logind.service
│ └─85006 /lib/systemd/systemd-logind
├─mysql.service
│ ├─85057 /bin/sh /usr/bin/mysqld_safe
│ └─85415 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run...
├─console-getty.service
│ └─85055 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
└─rsyslog.service
└─85051 /usr/sbin/rsyslogd -n
Inside of the container I added the following configuration to its network interface:
auto host0
iface host0 inet static
address 192.168.10.10
network 192.168.10.0/24
netmask 255.255.255.0
broadcast 192.168.10.255
gateway 192.168.10.100
Communication works (ping from the container):
root at www:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=32.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=52 time=32.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=52 time=30.3 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.377/31.754/32.600/1.003 ms
I'm also able to visit the apache page from the host:
$ curl 192.168.10.10
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
...
Here are the relevant interfaces on the host:
...
br_lxc Link encap:Ethernet HWaddr ae:7f:0e:ec:9f:56
inet addr:192.168.10.100 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::8867:45ff:fe62:f014/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:332 errors:0 dropped:0 overruns:0 frame:0
TX packets:341 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:296686 (289.7 KiB) TX bytes:66196 (64.6 KiB)
...
vb-debian-tree Link encap:Ethernet HWaddr ae:7f:0e:ec:9f:56
inet6 addr: fe80::ac7f:eff:feec:9f56/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:648 (648.0 B) TX bytes:648 (648.0 B)
...
and inside of the container:
host0 Link encap:Ethernet HWaddr 56:1b:d0:bc:c3:8c
inet addr:192.168.10.10 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::541b:d0ff:febc:c38c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:648 (648.0 B) TX bytes:648 (648.0 B)
and the bridge:
# brctl show
bridge name bridge id STP enabled interfaces
br_lxc 8000.ae7f0eec9f56 no vb-debian-tree
So, everything works pretty well.
Now there's a problem, how to add socket activation to this container?
I tried to add the mycontainer.socket systemd file, which looks like this:
[Unit]
Description=The HTTP/HTTPS socket of my little container
[Socket]
ListenStream=192.168.10.10:80
ListenStream=192.168.10.10:443
FreeBind=true
The option FreeBind is required -- otherwise the socket can't listen because there's no such
interface with that IP.
When I start the socket, I get the following:
# systemctl start mycontainer.socket
# systemctl status mycontainer.socket
● mycontainer.socket - The HTTP/HTTPS socket of my little container
Loaded: loaded (/etc/systemd/system/mycontainer.socket; static; vendor preset: enabled)
Active: active (listening) since Tue 2015-02-03 02:10:04 CET; 12s ago
Listen: 192.168.10.10:80 (Stream)
192.168.10.10:443 (Stream)
Feb 03 02:10:04 morfikownia systemd[1]: Starting The HTTP/HTTPS socket of my little container.
Feb 03 02:10:04 morfikownia systemd[1]: Listening on The HTTP/HTTPS socket of my little container.
But when I try to connect to the apache inside of the container, I get this:
$ curl 192.168.10.10
curl: (7) Failed to connect to 192.168.10.10 port 80: No route to host
The container doesn't boot. And I don't get it, the socket is listening:
# netstat -tupan | grep init
tcp 0 0 192.168.10.10:80 0.0.0.0:* LISTEN 1/init
tcp 0 0 192.168.10.10:443 0.0.0.0:* LISTEN 1/init
tcp6 0 0 :::6566 :::* LISTEN 1/init
So, why isn't the container activated when the connection comes to the ports?
The following message comes from iptables, maybe it can be useful:
Feb 03 02:20:30 morfikownia kernel: *IPTABLES*IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.10.100 DST=192.168.10.100 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=45138 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.10.100 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16054 DF PROTO=TCP SPT=59539 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 ]
When the container is up (the manual way, without the socket) and everything works as it should, the message looks like this:
Feb 03 02:22:46 morfikownia kernel: *IPTABLES*IN=br_lxc OUT= PHYSIN=vb-debian-tree MAC=ae:7f:0e:ec:9f:56:56:1b:d0:bc:c3:8c:08:00 SRC=192.168.10.10 DST=192.168.10.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=59568 WINDOW=28960 RES=0x00 ACK SYN URGP=0
I've been trying to solve this, but I have really no idea what's wrong and how to fix this issue.
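As an added example, not part of the post above and not systemd code: a small parser for the two netfilter LOG lines quoted in the message. It splits out the bracketed inner header that the kernel appends to ICMP error packets and turns each line into a one-sentence description. Read that way, the first line is the host's own IP stack (IN=lo, SRC and DST both 192.168.10.100) reporting "host unreachable" for the SYN it tried to send to 192.168.10.10:80, while the second is a real SYN/ACK from apache arriving over br_lxc. That matches what FreeBind= (IP_FREEBIND) does: it only allows binding an address the host does not own; delivery still follows the routing table, so a host-originated SYN to 192.168.10.10 is routed out br_lxc, nobody answers the ARP while the container is down, and the kernel returns EHOSTUNREACH, which curl prints as "No route to host". The two log lines are copied from the post; the field layout is the kernel's LOG target format, the ICMP code names are from RFC 792/1812.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# The two kernel lines quoted in the post (netfilter LOG target output with
# the "*IPTABLES*" prefix the poster configured).
FAILED_CONNECT = (
    "Feb 03 02:20:30 morfikownia kernel: *IPTABLES*IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.10.100 "
    "DST=192.168.10.100 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=45138 PROTO=ICMP "
    "TYPE=3 CODE=1 [SRC=192.168.10.100 DST=192.168.10.10 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=16054 DF PROTO=TCP SPT=59539 DPT=80 WINDOW=29200 "
    "RES=0x00 SYN URGP=0 ]"
)
WORKING_CONNECT = (
    "Feb 03 02:22:46 morfikownia kernel: *IPTABLES*IN=br_lxc OUT= "
    "PHYSIN=vb-debian-tree MAC=ae:7f:0e:ec:9f:56:56:1b:d0:bc:c3:8c:08:00 "
    "SRC=192.168.10.10 DST=192.168.10.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=0 DF PROTO=TCP SPT=80 DPT=59568 WINDOW=28960 RES=0x00 ACK SYN URGP=0"
)

# ICMP type 3 (destination unreachable) codes, the subset seen in practice.
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed",
    9: "net administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


@dataclass
class Packet:
    fields: Dict[str, str]          # KEY=VALUE tokens
    flags: Set[str]                 # bare tokens such as DF, SYN, ACK
    inner: Optional["Packet"] = None  # header of the packet an ICMP error quotes


def _tokenize(text: str):
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, _, value = tok.partition("=")   # OUT= gives an empty value
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags


def parse_nflog(line: str) -> Packet:
    """Parse one LOG line; the optional [...] part is the quoted inner header."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line")
    body = line[start:]
    inner = None
    m = re.search(r"\[(.*?)\]", body)
    if m:
        inner = Packet(*_tokenize(m.group(1)))
        body = body[:m.start()] + body[m.end():]
    fields, flags = _tokenize(body)
    return Packet(fields, flags, inner)


def generated_locally(pkt: Packet) -> bool:
    """True when the host's own stack produced the packet (loopback, SRC==DST)."""
    f = pkt.fields
    return f.get("IN") == "lo" and f.get("SRC") == f.get("DST")


def explain(pkt: Packet) -> str:
    f = pkt.fields
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "3" and pkt.inner:
        code = int(f.get("CODE", "-1"))
        i = pkt.inner.fields
        syn = " [SYN]" if "SYN" in pkt.inner.flags else ""
        return (f"ICMP destination unreachable (code {code}: "
                f"{ICMP_UNREACH_CODES.get(code, 'unknown')}) generated by "
                f"{f.get('SRC')} on {f.get('IN') or '?'} for {i.get('PROTO')} "
                f"{i.get('SRC')}:{i.get('SPT')} -> {i.get('DST')}:{i.get('DPT')}{syn}")
    if f.get("PROTO") == "TCP":
        tcp_flags = "/".join(sorted(pkt.flags & {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}))
        where = f.get("IN") or f.get("OUT") or "?"
        if f.get("PHYSIN"):
            where += f" (physdev {f['PHYSIN']})"
        return (f"TCP {tcp_flags or 'no flags'} {f.get('SRC')}:{f.get('SPT')} -> "
                f"{f.get('DST')}:{f.get('DPT')} on {where}")
    return f"unclassified {f.get('PROTO')} packet"


if __name__ == "__main__":
    for line in (FAILED_CONNECT, WORKING_CONNECT):
        pkt = parse_nflog(line)
        print(("host-generated: " if generated_locally(pkt) else "forwarded: ") + explain(pkt))
```

The useful check this gives on a live box is the same one the poster could run: if the error packet is generated locally on lo while the listening socket is on the host, the SYN never reached that socket, so no amount of socket-unit tuning will start the container; the address the host tries to reach has to be one the host's routing table delivers locally.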
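A second added example, again not from the post and not systemd's own code: the receiving side of socket activation, i.e. what a daemon has to do with the LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES environment that systemd sets up for a service started from a .socket unit. The checks follow the contract documented in sd_listen_fds(3) and sd_listen_fds_with_names(3). The `first_fd` parameter and the in-process `simulate_activation()` harness are my additions so the handover can be exercised without systemd; real systemd always starts at fd 3. Whether your systemd-nspawn forwards inherited sockets to the container's PID 1 with this same protocol, and whether the service inside the container (here apache started through an LSB script) knows how to adopt them rather than binding its own port, is what to verify before expecting a host-side .socket unit to activate a workload inside the container.

```python
import os
import socket
from typing import Dict, List, Optional

SD_LISTEN_FDS_START = 3   # first passed fd, per sd_listen_fds(3)


def listen_fds(environ: Dict[str, str], pid: Optional[int] = None,
               first_fd: int = SD_LISTEN_FDS_START) -> List[int]:
    """Return the fds systemd passed to this process, or [] if none.

    Mirrors sd_listen_fds(3): LISTEN_PID must name our own pid, so a forked
    helper cannot mistake its parent's sockets for its own, and LISTEN_FDS
    gives the count, numbered consecutively from first_fd. (The C function
    also unsets the variables afterwards so children do not inherit them.)
    first_fd is a demo affordance only; systemd always uses 3.
    """
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    if count <= 0:
        return []
    return list(range(first_fd, first_fd + count))


def listen_fdnames(environ: Dict[str, str], fds: List[int]) -> List[str]:
    """Names from LISTEN_FDNAMES (colon separated), 'unknown' where missing."""
    raw = environ.get("LISTEN_FDNAMES", "")
    names = raw.split(":") if raw else []
    return (names + ["unknown"] * len(fds))[:len(fds)]


def adopt_listener(environ: Dict[str, str], fallback=("127.0.0.1", 0),
                   pid: Optional[int] = None,
                   first_fd: int = SD_LISTEN_FDS_START) -> socket.socket:
    """Use the first socket systemd passed; otherwise bind our own.

    The fallback is what lets one daemon run both socket-activated and
    stand-alone, the property a service inside the container needs."""
    fds = listen_fds(environ, pid, first_fd)
    if fds:
        return socket.socket(fileno=fds[0])   # family/type are read from the fd
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(fallback)
    srv.listen(5)
    return srv


def simulate_activation() -> dict:
    """Play systemd: create the listening socket here, then hand it to
    adopt_listener() through a constructed LISTEN_* environment and run one
    request over it. Loopback with port 0 keeps the demo offline-safe."""
    activator = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    activator.bind(("127.0.0.1", 0))
    activator.listen(5)
    fd = activator.detach()               # ownership moves to the "service"
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1",
           "LISTEN_FDNAMES": "http"}

    server = adopt_listener(env, first_fd=fd)
    names = listen_fdnames(env, listen_fds(env, first_fd=fd))

    client = socket.create_connection(server.getsockname())
    conn, _ = server.accept()
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    request = conn.recv(128)
    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    response = client.recv(128)
    for s in (conn, client, server):
        s.close()
    return {"names": names,
            "got_request": request.startswith(b"GET /"),
            "got_response": response.startswith(b"HTTP/1.0 200")}


if __name__ == "__main__":
    print(simulate_activation())
```

The point of the `LISTEN_PID` check is easy to miss: a socket unit's fds are inherited by every process the service forks, so without it a helper process could accept connections meant for the main daemon. The same reasoning is why the fds must be handed on explicitly, hop by hop, from the host's systemd to nspawn to the container's init to the final daemon; nothing about binding an address on the host makes a socket appear inside a network namespace it was not created in.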