[systemd-devel] Container, private network and socket activation

Lennart Poettering lennart at poettering.net
Tue Feb 3 13:06:04 PST 2015


On Tue, 03.02.15 20:45, Mikhail Morfikov (mmorfikov at gmail.com) wrote:

> > Also note that using socket activation for containers means that
> > systemd instance inside the container also needs to have configuration
> > for the socket, to pass it on to the service that ultimately shall
> > answer for it. Are you sure that apache2 has support for that, and
> > that you set it up?
> 
> Actually, I just want to start the container when someone else tries to
> connect to port 80 of the host, just using the container's IP
> address. So, for instance, my host has IP 192.168.1.150, the container
> has IP 192.168.10.10, and I want to type the second address in a web
> browser so the system in the container could boot and start apache.

Hmm, to implement something like this I think the best option would be
to set up the interface to later pass to the container first on the
host, then listen on the container's IP address on the host. When a
connection comes in the container would have to be started via socket
activation, and would then have to take over the container interface
(with --network-interface=), so that all further connections are
delivered directly to the container and the host is not involved
anymore. 

This way you'd still have two separate network namespaces, but the
interface would change namespace during activation of the container,
so that first the host owns it and processes it and then the
container.

Of course, either way you'd need socket activation support in your
Apache. And I don't think Apache provides that right now out of the
box...

Also note that there's a slight security risk here: the socket that is
used for activation is from the host's namespace. Using the old BSD
netdev ioctls like SIOCGIFCONF will reveal the host's network setup,
not the container's setup.

> Then I could browse the page that is hosted by the apache server inside
> of the container. I'm not sure if that's even possible, but apache
> inside of the container starts at boot automatically, so I think there's
> no need for setting anything in the container -- please correct me if
> I'm wrong.

Socket activation is something daemons need to support
explicitly. Many do these days, but I don't think Apache is one of
them.

Lennart

-- 
Lennart Poettering, Red Hat
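The scheme Lennart sketches above, written out as an added example that is not part of the thread or of the systemd project. The addresses come from the thread; the veth pair veth-web/host0, the container root /var/lib/machines/web, the unit names web-container.* and web.*, and the placeholder daemon behind the container-side service are assumptions made for illustration. Step 1 needs root and is not exercised by the self-test; steps 2 and 3 only write unit files into a directory.

```shell
#!/bin/sh
# Added example (not from the thread or the systemd project): the host owns the
# container's interface and address first, answers the first connection via a
# .socket unit, and the activated service hands the interface to the container
# with --network-interface=. Interface, directory and unit names below are
# assumptions; only the addresses come from the thread.
set -eu

CONTAINER_IP=192.168.10.10          # from the thread
HOST_IF=veth-web                    # assumption: host end of the veth pair
CONT_IF=host0                       # assumption: end moved into the container
MACHINE_DIR=/var/lib/machines/web   # assumption

# Step 1 (host, needs CAP_NET_ADMIN; not run by the self-test): create the
# interface the container will later own and park the container's address on
# it so the host can accept the first connection. Uplinking the peer end
# (bridge or routes) is site-specific and not shown.
setup_interface() {
    ip link add "$HOST_IF" type veth peer name "$CONT_IF"
    ip addr add "$CONTAINER_IP/24" dev "$CONT_IF"
    ip link set "$HOST_IF" up
    ip link set "$CONT_IF" up
}

# Step 2 (host): the .socket listens on the container's address; its .service
# boots the container and moves $CONT_IF into it. $1 = unit directory.
write_host_units() {
    cat >"$1/web-container.socket" <<EOF
[Unit]
Description=Hold the web container's port until the container takes over

[Socket]
ListenStream=$CONTAINER_IP:80
# Bind even while the address is not (yet, or any more) on a host interface.
FreeBind=yes

[Install]
WantedBy=sockets.target
EOF
    cat >"$1/web-container.service" <<EOF
[Unit]
Description=Socket-activated web container
Requires=web-container.socket
After=web-container.socket

[Service]
# nspawn passes the inherited listening socket on to the container's init.
# --network-interface= moves $CONT_IF into the container's network namespace;
# the container has to configure $CONTAINER_IP on it again afterwards.
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot \\
    --directory=$MACHINE_DIR \\
    --network-interface=$CONT_IF
KillMode=mixed
Delegate=yes
EOF
}

# Step 3 (container root): systemd inside the container matches the inherited
# fd to a .socket unit with the same address and hands it to the service. The
# daemon must support socket activation itself (per the thread, Apache does
# not); the ExecStart= below is a placeholder. $1 = unit directory.
write_container_units() {
    cat >"$1/web.socket" <<EOF
[Unit]
Description=Port 80 handed in from the host

[Socket]
ListenStream=$CONTAINER_IP:80

[Install]
WantedBy=sockets.target
EOF
    cat >"$1/web.service" <<EOF
[Unit]
Description=Socket-activated web server (placeholder daemon)

[Service]
# Placeholder: a daemon that honours LISTEN_FDS/LISTEN_PID and serves on fd 3
# instead of binding port 80 itself.
ExecStart=/usr/bin/socket-activated-httpd
# Caveat from the thread: this fd was created in the host's network namespace,
# so SIOCGIFCONF on it enumerates the host's interfaces, not the container's.
EOF
}

# Install everything when invoked as "install" (as root on the host).
if [ "${1:-}" = install ]; then
    setup_interface
    write_host_units /etc/systemd/system
    mkdir -p "$MACHINE_DIR/etc/systemd/system"
    write_container_units "$MACHINE_DIR/etc/systemd/system"
    systemctl daemon-reload
    systemctl enable --now web-container.socket
fi
```

Inside the container, web.socket still has to be enabled so that the container's systemd adopts the passed-in fd at boot; and because the socket was created on the host, anything the activated daemon learns from it with the old ioctls describes the host's interfaces, which is the leak Lennart points out.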

