[systemd-devel] Container, private network and socket activation

Mikhail Morfikov mmorfikov at gmail.com
Wed Feb 4 15:50:31 PST 2015


> That indicates that the systemd or apache inside the container do not
> correctly make use of the socket passed into them. You need to
> make sure that inside the container you have pretty much the same
> .socket unit running as on the host. The ListenStream lines must be
> identical, so that systemd inside the container recognizes the sockets
> passed in from the host as the ones to use for apache. The only
> difference for the socket units is that on the host they should
> activate the container, in the container they should activate apache.
> ...
> Well, because the socket wasn't passed on right the connection on it
> will still be queued after the container exits again. systemd will
> thus immediately spawn the container again.
> 
> Basically, if you fix your issue #1, your issue #3 will be magically
> fixed too.

Now I understand the mechanism, at least I think so.

Unfortunately I have apache 2.4.x. I tried to apply the patches
Christian Seiler mentioned, but I was unable to build the package. I
think I have to wait a little bit longer in order to make it work.

Anyway, I tried to reproduce the ssh example (it can be found here:
http://0pointer.net/blog/projects/socket-activated-containers.html)
just for testing purposes, and I don't experience the rebooting issue
anymore, but there's another thing:

morfik:~$ ssh -p 23 192.168.10.10
^C
morfik:~$ ssh -p 23 192.168.10.10
ssh: connect to host 192.168.10.10 port 23: Connection refused

The container started when I had tried to connect for the first
time, but I couldn't connect to this port after that, and I have no
idea why. I tried to figure out what went wrong, but I failed.

# machinectl status debian-tree -l --no-pager
debian-tree
           Since: Thu 2015-02-05 00:21:41 CET; 1min 16s ago
          Leader: 103953 (systemd)
         Service: nspawn; class container
            Root: /media/Kabi/debian-tree
         Address: 192.168.10.10
                  fe80::1474:8dff:fe79:6b44
              OS: Debian GNU/Linux 8 (jessie)
            Unit: machine-debian\x2dtree.scope
                  ├─103953 /lib/systemd/systemd 3
                  └─system.slice
                    ├─dbus.service
                    │ └─104069 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
                    ├─cron.service
                    │ └─104043 /usr/sbin/cron -f
                    ├─apache2.service
                    │ ├─104481 /usr/sbin/apache2 -k start
                    │ ├─104485 /usr/sbin/apache2 -k start
                    │ ├─104511 /usr/sbin/apache2 -k start
                    │ ├─104512 /usr/sbin/apache2 -k start
                    │ ├─104513 /usr/sbin/apache2 -k start
                    │ ├─104515 /usr/sbin/apache2 -k start
                    │ └─104516 /usr/sbin/apache2 -k start
                    ├─system-sshd.slice
                    │ └─sshd@0-192.168.10.10:23-192.168.10.10:51767.service
                    │   ├─104041 sshd: [accepted]
                    │   └─104042 sshd: [net]
                    ├─systemd-journald.service
                    │ └─103975 /lib/systemd/systemd-journald
                    ├─systemd-logind.service
                    │ └─104046 /lib/systemd/systemd-logind
                    ├─mysql.service
                    │ ├─104090 /bin/sh /usr/bin/mysqld_safe
                    │ └─104453 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=4444
                    ├─console-getty.service
                    │ └─104208 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
                    └─rsyslog.service
                      └─104088 /usr/sbin/rsyslogd -n

Then I logged into the container:

root:~# machinectl login debian-tree
...
root@www:/home/morfik# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.10:4444      0.0.0.0:*               LISTEN      483/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      511/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1/systemd
tcp6       0      0 :::443                  :::*                    LISTEN      511/apache2

Nothing listens on port 23. Why?

Still inside of the container:

root@www:/home/morfik# tree /etc/systemd/system
/etc/systemd/system
|-- getty.target.wants
|   `-- getty@tty1.service -> /lib/systemd/system/getty@.service
|-- multi-user.target.wants
|   |-- cron.service -> /lib/systemd/system/cron.service
|   |-- remote-fs.target -> /lib/systemd/system/remote-fs.target
|   `-- rsyslog.service -> /lib/systemd/system/rsyslog.service
|-- sockets.target.wants
|   |-- ssh.socket -> /lib/systemd/system/ssh.socket
|   `-- sshd.socket -> /etc/systemd/system/sshd.socket
|-- sshd.socket
|-- sshd@.service
`-- syslog.service -> /lib/systemd/system/rsyslog.service

3 directories, 9 files

root@www:/home/morfik# cat /etc/systemd/system/sshd.socket
[Unit]
Description=SSH Socket for Per-Connection Servers

[Socket]
ListenStream=192.168.10.10:23
Accept=yes

[Install]
WantedBy=sockets.target

root@www:/home/morfik# cat /etc/systemd/system/sshd@.service
[Unit]
Description=SSH Per-Connection Server for %I

[Service]
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket

root@www:/home/morfik# systemctl status sshd.socket
● sshd.socket - SSH Socket for Per-Connection Servers
   Loaded: loaded (/etc/systemd/system/sshd.socket; enabled)
   Active: active (listening) since Wed 2015-02-04 23:21:41 UTC; 9min ago
   Listen: 192.168.10.10:23 (Stream)
 Accepted: 1; Connected: 0

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

So it accepted one connection, started the container, and
something went wrong, even though it says that everything is ok.
I don't know why the journal warning shows up; it always appears
after starting the container.

Anyway, I tried to restart it:

root@www:/home/morfik# systemctl restart sshd.socket
root@www:/home/morfik# systemctl status sshd.socket
● sshd.socket - SSH Socket for Per-Connection Servers
   Loaded: loaded (/etc/systemd/system/sshd.socket; enabled)
   Active: active (listening) since Wed 2015-02-04 23:32:36 UTC; 1s ago
   Listen: 192.168.10.10:23 (Stream)
 Accepted: 1; Connected: 0

Feb 04 23:32:36 www systemd[1]: Stopping SSH Socket for Per-Connection Servers.
Feb 04 23:32:36 www systemd[1]: Starting SSH Socket for Per-Connection Servers.
Feb 04 23:32:36 www systemd[1]: Listening on SSH Socket for Per-Connection Servers.

and:

root@www:/home/morfik# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.10:23        0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.10.10:4444      0.0.0.0:*               LISTEN      483/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      511/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1/systemd
tcp6       0      0 :::443                  :::*                    LISTEN      511/apache2

So now it works, and I can connect via ssh -p 23 192.168.10.10 from the host,
and after doing so:

root@www:/home/morfik# systemctl status sshd.socket
● sshd.socket - SSH Socket for Per-Connection Servers
   Loaded: loaded (/etc/systemd/system/sshd.socket; enabled)
   Active: active (listening) since Wed 2015-02-04 23:32:36 UTC; 1min 52s ago
   Listen: 192.168.10.10:23 (Stream)
 Accepted: 2; Connected: 1

Feb 04 23:32:36 www systemd[1]: Stopping SSH Socket for Per-Connection Servers.
Feb 04 23:32:36 www systemd[1]: Starting SSH Socket for Per-Connection Servers.
Feb 04 23:32:36 www systemd[1]: Listening on SSH Socket for Per-Connection Servers.

The socket is linked, but apparently it doesn't start at boot. Any idea?
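The host/container socket pair that the quoted reply describes, written out as an added example (not part of the original post, and not systemd's own code). The container-side sshd.socket and sshd@.service are the ones shown in the post and the address 192.168.10.10:23 and container root /media/Kabi/debian-tree are the poster's; the host-side unit contents, the nspawn flags, all file names and the check_pair function are assumptions. The check only reads the unit files, so it runs without systemd: it flags a ListenStream= that differs between the two sides (the container's systemd would then not recognise the passed fd as belonging to its socket unit) and a host socket that carries Accept=yes (the host's systemd would then accept() each connection itself and pass only the connected socket into the container, never the listening one).

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from systemd itself.
# Writes a host/container socket-unit pair for a socket-activated
# systemd-nspawn container and checks the pair for the two mistakes that
# break the hand-over of the listening socket. Host-side unit contents,
# nspawn flags and file names are assumptions; the container-side units
# are copied from the post.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Host side (assumed). No Accept=yes here: the listening socket itself must
# be passed into the container so that its own systemd can accept on it.
cat > "$WORK/debian-tree.socket" <<'EOF'
[Unit]
Description=Socket for the debian-tree container

[Socket]
ListenStream=192.168.10.10:23

[Install]
WantedBy=sockets.target
EOF

# Host side (assumed): the service the socket activates. The trailing "3"
# is handed to the container's init, matching the "/lib/systemd/systemd 3"
# leader process in the poster's machinectl output.
cat > "$WORK/debian-tree.service" <<'EOF'
[Unit]
Description=debian-tree container

[Service]
ExecStart=/usr/bin/systemd-nspawn -bD /media/Kabi/debian-tree 3
KillMode=process
EOF

# Container side, as posted: same ListenStream=, but Accept=yes so that the
# container's systemd spawns one "sshd -i" per connection.
cat > "$WORK/sshd.socket" <<'EOF'
[Unit]
Description=SSH Socket for Per-Connection Servers

[Socket]
ListenStream=192.168.10.10:23
Accept=yes

[Install]
WantedBy=sockets.target
EOF

# Constructed bad host units for the check: the container unit copied
# verbatim onto the host (Accept=yes), and a host unit bound elsewhere.
cat > "$WORK/copied-verbatim.socket" <<'EOF'
[Socket]
ListenStream=192.168.10.10:23
Accept=yes
EOF
cat > "$WORK/wrong-address.socket" <<'EOF'
[Socket]
ListenStream=0.0.0.0:23
EOF

# listen_addrs FILE: the unit's ListenStream= values, sorted, one per line.
listen_addrs() {
    sed -n 's/^[[:space:]]*ListenStream=[[:space:]]*//p' "$1" | sort
}

# has_accept FILE: exit 0 if the unit enables Accept= (systemd boolean forms).
has_accept() {
    grep -Eiq '^[[:space:]]*Accept=[[:space:]]*(yes|true|on|1)[[:space:]]*$' "$1"
}

# check_pair HOST.socket CONTAINER.socket: exit 0 when the listening socket
# would be handed over and matched correctly, 1 (reason on stderr) otherwise.
check_pair() {
    if [ "$(listen_addrs "$1")" != "$(listen_addrs "$2")" ]; then
        echo "ListenStream differs: host [$(listen_addrs "$1" | tr '\n' ' ')] container [$(listen_addrs "$2" | tr '\n' ' ')]" >&2
        return 1
    fi
    if has_accept "$1"; then
        echo "host unit sets Accept=yes: only a connected socket would be passed into the container" >&2
        return 1
    fi
    return 0
}

for host in debian-tree copied-verbatim wrong-address; do
    if check_pair "$WORK/$host.socket" "$WORK/sshd.socket"; then
        echo "$host.socket + sshd.socket: OK"
    else
        echo "$host.socket + sshd.socket: MISMATCH"
    fi
done
```

On a live system the equivalent runtime checks are the ones already visible in the post: on the host, the socket unit's status should show it listening on 192.168.10.10:23, and inside the container after activation the port should appear in the LISTEN state owned by PID 1 (systemd), as in the netstat output after the restart, not only in the unit's "active (listening)" status line.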