[systemd-devel] Container, private network and socket activation

Lennart Poettering lennart at poettering.net
Wed Feb 11 11:58:05 PST 2015


On Thu, 05.02.15 00:50, Mikhail Morfikov (mmorfikov at gmail.com) wrote:

> > That indicates that the systemd or apache inside the container do not
> > correctly make use of the socket passed into them. You need to
> > make sure that inside the container you have pretty much the same
> > .socket unit running as on the host. The ListenStream lines must be
> > identical, so that systemd inside the container recognizes the sockets
> > passed in from the host as the ones to use for apache. The only
> > difference for the socket units is that on the host they should
> > activate the container, in the container they should activate apache.
> > ...
> > Well, because the socket wasn't passed on right the connection on it
> > will still be queued after the container exits again. systemd will
> > thus immediately spawn the container again. 
> > 
> > Basically, if you fix your issue #1, your issue #3 will be magically
> > fixed too.
> 
> Now I understand the mechanism, at least I think so.
> 
> Unfortunately I have apache 2.4.x. I tried to apply the patches
> Christian Seiler mentioned, but I was unable to build the package. I
> think I have to wait a little bit longer in order to make it work.
> 
> Anyway, I tried to reproduce the ssh example (it can be found here:
> http://0pointer.net/blog/projects/socket-activated-containers.html)
> just for testing purposes, and I don't experience the rebooting issue
> anymore, but there's another thing:
> 
> morfik:~$ ssh -p 23 192.168.10.10
> ^C
> morfik:~$ ssh -p 23 192.168.10.10
> ssh: connect to host 192.168.10.10 port 23: Connection refused

So I figure this is what happens:

The host listens on 192.168.10.10:23. On the first connection it
spawns the container, passes the fd in. The systemd in the container
gets the fd, figures out it matches to ssh.socket, assigns it to
it. It then never does anything anymore on it. This means, the only
socket the container is listening on is the one from the host, but
that one will never receive any connections anymore, since the host
doesn't have the iface anymore...

So, to fix this, the container needs to listen on two sockets, that
look very very similar. Both are bound to 192.168.10.10:23, except
that one actually is the one from the host's namespace, the other from
the container namespace.

I never played around with this, but I think all you need to do to
make this work is duplicate the ListenStream= line in your .socket
unit. That way the fd passed in will be matched to the first of the
two lines, and the second line will cause a new fd from the
container's namespace to be bound.

Ugly? Absolutely! But should work...

Lennart

-- 
Lennart Poettering, Red Hat
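Editor's note: the unit files below are an added example written to spell out the arrangement described in the reply above; they are not from the thread, from the poster's setup, or from the blog post it references. The host side has a .socket unit that activates the container; the container side has a .socket unit with the same ListenStream= line twice, so that the fd passed in by the host matches the first line and the second line makes systemd inside the container bind a fresh socket in the container's own network namespace. The address 192.168.10.10 and port 23 are taken from the thread; the unit names, the container path /srv/mycontainer, the interface name eth1 and the way the interface is handed to the container (--network-interface=) are assumptions made for illustration and must be adapted to the actual setup.

```ini
# ---- On the host ----

# /etc/systemd/system/mycontainer.socket
# Listens in the host's network namespace; the first connection activates
# the container. Only this unit is enabled on the host, not the service.
[Unit]
Description=Socket that activates the container on first connection

[Socket]
# Must be byte-for-byte the same as the first ListenStream= line inside
# the container, otherwise the container's systemd will not match the fd.
ListenStream=192.168.10.10:23
Accept=no

[Install]
WantedBy=sockets.target

# /etc/systemd/system/mycontainer.service
[Unit]
Description=Container started on demand by mycontainer.socket

[Service]
# Assumed invocation: boot the container (-b), link the journal (-j),
# move the assumed interface eth1 into the container, and pass "3" to the
# container's init so it boots into multi-user mode. The listening fd is
# handed through to the container's systemd by systemd-nspawn.
ExecStart=/usr/bin/systemd-nspawn -j -b -D /srv/mycontainer --network-interface=eth1 3
KillMode=process

# ---- Inside the container ----

# /etc/systemd/system/sshd.socket
[Unit]
Description=SSH socket (host-passed fd plus a namespace-local duplicate)

[Socket]
# First line: identical to the host unit, so the fd passed in from the host
# is matched to it. That fd belongs to the host's namespace and will never
# see another connection once eth1 has been moved into the container.
ListenStream=192.168.10.10:23
# Second line, the duplicate the reply suggests: no fd is passed for it, so
# systemd in the container binds a new socket in the container's own
# namespace. This is the listener that keeps accepting connections.
ListenStream=192.168.10.10:23
# One sshd instance per connection, see sshd@.service below.
Accept=yes

[Install]
WantedBy=sockets.target

# /etc/systemd/system/sshd@.service
[Unit]
Description=Per-connection SSH server

[Service]
# sshd -i serves exactly one connection on its standard input.
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket
```

To check that the duplication did what the reply predicts, run `ss -ltnp` inside the booted container: there should be two LISTEN entries on 192.168.10.10:23, both held by the container's systemd (PID 1). If only the passed-in fd shows up, the second line was not bound and the symptom from the thread returns (the second `ssh -p 23 192.168.10.10` is refused); if none shows up, the fd was not matched at all and, as explained earlier in the thread, the still-queued connection on the host side makes the host restart the container as soon as it exits.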

