[systemd-devel] Fedora 21 and systemd-nspawn

Keller, Jacob E jacob.e.keller at intel.com
Tue Jul 14 11:40:31 PDT 2015


On Mon, 2015-06-15 at 21:15 -0400, Chris Morgan wrote:
> On Monday, June 15, 2015, Lennart Poettering <lennart at poettering.net> 
> wrote:
> > On Mon, 15.06.15 13:22, Matthew Karas (mkarascybi at gmail.com) wrote:
> > 
> > > Yes - that seems to have let me set the password.  Now I can get
> > > started learning about this.
> > >
> > > Thanks a lot!
> > >
> > > Though it does return an error about selinux when I start the shell to
> > > set the password
> > >
> > > $ sudo systemd-nspawn -bD /srv/srv1
> > > Spawning container srv1 on /srv/srv1.
> > > Press ^] three times within 1s to kill container.
> > > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> > > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> > 
> > Hmm, weird. Is /srv/srv1 read-only or so?
> > 
> > Lennart
> > 
> > --
> > Lennart Poettering, Red Hat
> > 
> 
> On a somewhat related topic, are many people making use of nspawn 
> containers in production or test environments? I was a little 
> surprised by the issues I had when trying them out with f21. f22 
> seems smoother but still required the audit=0 and I think I had to 
> disable selinux to set the password but I was trying for a while with 
> a blank password so...
> 
> But yeah, was wondering if there were known users of nspawn 
> containers that discussed their use cases.
> 
> Chris

I am using it to host instances of webservers. It's much easier and
more intuitive than using docker. I haven't tried rkt, but that appears
to use nspawn as the back end anyways.

Docker expects you to create separate "containers" for each
application, and expects to expose the network in a certain specific way.
nspawn was able to simulate virtual machines, i.e. full user space
systems. With docker I had a lot of trouble trying to get it set up,
started and configured.

With nspawn, I just install the packages, run it as nspawn and away I
go. Since I'm just using it to provision network devices via macvlans
and separating processes, I did not worry about the security.
Basically, I assumed that since I controlled all the container
applications anyways, it should be fine.

So far it's worked out great. Far better than trying to manage
something as complex as docker, and it worked much more intuitively
with how virtual machines have worked in the past.

Regards,
Jake
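Lennart's question above ("Is /srv/srv1 read-only or so?") can be answered before the container is launched. The following is an added example, not code from this thread or from systemd: a POSIX sh check that finds the mount covering a container root in a /proc/self/mounts-style table and reports whether it is mounted ro, which is the condition behind the "Read-only file system" error quoted above. The sample mount table and the nspawn_preflight helper are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format (device, mount point, fstype,
# options, dump, pass). On a real host use the contents of /proc/self/mounts.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv ext4 ro,relatime 0 0
tmpfs /srv/srv1/run tmpfs rw,nosuid 0 0'

# mount_options MOUNTS PATH: print the options of the deepest mount whose
# mount point contains PATH (longest-prefix match; "/" matches everything).
# Note: /proc/self/mounts escapes spaces in paths as \040; not handled here.
mount_options() {
    target="$2"; best=""; best_opts=""
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        case "$target" in
            "$mnt"|"$mnt"/*) ;;                 # mount point is a prefix of PATH
            *) [ "$mnt" = "/" ] || continue ;;  # root mount covers any path
        esac
        # keep the longest matching mount point (the most specific mount)
        if [ "${#mnt}" -ge "${#best}" ]; then best="$mnt"; best_opts="$opts"; fi
    done <<EOF
$1
EOF
    printf '%s\n' "$best_opts"
}

# is_readonly MOUNTS PATH: exit 0 if the covering mount carries the "ro" flag
is_readonly() {
    opts=$(mount_options "$1" "$2")
    case ",$opts," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# nspawn_preflight DIR: hypothetical helper; run the same check on the live
# system before "systemd-nspawn -bD DIR", and report the SELinux mode if
# getenforce is available. Creating DIR/sys/fs/selinux needs a writable DIR.
nspawn_preflight() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    if is_readonly "$(cat /proc/self/mounts)" "$dir"; then
        echo "$dir: covering mount is read-only; mkdir under it will fail"
        return 1
    fi
    command -v getenforce >/dev/null 2>&1 && echo "SELinux mode: $(getenforce)"
    echo "$dir: writable"
}
```

Run `nspawn_preflight /srv/srv1` (after `readlink -f` if the root is a symlink) to see whether the read-only mount, rather than SELinux itself, is what the error reports.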

