[systemd-devel] socket-activated containers with domain sockets

Lennart Poettering lennart at poettering.net
Mon May 18 09:36:13 PDT 2015

On Sat, 16.05.15 16:01, Simon Peeters (peeters.simon at gmail.com) wrote:

> hej all.
> I have a kind off weird setup using socket-activated containers:
> nginx on the host listens on port 80 and has a 'proxy_pass
> http://unix:/run/http/$host;' directive.
> then I have webserver at .socket listening on 'ListenStream=/run/http/%I'
> which in turn activates a container.
> this works fine with the following 'nginx-container at .service'
> [Service]
> ExecStart=/usr/bin/systemd-nspawn --private-network
> --bind=/srv/%i:/srv/http -D /var/lib/machines/nginx_base -x -M
> "nginx_%i" /usr/bin/nginx -g 'daemon off;'
> [Install]
> Also=webserver@%i.socket
> Alias=webserver@%i.service
> witch runs a (patched) nginx as only binary in that container.
> now I want to run systemd in such a container to run both nginx and nodejs.
> the problem is, what should be in my 'nginx.socket' in order to pass
> on that first socket systemd gets, which is a UDS outside of the
> container?

The way how daemons usually recognize the AF_UNIX fds passed to them during
socket activation is that they stat() the paths of the sockets
that could match and then compare that with fstat() of the fd they
have. If inode and device match they assume its the same socket.

This of course makes things difficult in an nspawn container, if the
AF_UNIX socket is bound on the host, since you cannot stat() it by
path then. 

A possible fix is to use --bind= on the AF_UNIX socket node, and thus
make it available in the container. Then if the container runs stat()
on the node, and comapres it with the fstat() of the fd it got, all
should be good.


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list