systemd and Containers
Atmosphere, Kraków
May 2016
Atmosphere 2016 - Lennart Poettering - systemd and Containers
systemd, as a core component of most of today's Linux distributions, comes with built-in support for containers. It may host containers, it may run inside of containers, it integrates well with containers, and it even comes with its own minimal container manager, systemd-nspawn.

In this talk we'll discuss the various integration points systemd provides, and how the various facilities in systemd relate to the more well-known container projects like rkt, LXC or Docker.
Slides 2-4: Overview
  - systemd on the host
  - systemd in the container
  - systemd(-nspawn) as the container manager

Slides 5-10: systemd on the host
  - systemd-machined + machinectl
  - machinectl terminate, machinectl shell, machinectl login, ...
  - journalctl -M, systemctl -M, loginctl -M, systemd-run -M, ...
  - nss-myhostname (sic; name resolution for containers registered with machined is provided by nss-mymachines, nss-myhostname resolves the local host name)
  - Works for any container manager that registers with it

Slides 11-16: systemd in the container
  - Should just work, many integration points under the hood:
    - Provision machine UUID
    - Start a login prompt
    - Socket activation
    - Configure network automatically (systemd-networkd)

Slides 17-22: systemd(-nspawn) as the container manager
  - a minimal container manager is built in
  - machinectl start, machinectl enable, ...
  - Focus 1: OS containers, i.e. containers that carry a full OS inside, including an init system
  - Focus 2: basic building block for other systems
  - See: rkt

Slides 23-27: Basic mode of operation
  - Place an OS tree in /var/lib/machines/foo
  - Test it with systemd-nspawn -M foo
  - Enable it permanently: machinectl enable foo
  - Start it now: machinectl start foo

Slides 28-30: Basic concept: "Full OS containers as a system service"
  - Container foo is running as the system service systemd-nspawn@foo.service
  - Usual service management commands are supported

Slides 31-34: Acquiring the initial images
  - machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/.../Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
  - systemd-nspawn -M Fedora-Cloud-Base-20141203-21
  - (Implemented via systemd-importd)
  Caveat: --verify=no switches off checksum and signature verification of the downloaded image. machinectl's default, --verify=signature, checks the image against the SHA256SUMS file next to it and checks the GPG signature on that file; since the image here is fetched over plain HTTP, an unverified pull accepts whatever the mirror or anyone on the path serves.

Slides 35-41: Image management
  - machinectl list-images, machinectl clone, machinectl remove, machinectl rename, machinectl read-only, machinectl set-limit

Slides 42-44: Container configuration
  - On the command line
  - Or in .nspawn files

Slide 45: Example 1:
  systemd-nspawn -M Fedora-Cloud-Base-20141203-21 --bind=/srv/foobar --port=80

Slide 46: Example 2: /etc/systemd/nspawn/Fedora-Cloud-Base-20141203-21.nspawn:
  [Files]
  Bind=/srv/foobar
  [Network]
  Port=80

Slides 47-51: Copying files in and out of a container
  - machinectl copy-to foo ...
  - machinectl copy-from foo ...
  - Also, bind mounting directories: machinectl bind foo /srv/waldo

Slides 52-59: Networking Options
  - MACVLAN, IPVLAN, veth, bridge, zone ...
  - Port exposure
  - Automatic networkd handling with default configuration: in the container, and on the host

Slides 60-65: Storage Options
  - bind mounts, read-only bind mounts, tmpfs mounts, overlayfs mounts, ephemeral snapshots ...

Slides 66-69: Image formats
  - simply directories, btrfs subvolumes, raw disk images
Slides 70-73: Security Options
  - capabilities, SELinux contexts, user namespacing
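The following is an added example, not code from the talk or from the systemd project. It ties the .nspawn file of Example 2 (slide 46) to the security options listed above: write_hardened_nspawn() writes a .nspawn file that keeps the slide's bind mount and port forward but makes the bind read-only, turns on user namespacing, drops a few capabilities and gives the container its own network namespace; audit_nspawn() then reads any .nspawn file and reports settings a reviewer would question (extra capabilities, writable binds of sensitive host paths, no PrivateUsers=, no network isolation). Key names are from systemd.nspawn(5); the function names, the particular capabilities dropped or flagged and the list of sensitive host paths are this example's own choices. SELinux contexts are not covered because they are set with the --selinux-context= and --selinux-apifs-context= command-line options rather than in the .nspawn file. PrivateUsers=pick and PrivateUsersChown= need systemd 230 or newer.

```shell
#!/bin/sh
# Added example, not from the talk or from systemd. Writes a hardened .nspawn
# file and audits existing .nspawn files. Key names follow systemd.nspawn(5);
# the dropped capabilities, flagged extra capabilities and flagged host paths
# are this example's own policy choices. Needs systemd >= 230 for PrivateUsers=pick.

# write_hardened_nspawn NAME DIR
# Writes DIR/NAME.nspawn. DIR is normally /etc/systemd/nspawn; any directory
# works for testing. [Files]/[Network] mirror the slide's Example 2.
write_hardened_nspawn() {
    cat > "$2/$1.nspawn" <<'EOF'
[Exec]
Boot=yes
# Map the container's UIDs to an unused host range: container root is not host root.
PrivateUsers=pick
# CAP_SYS_ADMIN stays, the container's own systemd needs it to mount its API
# filesystems; these three are rarely needed by a full-OS container.
DropCapability=CAP_SYS_PTRACE CAP_NET_RAW CAP_MKNOD

[Files]
# Re-own the OS tree to the picked UID range on first boot.
PrivateUsersChown=yes
# The slide's Bind=/srv/foobar, made read-only.
BindReadOnly=/srv/foobar
TemporaryFileSystem=/var/tmp

[Network]
# Own network namespace with a veth pair; Port= forwards host port 80 into it.
VirtualEthernet=yes
Port=80
EOF
}

# audit_nspawn FILE
# Prints one line per finding, nothing for a clean file. Always returns 0 so it
# can run inside a loop; count the output lines to get a verdict.
audit_nspawn() {
    awk '
    function truthy(v) { return v == "yes" || v == "true" || v == "on" || v == "1" }
    BEGIN { sec = ""; userns = 0; netiso = 0 }
    /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }
    /^[ \t]*([#;]|$)/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        # Capability= adds to the default set; these three reach the kernel or raw hardware.
        if (sec == "[Exec]" && key == "Capability") {
            n = split(val, caps, " ")
            for (i = 1; i <= n; i++)
                if (caps[i] == "CAP_SYS_MODULE" || caps[i] == "CAP_SYS_RAWIO" || caps[i] == "CAP_SYS_TIME")
                    printf "%s: [Exec] Capability= adds %s on top of the default set\n", FILENAME, caps[i]
        }
        if (sec == "[Exec]" && key == "PrivateUsers" && val != "" && val != "no" && val != "false" && val != "off" && val != "0")
            userns = 1
        # Bind= is writable; the host path is everything before the first colon.
        if (sec == "[Files]" && key == "Bind") {
            host = val; sub(/:.*/, "", host)
            if (host == "/" || host ~ "^/(etc|root|dev|proc|sys|var/lib/machines)(/|$)")
                printf "%s: [Files] Bind= gives the container write access to host %s\n", FILENAME, host
        }
        # Any of these keys puts the container into its own network namespace.
        if (sec == "[Network]") {
            if ((key == "Private" || key == "VirtualEthernet") && truthy(val)) netiso = 1
            if ((key == "Interface" || key == "MACVLAN" || key == "IPVLAN" || key == "Bridge" || key == "Zone") && val != "") netiso = 1
        }
    }
    END {
        if (!userns) printf "%s: [Exec] PrivateUsers= unset; container uid 0 is host uid 0\n", FILENAME
        if (!netiso) printf "%s: [Network] no Private=/VirtualEthernet=/MACVLAN=/... key; container shares the host network namespace\n", FILENAME
    }' "$1"
    return 0
}

# audit_nspawn_dir [DIR]
# Audits every .nspawn file in DIR (default /etc/systemd/nspawn).
audit_nspawn_dir() {
    for f in "${1:-/etc/systemd/nspawn}"/*.nspawn; do
        [ -e "$f" ] && audit_nspawn "$f"
    done
    return 0
}
```

Run write_hardened_nspawn foo /etc/systemd/nspawn as root and machinectl start foo picks the file up (the file name must match the machine name); audit_nspawn_dir with no argument walks /etc/systemd/nspawn. The audit is a line-oriented approximation on purpose: it only sees the .nspawn file, not flags added to systemd-nspawn@.service through a drop-in, so review those separately with systemctl cat systemd-nspawn@foo.service.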
Slide 74: And don't forget: nspawn containers are normal system services, hence regular resource management is supported:
  systemctl set-property systemd-nspawn@foobar.service MemoryLimit=3G

Slide 75: That's all, folks!