Gábor Nyers, profile picture
Uploaded byGábor Nyers
PDF, PPTX5,617 views

Containers with systemd-nspawn

The document discusses systemd-nspawn, a container management tool that serves as a more advanced version of chroot, allowing for efficient management and testing of Linux containers. It covers practical examples of creating application and bootable OS containers, networking configurations, and systemd's role in process management and service control. There are also mentions of its adoption in various Linux distributions and comparisons with other container technologies like Docker.

Embed presentation

Download as PDF, PPTX
Containers with systemd-nspawn Gábor Nyers Consultant & Trainer @Trebut gnyers@trebut.com @gabornyers
Agenda ● An example systemd-nspawn container ● What is systemd-nspawn and systemd ● Related Concept: Kernel CGroups ● Bootable containters ● Containers as Service ● Advanced topic: Socket Activation
3 An example systemd-nspawn container
4 A Simple Application Container • Start up container • List of processes • Try to install package ‣ Limited footprint and exposure! • On host OS: list kernel control groups: # systemd-nspawn -jD /srv/containers/opensuse132/ -M opensuse132c0 /bin/bash # opensuse132c0:~ # ps -ef UID PID PPID C STIME TTY TIME CMD root 1 0 0 04:16 ? 00:00:00 -bash root 43 1 0 04:18 ? 00:00:00 ps -ef # opensuse132c0:~ # zypper install wget -bash: zypper: command not found # # machinectl MACHINE CONTAINER SERVICE opensuse132c0 container nspawn 1 machines listed. physnode1:~ # # systemd-cgls ├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21 ├─machine.slice │ └─machine-opensuse132c0.scope │ └─18329 -bash […] # ps -ef -o pid,ppid,machine,cmd
5 Create application container • Bootstrap directory • Install a few packages # zypper --root /srv/containers/opensuse132/ addrepo http://download.opensuse.org/distribution/13.2/repo/oss/ repo-oss # zypper --root /srv/containers/opensuse132/ addrepo http://download.opensuse.org/distribution/13.2/repo/non-oss/ repo-non-oss # zypper --root /srv/containers/opensuse132/ install openSUSE-release-13.2 install bash procps coreutils vim
6 systemd-nspawn • What is systemd? • What is systemd-nspawn? • Adoption
7 What is systemd? 1/3 • a system- and session manager for Linux, • provides aggressive parallelization capabilities, (no shell during boot!) • uses socket and D-Bus activation for starting services, • offers on-demand starting of services, • keeps track of processes using Linux cgroups,
8 What is systemd? 2/3 • supports restoring the system's state to a predefined state, • maintains mount and auto-mount points, • provides dependency based service control logic, • provides replacement for a nr. of well-known tools, e.g.: udev, automount, inetd, consolekit and syslog, • a drop-in replacement for sysvinit
9 What is systemd? 3/3 There is a lot of criticism and opinions as well... • “It's not the UNIX way” referring to the “do one thing and do it well” maxim • “It's monolithic” • “It introduces too many dependencies” • (and worse) ... but we won't be addressing these today :-)
10 An aside: People and Innovation... “If I had asked people what they wanted, they would have said faster horses” Henry Ford
11 What is systemd-nspawn? • “chroot on steroids...” • Invented for debug and test of systemd development • Turns out to be a great container manager • systemd-nspawn vs. docker ‣ Management container vs. container+images ‣ Inherited networking vs. Need to set up networking
12 systemd adoption Distribution Added to repositories Enabled by default? Released as default SUSE Linux Enterprise v12 Yes Yes openSUSE v11.4 Yes v12.2 (2012) Fedora v15 (2011) Yes v15 (2011) Red Hat Linux Enterprise v7 (2014) Yes v7 (2014) Debian in 2012 Yes v8 (2015) Arch Linux in 2012 Yes 2012 Ubuntu v13.04 (2013) Yes v15.04 (2015) see also: http://en.wikipedia.org/wiki/Systemd#Adoption_and_reception
13 Related Concept • Kernel cgroups (independent of systemd)
14 Kernel Cgroups (Control Groups) • Linux Kernel facility allowing the grouping of processes (and their “children”) into a tree-structure hierarchy • Each group can be assigned a quota for these system resources: ‣ CPU ‣ RAM ‣ Disk I/O ‣ Network I/O Control groups hierarchy created by systemd ├─machine.slice │ └─machine-qemux2dsles1201.scope │ └─20958 /usr/bin/qemu-system-x86_64 -m... ├─user.slice │ ├─user-0.slice │ │ └─user@0.service │ │ ├─4322 /usr/lib/systemd/systemd --us... │ │ └─4323 (sd-pam) │ ├─user-1000.slice │ │ ├─session-560.scope │ │ │ ├─ 2810 /usr/bin/claws-mail │ │ │ ├─ 3035 /usr/lib64/firefox/firefox │ │ │ ├─ 3086 /usr/lib/mozilla/kmozillahel... │ │ │ ├─ 5459 /bin/bash │ │ │ ├─ 7854 /usr/bin/kwalletmanager --kw... │ │ ├─session-1.scope │ │ │ ├─4179 /bin/bash ./bridge start │ │ │ └─4182 dnsmasq --conf-file=mydnsmasq... │ │ └─user@1000.service │ │ ├─1891 /usr/lib/systemd/systemd --us... │ │ └─1892 (sd-pam) │ └─user-489.slice │ └─user@489.service │ ├─1703 /usr/lib/systemd/systemd --us... │ └─1704 (sd-pam) └─system.slice ├─libvirtd.service │ └─4008 /usr/sbin/libvirtd --listen ├─rsyslog.service │ └─985 /usr/sbin/rsyslogd -n ├─apache2.service │ ├─1254 /usr/sbin/httpd2-prefork -f /et... │ └─1840 /usr/sbin/httpd2-prefork -f /et...
15 Bootable containers
16 Bootable OS container [1/4] Bootstrap • Host properties • Install YUM • Bootstrap RPM DB • Install CentOS 7 release package • Install a few package and their dependencies # hostnamectl Static hostname: physnode1.trebut.com Icon name: computer-laptop Chassis: laptop Machine ID: b4ea4eb15ab7c29b6cc20a47544e5eb7 Boot ID: 3c4e7b5067d247939b89d7e7b57c1132 Operating System: openSUSE 13.2 (Harlequin) (x86_64) CPE OS Name: cpe:/o:opensuse:opensuse:13.2 Kernel: Linux 3.16.7-7-desktop Architecture: x86-64 # zypper install yum # rpm --root /srv/containers/centos/ --initdb # rpm --root /srv/containers/centos/ -ihv http://mirror.centos.org/centos/7.1.1503/os/x86_64/Packages/centos- release-7-1.1503.el7.centos.2.8.x86_64.rpm # yum -y --nogpg --releasever=7 --installroot=/srv/containers/centos/ install systemd passwd yum vim-minimal
17 Bootable OS container [2/4] Boot container • Boot container ‣ systemd-nspawn -bD /srv/containers/centos/ # systemd-nspawn -bD /srv/containers/centos/ systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ) Detected virtualization 'systemd-nspawn'. Welcome to CentOS Linux 7 (Core)! Set hostname to <centos7c0>. [ OK ] Reached target Remote File Systems. [ OK ] Created slice Root Slice. [ OK ] Created slice User and Session Slice. [ OK ] Created slice System Slice. [ OK ] Created slice system-getty.slice. [ OK ] Reached target Slices. [ OK ] Listening on Delayed Shutdown Socket. [ OK ] Listening on /dev/initctl Compatibility Named Pipe. [ OK ] Listening on Journal Socket. Starting Journal Service... [ OK ] Started Journal Service. [ OK ] Reached target Paths. Mounting Debug File System... Mounting FUSE Control File System... Starting Create static device nodes in /dev... Mounting POSIX Message Queue File System... [...] [ OK ] Started Login Service. [ OK ] Started Permit User Sessions. Starting Console Getty... [ OK ] Started Console Getty. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. CentOS Linux 7 (Core) Kernel 3.16.7-7-desktop on an x86_64 centos7c0 login:
18 Bootable OS container [3/4] Instance properties OS Properties from inside the container CentOS Linux 7 (Core) Kernel 3.16.7-7-desktop on an x86_64 centos7c0 login: root Password: Last login: Sat Apr 11 23:22:04 on console -bash-4.2# -bash-4.2# hostnamectl Static hostname: centos7c0 Icon name: computer-container Chassis: container Machine ID: afb4a0719ad842c99dd7cc704919a2fe Boot ID: 7c03b147c9114632b96bbeb2a462cf5a Virtualization: systemd-nspawn Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.16.7-7-desktop Architecture: x86_64 -bash-4.2# Container properties # machinectl MACHINE CONTAINER SERVICE centos container nspawn 1 machines listed. physnode1:~ # systemd-cgls ├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21 ├─machine.slice │ └─machine-centos.scope │ ├─10159 /usr/lib/systemd/systemd │ └─system.slice │ ├─dbus.service │ │ └─10184 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation │ ├─systemd-journald.service │ │ └─10167 /usr/lib/systemd/systemd-journald │ ├─systemd-logind.service │ │ └─10183 /usr/lib/systemd/systemd-logind │ └─console-getty.service │ └─10189 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 ├─system.slice
19 Bootable OS container [4/4] Shutdown container • Shutdown container from the inside: ‣ Type: `init 0` or `poweroff` Note: will require running init in container ‣ Type: ^]^]^] ( 3x CTRL+[ ) • Shutdown container from the host ‣ machinectl terminate $CONT -bash-4.2# init 0 [ OK ] Removed slice user-0.slice. [ OK ] Removed slice system-getty.slice. Stopping Hostname Service... [ OK ] Stopped target Graphical Interface. [ OK ] Stopped target Multi-User System. [ OK ] Stopped target Login Prompts. Stopping Console Getty... Stopping Login Service... Stopping D-Bus System Message Bus... [ OK ] Stopped Login Service. [ OK ] Stopped D-Bus System Message Bus. [ OK ] Stopped Console Getty. Stopping Permit User Sessions... [ OK ] Stopped Permit User Sessions. [ OK ] Stopped target Remote File Systems. [ OK ] Stopped Hostname Service. [ OK ] Stopped target Basic System. [ OK ] Stopped target Slices. [ OK ] Removed slice User and Session Slice. [ OK ] Stopped target Paths. [ OK ] Stopped target Timers. [ OK ] Stopped target Sockets. [ OK ] Closed D-Bus System Message Bus Socket. [ OK ] Stopped target System Initialization. [ OK ] Stopped target Encrypted Volumes. Stopping Load/Save Random Seed... Stopping Update UTMP about System Reboot/Shutdown... [ OK ] Stopped target Swap. [ OK ] Stopped Update UTMP about System Reboot/Shutdown. [ OK ] Stopped Load/Save Random Seed. Stopping Create Volatile Files and Directories... [ OK ] Stopped Create Volatile Files and Directories. [ OK ] Reached target Shutdown. physnode1:/srv/containers #
20 Networking and systemd-nspawn containers Networking in container -bash-4.2# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0 valid_lft 14611sec preferred_lft 14611sec inet6 fe80::224:d6ff:fe89:521e/64 scope link valid_lft forever preferred_lft forever 3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff -bash-4.2# md5sum /etc/resolv.conf a92a6e440cd677ad17748aa29c5a7333 /etc/resolv.conf ‣ By default the nspawn container will inherit the network settings ‣ /etc/resolv.conf will be copied into container Networking at Host OS physnode1:~ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0 valid_lft 14433sec preferred_lft 14433sec inet6 fe80::224:d6ff:fe89:521e/64 scope link valid_lft forever preferred_lft forever 3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff physnode1:~ # md5sum /etc/resolv.conf a92a6e440cd677ad17748aa29c5a7333 /etc/resolv.conf
21 More advanced networking ‣ Create a virtual ethernet device, with name “vb-$machinename” ‣ Connect veth device to bridge “virbr0” systemd-nspawn -bD /srv/containers/opensuse132/ --network-bridge=virbr0 --network-veth virbr0 veth (host0) veth (vb-opensuse132c0) opensuse132 physnode1 opensuse132c0:~ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...] 2: host0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 36:e3:35:8d:8e:95 brd ff:ff:ff:ff:ff:ff opensuse132c0:~ # physnode1:~ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...] 29: vb-opensuse132c0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000 link/ether 0a:62:90:a4:b5:72 brd ff:ff:ff:ff:ff:ff physnode1:~ #
22 journald and systemd-nspawn containers • Integrating the journal of the host and the container # systemd-nspawn -bD /srv/containers/centos --link-journal=host
23 Containers as Service
24 Container as service • Install Apache and a few other packages • Create a machine-id for the container • Create systemd unit file #install Apache zypper --root /srv/containers/opensuse132/ install openSUSE-release-13.2 apache2 timezone iproute2 rsyslog # set up machine-id systemd-nspawn -D /srv/containers/opensuse132/ systemd-machine-id-setup # unit file: cat <<EOF > /etc/systemd/system/opensuse132c0.service [Unit] Description=Start an openSUSE 13.2 container Wants=network.target nss-lookup.target After=network.target nss-lookup.target [Service] Type=notify PrivateTmp=true ExecStart=/usr/bin/systemd-nspawn -M opensuse132c0 -jD /srv/containers/opensuse132/ ExecStop=/usr/bin/machinectl terminate opensuse132c0 [Install] WantedBy=machines.target EOF
25 Managing containers nsenter • nsenter - run program with namespaces of other processes # machinectl MACHINE CONTAINER SERVICE opensuse132c0 container nspawn 1 machines listed. # machinectl status opensuse132c0 opensuse132c0 Since: Sun 2015-04-12 03:54:18 CEST; 37s ago Leader: 17717 (systemd) Service: nspawn; class container Root: /srv/containers/opensuse132 Unit: machine-opensuse132c0.scope ├─17717 /usr/lib/systemd/systemd └─system.slice ├─dbus.service […] # nsenter --target 17717 --mount --uts --ipc --net –pid opensuse132c0:/ # opensuse132c0:/ # systemctl disable rsyslog rm '/etc/systemd/system/multi-user.target.wants/rsyslog.service' rm '/etc/systemd/system/syslog.service' opensuse132c0:/
26 Summary systemd-nspawn • Makes containers easy • Everyone familiar with “chroot” instantly “gets” systemd-nspawn • Does not have special dependencies, like e.g. docker • It is available on all modern Linux distro's
Thank you. 27 Questions?

More Related Content

PDF
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
byCeph Community
 
PDF
Istio : Service Mesh
byKnoldus Inc.
 
PDF
오픈스택 기반 클라우드 서비스 구축 방안 및 사례
bySONG INSEOB
 
PDF
Red Hat OpenStack - Open Cloud Infrastructure
byAlex Baretto
 
PDF
OpenGL ES and Mobile GPU
byJiansong Chen
 
PPTX
SDN ryu 專題安裝
by承樺 董
 
PPT
Aon vs pon 2
byvanliemtb
 
PPTX
OVN - Basics and deep dive
byTrinath Somanchi
 
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
byCeph Community
 
Istio : Service Mesh
byKnoldus Inc.
 
오픈스택 기반 클라우드 서비스 구축 방안 및 사례
bySONG INSEOB
 
Red Hat OpenStack - Open Cloud Infrastructure
byAlex Baretto
 
OpenGL ES and Mobile GPU
byJiansong Chen
 
SDN ryu 專題安裝
by承樺 董
 
Aon vs pon 2
byvanliemtb
 
OVN - Basics and deep dive
byTrinath Somanchi
 

What's hot

PDF
5G Network Architecture and FMC
byITU
 
PPT
Ryu Learning Guide
by呈 李
 
PDF
Service Function Chaining in Openstack Neutron
byMichelle Holley
 
PDF
해외 사례로 보는 Billing for OpenStack Solution
byNalee Jang
 
PDF
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
byAnne Nicolas
 
PDF
Transport Layer Port or TCP/IP & UDP Port
byNetwax Lab
 
PPT
Pattern-Oriented Software Architecture: Patterns for Concurrent and Networked...
byDavid Freitas
 
PDF
Red Hat OpenStack 17 저자직강+스터디그룹_3주차
byNalee Jang
 
PDF
Qemu Introduction
byChiawei Wang
 
PDF
Red Hat OpenStack 17 저자직강+스터디그룹_2주차
byNalee Jang
 
PPTX
Introduction to Haproxy
byShaopeng He
 
PPTX
Training Course_5G RAN3.0 mmWave Beam Management.pptx
bygame__over
 
PDF
LTE and EPC Specifications
byaliirfan04
 
PDF
Tutorial: IPv6-only transition with demo
byAPNIC
 
PDF
Why is Kamailio so different? An introduction.
byOlle E Johansson
 
DOC
Lesson 8 5 indrect measure
bymlabuski
 
PPTX
IBM RedHat OCP Vs xKS.pptx
byssuser666667
 
PDF
Strimzi - Where Apache Kafka meets OpenShift - OpenShift Spain MeetUp
byJosé Román Martín Gil
 
PPTX
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
byJames Denton
 
PPTX
Introduction to NGINX web server
byMd Waresul Islam
 
5G Network Architecture and FMC
byITU
 
Ryu Learning Guide
by呈 李
 
Service Function Chaining in Openstack Neutron
byMichelle Holley
 
해외 사례로 보는 Billing for OpenStack Solution
byNalee Jang
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
byAnne Nicolas
 
Transport Layer Port or TCP/IP & UDP Port
byNetwax Lab
 
Pattern-Oriented Software Architecture: Patterns for Concurrent and Networked...
byDavid Freitas
 
Red Hat OpenStack 17 저자직강+스터디그룹_3주차
byNalee Jang
 
Qemu Introduction
byChiawei Wang
 
Red Hat OpenStack 17 저자직강+스터디그룹_2주차
byNalee Jang
 
Introduction to Haproxy
byShaopeng He
 
Training Course_5G RAN3.0 mmWave Beam Management.pptx
bygame__over
 
LTE and EPC Specifications
byaliirfan04
 
Tutorial: IPv6-only transition with demo
byAPNIC
 
Why is Kamailio so different? An introduction.
byOlle E Johansson
 
Lesson 8 5 indrect measure
bymlabuski
 
IBM RedHat OCP Vs xKS.pptx
byssuser666667
 
Strimzi - Where Apache Kafka meets OpenShift - OpenShift Spain MeetUp
byJosé Román Martín Gil
 
2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration
byJames Denton
 
Introduction to NGINX web server
byMd Waresul Islam
 

Similar to Containers with systemd-nspawn

PDF
Atmosphere 2016 - Lennart poettering - systemd and Containers
byPROIDEA
 
PDF
Linux Containers From Scratch
byjoshuasoundcloud
 
PDF
Linux Du Jour
bymwedgwood
 
PDF
Summit demystifying systemd1
bySusant Sahani
 
PDF
LISA15: systemd, the Next-Generation Linux System Manager
byAlison Chaiken
 
PDF
Systemd: the modern Linux init system you will learn to love
byAlison Chaiken
 
PPTX
RHSA_1_Chapter_Resume_CONTRILE_SERVCIES.pptx
byAbdellahELMAMOUN
 
PDF
systemd
bySusant Sahani
 
ODP
CLUG 2010 09 - systemd - the new init system
byPaulWay
 
PDF
App container rkt
byXiaofeng Guo
 
PDF
Effective service and resource management with systemd
byDavid Timothy Strauss
 
PDF
Automotive Grade Linux and systemd
byAlison Chaiken
 
PPTX
CoreOS Intro
byIsaac Johnston
 
PDF
systemd
bynussbauml
 
PPTX
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
PDF
SHARE.ORG Orlando 2015
byFilipe Miranda
 
PDF
A "Box" Full of Tools and Distros
byDario Faggioli
 
PDF
Basic of Systemd
byPraveen Kumar
 
ODP
Deploying systemd at scale
byDavide Cavalca
 
PDF
Systemd for developers
byAlison Chaiken
 
Atmosphere 2016 - Lennart poettering - systemd and Containers
byPROIDEA
 
Linux Containers From Scratch
byjoshuasoundcloud
 
Linux Du Jour
bymwedgwood
 
Summit demystifying systemd1
bySusant Sahani
 
LISA15: systemd, the Next-Generation Linux System Manager
byAlison Chaiken
 
Systemd: the modern Linux init system you will learn to love
byAlison Chaiken
 
RHSA_1_Chapter_Resume_CONTRILE_SERVCIES.pptx
byAbdellahELMAMOUN
 
systemd
bySusant Sahani
 
CLUG 2010 09 - systemd - the new init system
byPaulWay
 
App container rkt
byXiaofeng Guo
 
Effective service and resource management with systemd
byDavid Timothy Strauss
 
Automotive Grade Linux and systemd
byAlison Chaiken
 
CoreOS Intro
byIsaac Johnston
 
systemd
bynussbauml
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
SHARE.ORG Orlando 2015
byFilipe Miranda
 
A "Box" Full of Tools and Distros
byDario Faggioli
 
Basic of Systemd
byPraveen Kumar
 
Deploying systemd at scale
byDavide Cavalca
 
Systemd for developers
byAlison Chaiken
 

Recently uploaded

PPTX
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
PPTX
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
PPTX
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
PPTX
List on Python Programming Language.pptx
byRICHARDALONSAGAY1
 
PDF
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
PPTX
SAP FICO Training Agenda for new learners
bysasidhar unnagiri
 
PDF
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
PPTX
AI Agent Overview - Why we need AI Agent
byAlokGope
 
PPTX
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 
PDF
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
PPTX
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
PDF
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
PPTX
Week 7 Introduction to HTML PowerPoint Notes.pptx
bylesandawelgens
 
PDF
One Agent to Rule Them All - The Fellowship of AI Agents
byIvo Andreev
 
PDF
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
PDF
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
PDF
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
List on Python Programming Language.pptx
byRICHARDALONSAGAY1
 
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
SAP FICO Training Agenda for new learners
bysasidhar unnagiri
 
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
AI Agent Overview - Why we need AI Agent
byAlokGope
 
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
Week 7 Introduction to HTML PowerPoint Notes.pptx
bylesandawelgens
 
One Agent to Rule Them All - The Fellowship of AI Agents
byIvo Andreev
 
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 

Containers with systemd-nspawn

  • 1.
    Containers with systemd-nspawn Gábor Nyers Consultant& Trainer @Trebut gnyers@trebut.com @gabornyers
  • 2.
    Agenda ● An examplesystemd-nspawn container ● What is systemd-nspawn and systemd ● Related Concept: Kernel CGroups ● Bootable containters ● Containers as Service ● Advanced topic: Socket Activation
  • 3.
  • 4.
    4 A Simple ApplicationContainer • Start up container • List of processes • Try to install package ‣ Limited footprint and exposure! • On host OS: list kernel control groups: # systemd-nspawn -jD /srv/containers/opensuse132/ -M opensuse132c0 /bin/bash # opensuse132c0:~ # ps -ef UID PID PPID C STIME TTY TIME CMD root 1 0 0 04:16 ? 00:00:00 -bash root 43 1 0 04:18 ? 00:00:00 ps -ef # opensuse132c0:~ # zypper install wget -bash: zypper: command not found # # machinectl MACHINE CONTAINER SERVICE opensuse132c0 container nspawn 1 machines listed. physnode1:~ # # systemd-cgls ├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21 ├─machine.slice │ └─machine-opensuse132c0.scope │ └─18329 -bash […] # ps -ef -o pid,ppid,machine,cmd
  • 5.
    5 Create application container •Bootstrap directory • Install a few packages # zypper --root /srv/containers/opensuse132/ addrepo http://download.opensuse.org/distribution/13.2/repo/oss/ repo-oss # zypper --root /srv/containers/opensuse132/ addrepo http://download.opensuse.org/distribution/13.2/repo/non-oss/ repo-non-oss # zypper --root /srv/containers/opensuse132/ install openSUSE-release-13.2 install bash procps coreutils vim
  • 6.
    6 systemd-nspawn • Whatis systemd? • What is systemd-nspawn? • Adoption
  • 7.
    7 What is systemd?1/3 • a system- and session manager for Linux, • provides aggressive parallelization capabilities, (no shell during boot!) • uses socket and D-Bus activation for starting services, • offers on-demand starting of services, • keeps track of processes using Linux cgroups,
  • 8.
    8 What is systemd?2/3 • supports restoring the system's state to a predefined state, • maintains mount and auto-mount points, • provides dependency based service control logic, • provides replacement for a nr. of well-known tools, e.g.: udev, automount, inetd, consolekit and syslog, • a drop-in replacement for sysvinit
  • 9.
    9 What is systemd?3/3 There is a lot of criticism and opinions as well... • “It's not the UNIX way” referring to the “do one thing and do it well” maxim • “It's monolithic” • “It introduces too many dependencies” • (and worse) ... but we won't be addressing these today :-)
  • 10.
    10 An aside: Peopleand Innovation... “If I had asked people what they wanted, they would have said faster horses” Henry Ford
  • 11.
    11 What is systemd-nspawn? •“chroot on steroids...” • Invented for debug and test of systemd development • Turns out to be a great container manager • systemd-nspawn vs. docker ‣ Management container vs. container+images ‣ Inherited networking vs. Need to set up networking
  • 12.
    12 systemd adoption Distribution Addedto repositories Enabled by default? Released as default SUSE Linux Enterprise v12 Yes Yes openSUSE v11.4 Yes v12.2 (2012) Fedora v15 (2011) Yes v15 (2011) Red Hat Linux Enterprise v7 (2014) Yes v7 (2014) Debian in 2012 Yes v8 (2015) Arch Linux in 2012 Yes 2012 Ubuntu v13.04 (2013) Yes v15.04 (2015) see also: http://en.wikipedia.org/wiki/Systemd#Adoption_and_reception
  • 13.
    13 Related Concept •Kernel cgroups (independent of systemd)
  • 14.
    14 Kernel Cgroups (ControlGroups) • Linux Kernel facility allowing the grouping of processes (and their “children”) into a tree-structure hierarchy • Each group can be assigned a quota for these system resources: ‣ CPU ‣ RAM ‣ Disk I/O ‣ Network I/O Control groups hierarchy created by systemd ├─machine.slice │ └─machine-qemux2dsles1201.scope │ └─20958 /usr/bin/qemu-system-x86_64 -m... ├─user.slice │ ├─user-0.slice │ │ └─user@0.service │ │ ├─4322 /usr/lib/systemd/systemd --us... │ │ └─4323 (sd-pam) │ ├─user-1000.slice │ │ ├─session-560.scope │ │ │ ├─ 2810 /usr/bin/claws-mail │ │ │ ├─ 3035 /usr/lib64/firefox/firefox │ │ │ ├─ 3086 /usr/lib/mozilla/kmozillahel... │ │ │ ├─ 5459 /bin/bash │ │ │ ├─ 7854 /usr/bin/kwalletmanager --kw... │ │ ├─session-1.scope │ │ │ ├─4179 /bin/bash ./bridge start │ │ │ └─4182 dnsmasq --conf-file=mydnsmasq... │ │ └─user@1000.service │ │ ├─1891 /usr/lib/systemd/systemd --us... │ │ └─1892 (sd-pam) │ └─user-489.slice │ └─user@489.service │ ├─1703 /usr/lib/systemd/systemd --us... │ └─1704 (sd-pam) └─system.slice ├─libvirtd.service │ └─4008 /usr/sbin/libvirtd --listen ├─rsyslog.service │ └─985 /usr/sbin/rsyslogd -n ├─apache2.service │ ├─1254 /usr/sbin/httpd2-prefork -f /et... │ └─1840 /usr/sbin/httpd2-prefork -f /et...
  • 15.
  • 16.
    16 Bootable OS container[1/4] Bootstrap • Host properties • Install YUM • Bootstrap RPM DB • Install CentOS 7 release package • Install a few package and their dependencies # hostnamectl Static hostname: physnode1.trebut.com Icon name: computer-laptop Chassis: laptop Machine ID: b4ea4eb15ab7c29b6cc20a47544e5eb7 Boot ID: 3c4e7b5067d247939b89d7e7b57c1132 Operating System: openSUSE 13.2 (Harlequin) (x86_64) CPE OS Name: cpe:/o:opensuse:opensuse:13.2 Kernel: Linux 3.16.7-7-desktop Architecture: x86-64 # zypper install yum # rpm --root /srv/containers/centos/ --initdb # rpm --root /srv/containers/centos/ -ihv http://mirror.centos.org/centos/7.1.1503/os/x86_64/Packages/centos- release-7-1.1503.el7.centos.2.8.x86_64.rpm # yum -y --nogpg --releasever=7 --installroot=/srv/containers/centos/ install systemd passwd yum vim-minimal
  • 17.
    17 Bootable OS container[2/4] Boot container • Boot container ‣ systemd-nspawn -bD /srv/containers/centos/ # systemd-nspawn -bD /srv/containers/centos/ systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ) Detected virtualization 'systemd-nspawn'. Welcome to CentOS Linux 7 (Core)! Set hostname to <centos7c0>. [ OK ] Reached target Remote File Systems. [ OK ] Created slice Root Slice. [ OK ] Created slice User and Session Slice. [ OK ] Created slice System Slice. [ OK ] Created slice system-getty.slice. [ OK ] Reached target Slices. [ OK ] Listening on Delayed Shutdown Socket. [ OK ] Listening on /dev/initctl Compatibility Named Pipe. [ OK ] Listening on Journal Socket. Starting Journal Service... [ OK ] Started Journal Service. [ OK ] Reached target Paths. Mounting Debug File System... Mounting FUSE Control File System... Starting Create static device nodes in /dev... Mounting POSIX Message Queue File System... [...] [ OK ] Started Login Service. [ OK ] Started Permit User Sessions. Starting Console Getty... [ OK ] Started Console Getty. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. CentOS Linux 7 (Core) Kernel 3.16.7-7-desktop on an x86_64 centos7c0 login:
  • 18.
    18 Bootable OS container[3/4] Instance properties OS Properties from inside the container CentOS Linux 7 (Core) Kernel 3.16.7-7-desktop on an x86_64 centos7c0 login: root Password: Last login: Sat Apr 11 23:22:04 on console -bash-4.2# -bash-4.2# hostnamectl Static hostname: centos7c0 Icon name: computer-container Chassis: container Machine ID: afb4a0719ad842c99dd7cc704919a2fe Boot ID: 7c03b147c9114632b96bbeb2a462cf5a Virtualization: systemd-nspawn Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.16.7-7-desktop Architecture: x86_64 -bash-4.2# Container properties # machinectl MACHINE CONTAINER SERVICE centos container nspawn 1 machines listed. physnode1:~ # systemd-cgls ├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21 ├─machine.slice │ └─machine-centos.scope │ ├─10159 /usr/lib/systemd/systemd │ └─system.slice │ ├─dbus.service │ │ └─10184 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation │ ├─systemd-journald.service │ │ └─10167 /usr/lib/systemd/systemd-journald │ ├─systemd-logind.service │ │ └─10183 /usr/lib/systemd/systemd-logind │ └─console-getty.service │ └─10189 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 ├─system.slice
  • 19.
    19 Bootable OS container[4/4] Shutdown container • Shutdown container from the inside: ‣ Type: `init 0` or `poweroff` Note: will require running init in container ‣ Type: ^]^]^] ( 3x CTRL+[ ) • Shutdown container from the host ‣ machinectl terminate $CONT -bash-4.2# init 0 [ OK ] Removed slice user-0.slice. [ OK ] Removed slice system-getty.slice. Stopping Hostname Service... [ OK ] Stopped target Graphical Interface. [ OK ] Stopped target Multi-User System. [ OK ] Stopped target Login Prompts. Stopping Console Getty... Stopping Login Service... Stopping D-Bus System Message Bus... [ OK ] Stopped Login Service. [ OK ] Stopped D-Bus System Message Bus. [ OK ] Stopped Console Getty. Stopping Permit User Sessions... [ OK ] Stopped Permit User Sessions. [ OK ] Stopped target Remote File Systems. [ OK ] Stopped Hostname Service. [ OK ] Stopped target Basic System. [ OK ] Stopped target Slices. [ OK ] Removed slice User and Session Slice. [ OK ] Stopped target Paths. [ OK ] Stopped target Timers. [ OK ] Stopped target Sockets. [ OK ] Closed D-Bus System Message Bus Socket. [ OK ] Stopped target System Initialization. [ OK ] Stopped target Encrypted Volumes. Stopping Load/Save Random Seed... Stopping Update UTMP about System Reboot/Shutdown... [ OK ] Stopped target Swap. [ OK ] Stopped Update UTMP about System Reboot/Shutdown. [ OK ] Stopped Load/Save Random Seed. Stopping Create Volatile Files and Directories... [ OK ] Stopped Create Volatile Files and Directories. [ OK ] Reached target Shutdown. physnode1:/srv/containers #
  • 20.
    20 Networking and systemd-nspawncontainers Networking in container -bash-4.2# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0 valid_lft 14611sec preferred_lft 14611sec inet6 fe80::224:d6ff:fe89:521e/64 scope link valid_lft forever preferred_lft forever 3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff -bash-4.2# md5sum /etc/resolv.conf a92a6e440cd677ad17748aa29c5a7333 /etc/resolv.conf ‣ By default the nspawn container will inherit the network settings ‣ /etc/resolv.conf will be copied into container Networking at Host OS physnode1:~ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0 valid_lft 14433sec preferred_lft 14433sec inet6 fe80::224:d6ff:fe89:521e/64 scope link valid_lft forever preferred_lft forever 3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff physnode1:~ # md5sum /etc/resolv.conf a92a6e440cd677ad17748aa29c5a7333 /etc/resolv.conf
  • 21.
    21 More advanced networking ‣Create a virtual ethernet device, with name “vb-$machinename” ‣ Connect veth device to bridge “virbr0” systemd-nspawn -bD /srv/containers/opensuse132/ --network-bridge=virbr0 --network-veth virbr0 veth (host0) veth (vb-opensuse132c0) opensuse132 physnode1 opensuse132c0:~ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...] 2: host0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 36:e3:35:8d:8e:95 brd ff:ff:ff:ff:ff:ff opensuse132c0:~ # physnode1:~ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...] 29: vb-opensuse132c0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000 link/ether 0a:62:90:a4:b5:72 brd ff:ff:ff:ff:ff:ff physnode1:~ #
  • 22.
    22 journald and systemd-nspawncontainers • Integrating the journal of the host and the container # systemd-nspawn -bD /srv/containers/centos --link-journal=host
  • 23.
  • 24.
    24 Container as service •Install Apache and a few other packages • Create a machine-id for the container • Create systemd unit file #install Apache zypper --root /srv/containers/opensuse132/ install openSUSE-release-13.2 apache2 timezone iproute2 rsyslog # set up machine-id systemd-nspawn -D /srv/containers/opensuse132/ systemd-machine-id-setup # unit file: cat <<EOF > /etc/systemd/system/opensuse132c0.service [Unit] Description=Start an openSUSE 13.2 container Wants=network.target nss-lookup.target After=network.target nss-lookup.target [Service] Type=notify PrivateTmp=true ExecStart=/usr/bin/systemd-nspawn -M opensuse132c0 -jD /srv/containers/opensuse132/ ExecStop=/usr/bin/machinectl terminate opensuse132c0 [Install] WantedBy=machines.target EOF
  • 25.
    25 Managing containers nsenter • nsenter- run program with namespaces of other processes # machinectl MACHINE CONTAINER SERVICE opensuse132c0 container nspawn 1 machines listed. # machinectl status opensuse132c0 opensuse132c0 Since: Sun 2015-04-12 03:54:18 CEST; 37s ago Leader: 17717 (systemd) Service: nspawn; class container Root: /srv/containers/opensuse132 Unit: machine-opensuse132c0.scope ├─17717 /usr/lib/systemd/systemd └─system.slice ├─dbus.service […] # nsenter --target 17717 --mount --uts --ipc --net –pid opensuse132c0:/ # opensuse132c0:/ # systemctl disable rsyslog rm '/etc/systemd/system/multi-user.target.wants/rsyslog.service' rm '/etc/systemd/system/syslog.service' opensuse132c0:/
  • 26.
    26 Summary systemd-nspawn • Makes containerseasy • Everyone familiar with “chroot” instantly “gets” systemd-nspawn • Does not have special dependencies, like e.g. docker • It is available on all modern Linux distro's
  • 27.