1 |
On 02/04/2019 11:55 AM, Rich Freeman wrote: |
2 |
> IMO I would separate your container logic from your service manager logic. |
3 |
|
4 |
I'm not exactly sure what you mean by "container logic" vs "service |
5 |
manager logic" and how they differ. I'm assuming that the former |
6 |
creates / destroys the container and that the latter manages |
7 |
(re)starting/stopping services where ever they are at. |
8 |
|
9 |
> If you have a script that launches a container, then all you need is a |
10 |
> generic init.d script that runs it. |
11 |
|
12 |
I guess that's one way to do it. But that doesn't seem very Gentoo<ish> |
13 |
to me. |
14 |
|
15 |
I'd like to see a way that I can have standard service init scripts and |
16 |
use them where ever I want them, either inside a container or outside on |
17 |
the host. |
18 |
|
19 |
As long as I don't want to run the same service in multiple places, I |
20 |
don't see a problem with doing that. Multiple instances starts to get |
21 |
more tricky, but is still possible, and should be location agnostic. |
22 |
|
23 |
> I launch nspawn containers from systemd units all the time. The only |
24 |
> logic in the units is running the command line to start nspawn. |
25 |
> |
26 |
> IMO if you start mixing the two it will just make it harder to maintain. |
27 |
> Sure, an init.d script CAN do anything, but that doesn't mean that you |
28 |
> should do it this way. |
29 |
|
30 |
I'm wanting to avoid having an init script that creates the container |
31 |
and starts services therein. I'd rather start the container and then |
32 |
start the services therein using the same type of init scripts, just |
33 |
called within different contexts. |
34 |
|
35 |
> Without creating a separate reply I wanted to react to your other email |
36 |
> detailing your config. It strikes me that you might not even need |
37 |
> containers to set up all those interfaces and the routing between them. |
38 |
> However, the container probably still makes sense so that random processes |
39 |
> trying to listen on 0.0.0.0 on the host don't end up attaching to all |
40 |
> those virtual interfaces. |
41 |
|
42 |
Yes, I could have all the interfaces on the host. But I'm doing a |
43 |
number of different things and don't want to spoil the host. |
44 |
|
45 |
The nice containers that I mentioned are long standing containers. I |
46 |
routinely stand up 10 ~ 100 more for various tests. |
47 |
|
48 |
I'm also using network namespaces as an isolation so that I can easily |
49 |
do various things with networking without the added complexity of |
50 |
isolating things from each other via command line or policy based |
51 |
routing. Each network namespace can easily have it's view of 0.0.0.0 |
52 |
(as a good example) and it's own routing table. I don't need to bother |
53 |
with PBR / ip rules / iptables complexities. Each NetNS just knows |
54 |
about it's local interfaces. |
55 |
|
56 |
> Really all you need is some initialization inside each container and |
57 |
> then the kernel is doing all the work. You don't really need any |
58 |
> userspace process running in the container except for the fact that |
59 |
> kernel namespaces are attached to processes. |
60 |
|
61 |
I mostly agree. I am running BIRD inside the container, but that's more |
62 |
of a would be nice to have and I can work around not having it. There |
63 |
are also the occasional commands that I want to run to do |
64 |
troubleshooting (ping, traceroute, etc) as well as dynamically modifying |
65 |
the containers which is usually done via "nsenter …" or "ip netns exec |
66 |
$NetNSname …" commands. |
67 |
|
68 |
> As a result, I'd suggest considering using sysvinit inside your |
69 |
> containers to do the work. |
70 |
|
71 |
That is a possibility. But I feel like that's tantamount to saying |
72 |
"Gentoo doesn't have an answer for what you're wanting to do, so just |
73 |
use Sys V init scripts." I don't like it. |
74 |
|
75 |
I like the idea of re-using standard OpenRC / NetifRC scripts inside the |
76 |
containers too. Especially if the services don't conflict anywhere. To |
77 |
me, this re-uses the existing Gentoo methodology in different contexts. |
78 |
|
79 |
> You might run openrc/netifrc to do the network setup inside each |
80 |
> container, or just have sysvinit run a shell script that initializes |
81 |
> and then terminates, leaving init running childless indefinitely (I |
82 |
> assume it supports this). If you want a process to noop indefinitely |
83 |
> at minimal cost that is basically the definition of what sysvinit does... |
84 |
|
85 |
The more that I think about it, largely in response to emails in this |
86 |
thread, I believe that I want the same overall thing to create the |
87 |
network between the default / main / unnamed NetNS and the container, as |
88 |
well as likely re-using the OpenRC / NetifRC scripts to configure things |
89 |
inside the container. |
90 |
|
91 |
I think, and would be curious to have someone confirm or refute, that I |
92 |
could add configuration information to /etc/conf.d/net for the xyz123 |
93 |
interface inside the container and use an /etc/init.d/net.xyz123 init |
94 |
script sym-linked to /etc/init.d/net.lo script. |
95 |
|
96 |
My host would not have net.xyz123 in any runlevel. Certainly not boot |
97 |
or default. |
98 |
|
99 |
I think that would mean that I could run rc-service net.xyz123 start |
100 |
inside the container and re-use existing Gentoo methodology. |
101 |
|
102 |
Now I wonder if I could use custom runlevels for each container and rely |
103 |
on standard init system. }:-) But that's a different question. |
104 |
|
105 |
|
106 |
|
107 |
-- |
108 |
Grant. . . . |
109 |
unix || die |