| 1 |
On 02/04/2019 11:55 AM, Rich Freeman wrote: |
| 2 |
> IMO I would separate your container logic from your service manager logic. |
| 3 |
|
| 4 |
I'm not exactly sure what you mean by "container logic" vs "service |
| 5 |
manager logic" and how they differ. I'm assuming that the former |
| 6 |
creates / destroys the container and that the latter manages |
| 7 |
(re)starting/stopping services where ever they are at. |
| 8 |
|
| 9 |
> If you have a script that launches a container, then all you need is a |
| 10 |
> generic init.d script that runs it. |
| 11 |
|
| 12 |
I guess that's one way to do it. But that doesn't seem very Gentoo<ish> |
| 13 |
to me. |
| 14 |
|
| 15 |
I'd like to see a way that I can have standard service init scripts and |
| 16 |
use them where ever I want them, either inside a container or outside on |
| 17 |
the host. |
| 18 |
|
| 19 |
As long as I don't want to run the same service in multiple places, I |
| 20 |
don't see a problem with doing that. Multiple instances starts to get |
| 21 |
more tricky, but is still possible, and should be location agnostic. |
| 22 |
|
| 23 |
> I launch nspawn containers from systemd units all the time. The only |
| 24 |
> logic in the units is running the command line to start nspawn. |
| 25 |
> |
| 26 |
> IMO if you start mixing the two it will just make it harder to maintain. |
| 27 |
> Sure, an init.d script CAN do anything, but that doesn't mean that you |
| 28 |
> should do it this way. |
| 29 |
|
| 30 |
I'm wanting to avoid having an init script that creates the container |
| 31 |
and starts services therein. I'd rather start the container and then |
| 32 |
start the services therein using the same type of init scripts, just |
| 33 |
called within different contexts. |
| 34 |
|
| 35 |
> Without creating a separate reply I wanted to react to your other email |
| 36 |
> detailing your config. It strikes me that you might not even need |
| 37 |
> containers to set up all those interfaces and the routing between them. |
| 38 |
> However, the container probably still makes sense so that random processes |
| 39 |
> trying to listen on 0.0.0.0 on the host don't end up attaching to all |
| 40 |
> those virtual interfaces. |
| 41 |
|
| 42 |
Yes, I could have all the interfaces on the host. But I'm doing a |
| 43 |
number of different things and don't want to spoil the host. |
| 44 |
|
| 45 |
The nice containers that I mentioned are long standing containers. I |
| 46 |
routinely stand up 10 ~ 100 more for various tests. |
| 47 |
|
| 48 |
I'm also using network namespaces as an isolation so that I can easily |
| 49 |
do various things with networking without the added complexity of |
| 50 |
isolating things from each other via command line or policy based |
| 51 |
routing. Each network namespace can easily have it's view of 0.0.0.0 |
| 52 |
(as a good example) and it's own routing table. I don't need to bother |
| 53 |
with PBR / ip rules / iptables complexities. Each NetNS just knows |
| 54 |
about it's local interfaces. |
| 55 |
|
| 56 |
> Really all you need is some initialization inside each container and |
| 57 |
> then the kernel is doing all the work. You don't really need any |
| 58 |
> userspace process running in the container except for the fact that |
| 59 |
> kernel namespaces are attached to processes. |
| 60 |
|
| 61 |
I mostly agree. I am running BIRD inside the container, but that's more |
| 62 |
of a would be nice to have and I can work around not having it. There |
| 63 |
are also the occasional commands that I want to run to do |
| 64 |
troubleshooting (ping, traceroute, etc) as well as dynamically modifying |
| 65 |
the containers which is usually done via "nsenter …" or "ip netns exec |
| 66 |
$NetNSname …" commands. |
| 67 |
|
| 68 |
> As a result, I'd suggest considering using sysvinit inside your |
| 69 |
> containers to do the work. |
| 70 |
|
| 71 |
That is a possibility. But I feel like that's tantamount to saying |
| 72 |
"Gentoo doesn't have an answer for what you're wanting to do, so just |
| 73 |
use Sys V init scripts." I don't like it. |
| 74 |
|
| 75 |
I like the idea of re-using standard OpenRC / NetifRC scripts inside the |
| 76 |
containers too. Especially if the services don't conflict anywhere. To |
| 77 |
me, this re-uses the existing Gentoo methodology in different contexts. |
| 78 |
|
| 79 |
> You might run openrc/netifrc to do the network setup inside each |
| 80 |
> container, or just have sysvinit run a shell script that initializes |
| 81 |
> and then terminates, leaving init running childless indefinitely (I |
| 82 |
> assume it supports this). If you want a process to noop indefinitely |
| 83 |
> at minimal cost that is basically the definition of what sysvinit does... |
| 84 |
|
| 85 |
The more that I think about it, largely in response to emails in this |
| 86 |
thread, I believe that I want the same overall thing to create the |
| 87 |
network between the default / main / unnamed NetNS and the container, as |
| 88 |
well as likely re-using the OpenRC / NetifRC scripts to configure things |
| 89 |
inside the container. |
| 90 |
|
| 91 |
I think, and would be curious to have someone confirm or refute, that I |
| 92 |
could add configuration information to /etc/conf.d/net for the xyz123 |
| 93 |
interface inside the container and use an /etc/init.d/net.xyz123 init |
| 94 |
script sym-linked to /etc/init.d/net.lo script. |
| 95 |
|
| 96 |
My host would not have net.xyz123 in any runlevel. Certainly not boot |
| 97 |
or default. |
| 98 |
|
| 99 |
I think that would mean that I could run rc-service net.xyz123 start |
| 100 |
inside the container and re-use existing Gentoo methodology. |
| 101 |
|
| 102 |
Now I wonder if I could use custom runlevels for each container and rely |
| 103 |
on standard init system. }:-) But that's a different question. |
| 104 |
|
| 105 |
|
| 106 |
|
| 107 |
-- |
| 108 |
Grant. . . . |
| 109 |
unix || die |
Archives