| 1 |
On Sat, Feb 2, 2019 at 11:52 PM Grant Taylor |
| 2 |
<gtaylor@×××××××××××××××××××××.net> wrote: |
| 3 |
> |
| 4 |
> On 2/2/19 9:39 PM, Michael Jones wrote: |
| 5 |
> > systemd-nspawn is also an option, but I don't think that'll work with |
| 6 |
> > OpenRC. |
| 7 |
> |
| 8 |
> Ya.... I moved (back to) Gentoo to get away from systemd. I'm not |
| 9 |
> going to voluntarily opt to use it, or any of it's children. That's |
| 10 |
> /my/ opinion. I know others opinions differ. |
| 11 |
> |
| 12 |
|
| 13 |
Nothing wrong with that approach. I use systemd-nspawn to run a bunch |
| 14 |
of containers, hosted in Gentoo, and many of which run Gentoo. |
| 15 |
However, these all run systemd and I don't believe you can run nspawn |
| 16 |
without a systemd host (the guest/container can be anything). These |
| 17 |
are containers running full distros with systemd in my case, not just |
| 18 |
single-process containers, in my case. However, nspawn does support |
| 19 |
single-process containers, and that includes with veth, but nspawn |
| 20 |
WON'T initialize networking in those containers (ie DHCP/etc), leaving |
| 21 |
this up to the guest (it does provide a config file for |
| 22 |
systemd-networkd inside the guest if it is in use to autoconfigure |
| 23 |
DHCP). |
| 24 |
|
| 25 |
I'm not exactly certain what you're trying to accomplish, but |
| 26 |
namespaces are just a kernel system call when it comes down to it (two |
| 27 |
of them I think offhand). Two util-linux programs provide direct |
| 28 |
access to them for shell scripts: unshare and nsenter. If you're just |
| 29 |
trying to run a process in a separate namespace so that it can use |
| 30 |
veth/etc then you could probably initialize that in a script run from |
| 31 |
unshare. If you don't need more isolation you could run it right from |
| 32 |
the host filesystem without a separate mount or process namespace. Or |
| 33 |
you could create a new mount namespace but only modify specific parts |
| 34 |
of it like /var/lib or whatever. |
| 35 |
|
| 36 |
People generally equate containers with docker but as you seem to get |
| 37 |
you can do a lot with namespaces without basically running completely |
| 38 |
independent distros. Now, I will point out that there are good |
| 39 |
reasons for keeping things separate - they may or may not apply to |
| 40 |
your application. If you just want to run a single daemon on 14 |
| 41 |
different IPs and have each of those daemons see the same filesystem |
| 42 |
minus /var/lib and /etc that is something you could certainly do with |
| 43 |
namespaces and the only resource cost would be the storage of the |
| 44 |
extra /var/lib and /etc directories (they could even use the same |
| 45 |
shared libraries in RAM, and indeed the same process image itself I |
| 46 |
think). |
| 47 |
|
| 48 |
The only gotcha is that I'm not sure how much of it is already done, |
| 49 |
so you may have to roll your own. If you find generic solutions for |
| 50 |
running services in partially-isolated namespaces with network |
| 51 |
initialization taken care of for you I'd be very interested in hearing |
| 52 |
about it. |
| 53 |
|
| 54 |
-- |
| 55 |
Rich |
Archives