Containers with systemd-nspawn
Gábor Nyers
Consultant & Trainer @Trebut
gnyers@trebut.com
@gabornyers
Agenda
● An example systemd-nspawn container
● What is systemd-nspawn and systemd
● Related Concept: Kernel CGroups
● Bootable containers
● Containers as Service
● Advanced topic: Socket Activation
An example systemd-nspawn container
A Simple Application Container
• Start up container
• List of processes
• Try to install package
‣ Limited footprint and exposure!
• On host OS: list kernel control groups:

# systemd-nspawn -jD /srv/containers/opensuse132/ \
    -M opensuse132c0 \
    /bin/bash
opensuse132c0:~ # ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 04:16 ?        00:00:00 -bash
root        43     1  0 04:18 ?        00:00:00 ps -ef
opensuse132c0:~ # zypper install wget
-bash: zypper: command not found

physnode1:~ # machinectl
MACHINE       CONTAINER SERVICE
opensuse132c0 container nspawn
1 machines listed.

physnode1:~ # systemd-cgls
├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
├─machine.slice
│ └─machine-opensuse132c0.scope
│   └─18329 -bash
[…]
physnode1:~ # ps -ef -o pid,ppid,machine,cmd
Create application container
• Bootstrap directory
• Install a few packages

# zypper --root /srv/containers/opensuse132/ addrepo \
    http://download.opensuse.org/distribution/13.2/repo/oss/ \
    repo-oss
# zypper --root /srv/containers/opensuse132/ addrepo \
    http://download.opensuse.org/distribution/13.2/repo/non-oss/ \
    repo-non-oss
# zypper --root /srv/containers/opensuse132/ install \
    openSUSE-release-13.2 bash procps coreutils vim
systemd-nspawn
• What is systemd?
• What is systemd-nspawn?
• Adoption
What is systemd? 1/3
• a system and session manager for Linux,
• provides aggressive parallelization capabilities (no shell during boot!),
• uses socket and D-Bus activation for starting services,
• offers on-demand starting of services,
• keeps track of processes using Linux cgroups,
What is systemd? 2/3
• supports restoring the system's state to a predefined state,
• maintains mount and auto-mount points,
• provides dependency-based service control logic,
• provides a replacement for a number of well-known tools, e.g. udev, automount, inetd, consolekit and syslog,
• a drop-in replacement for sysvinit
What is systemd? 3/3
There is a lot of criticism and many opinions as well...
• “It's not the UNIX way”
  referring to the “do one thing and do it well” maxim
• “It's monolithic”
• “It introduces too many dependencies”
• (and worse)
... but we won't be addressing these today :-)
An aside: People and Innovation...
“If I had asked people what they wanted, they would have said faster horses”
Henry Ford
What is systemd-nspawn?
• “chroot on steroids...”
• Invented for debugging and testing during systemd development
• Turns out to be a great container manager
• systemd-nspawn vs. docker
‣ Manages containers vs. manages containers and images
‣ Inherits the host's networking vs. networking needs to be set up
systemd adoption

Distribution               Added to repositories   Enabled by default?   Released as default
SUSE Linux Enterprise      v12                     Yes                   Yes
openSUSE                   v11.4                   Yes                   v12.2 (2012)
Fedora                     v15 (2011)              Yes                   v15 (2011)
Red Hat Enterprise Linux   v7 (2014)               Yes                   v7 (2014)
Debian                     in 2012                 Yes                   v8 (2015)
Arch Linux                 in 2012                 Yes                   2012
Ubuntu                     v13.04 (2013)           Yes                   v15.04 (2015)

see also: http://en.wikipedia.org/wiki/Systemd#Adoption_and_reception
Related Concept: Kernel cgroups (independent of systemd)
Kernel Cgroups (Control Groups)
• Linux Kernel facility allowing the grouping of processes (and their “children”) into a tree-structured hierarchy
• Each group can be assigned a quota for these system resources:
‣ CPU
‣ RAM
‣ Disk I/O
‣ Network I/O

Control groups hierarchy created by systemd:
├─machine.slice
│ └─machine-qemux2dsles1201.scope
│   └─20958 /usr/bin/qemu-system-x86_64 -m...
├─user.slice
│ ├─user-0.slice
│ │ └─user@0.service
│ │   ├─4322 /usr/lib/systemd/systemd --us...
│ │   └─4323 (sd-pam)
│ ├─user-1000.slice
│ │ ├─session-560.scope
│ │ │ ├─2810 /usr/bin/claws-mail
│ │ │ ├─3035 /usr/lib64/firefox/firefox
│ │ │ ├─3086 /usr/lib/mozilla/kmozillahel...
│ │ │ ├─5459 /bin/bash
│ │ │ ├─7854 /usr/bin/kwalletmanager --kw...
│ │ ├─session-1.scope
│ │ │ ├─4179 /bin/bash ./bridge start
│ │ │ └─4182 dnsmasq --conf-file=mydnsmasq...
│ │ └─user@1000.service
│ │   ├─1891 /usr/lib/systemd/systemd --us...
│ │   └─1892 (sd-pam)
│ └─user-489.slice
│   └─user@489.service
│     ├─1703 /usr/lib/systemd/systemd --us...
│     └─1704 (sd-pam)
└─system.slice
  ├─libvirtd.service
  │ └─4008 /usr/sbin/libvirtd --listen
  ├─rsyslog.service
  │ └─985 /usr/sbin/rsyslogd -n
  ├─apache2.service
  │ ├─1254 /usr/sbin/httpd2-prefork -f /et...
  │ └─1840 /usr/sbin/httpd2-prefork -f /et...
Bootable containers
Bootable OS container [1/4]
Bootstrap
• Host properties
• Install YUM
• Bootstrap RPM DB
• Install CentOS 7 release package
• Install a few packages and their dependencies

# hostnamectl
   Static hostname: physnode1.trebut.com
         Icon name: computer-laptop
           Chassis: laptop
        Machine ID: b4ea4eb15ab7c29b6cc20a47544e5eb7
           Boot ID: 3c4e7b5067d247939b89d7e7b57c1132
  Operating System: openSUSE 13.2 (Harlequin) (x86_64)
       CPE OS Name: cpe:/o:opensuse:opensuse:13.2
            Kernel: Linux 3.16.7-7-desktop
      Architecture: x86-64
# zypper install yum
# rpm --root /srv/containers/centos/ --initdb
# rpm --root /srv/containers/centos/ -ihv \
    http://mirror.centos.org/centos/7.1.1503/os/x86_64/Packages/centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
# yum -y --nogpg --releasever=7 \
    --installroot=/srv/containers/centos/ \
    install systemd passwd yum vim-minimal
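A preflight check for a bootstrapped directory, added here as an example and not part of the deck: it tells whether a tree like the opensuse132 one (application container, a command run with -D) or the centos one (booted with -b) has what nspawn needs before it is started. The paths it looks for and the fake-tree helper are my assumptions about what the bootstrap steps leave behind; nothing in it needs systemd to run.

```shell
#!/bin/sh
# Preflight check for a systemd-nspawn container directory.
# Added example for this deck, not the author's code. It only inspects the
# file tree, so it runs anywhere; the paths it looks for (bin/sh or bin/bash,
# etc, usr/lib/systemd/systemd or sbin/init, etc/machine-id) are assumptions
# about what the bootstrap steps above leave behind.

# Report a finding on stderr so stdout stays free for the caller.
note() { printf 'preflight: %s\n' "$*" >&2; }

# nspawn_preflight ROOT MODE
#   MODE "app"  : run a command in the tree  (systemd-nspawn -D ROOT /bin/bash)
#   MODE "boot" : boot the tree's own init   (systemd-nspawn -bD ROOT)
# Returns 0 when ROOT looks usable for MODE, 1 when something is missing,
# 2 when ROOT is not acceptable at all.
nspawn_preflight() {
    root=$1
    mode=${2:-app}
    rc=0

    # Never accept the host root: the "container" would see the real system.
    case "$root" in
        ""|/|//) note "refusing '$root' as a container root"; return 2 ;;
    esac
    [ -d "$root" ] || { note "$root is not a directory"; return 2; }

    # Even an application container needs a shell to run the command in
    # (the opensuse132 example above runs /bin/bash).
    [ -x "$root/bin/bash" ] || [ -x "$root/bin/sh" ] \
        || { note "no bin/bash or bin/sh under $root"; rc=1; }

    # nspawn copies the host's /etc/resolv.conf into the tree; it needs etc/.
    [ -d "$root/etc" ] || { note "no etc/ under $root"; rc=1; }

    if [ "$mode" = boot ]; then
        # -b runs the tree's init as PID 1; the CentOS example installs systemd.
        [ -x "$root/usr/lib/systemd/systemd" ] || [ -x "$root/sbin/init" ] \
            || { note "no init under $root (usr/lib/systemd/systemd or sbin/init)"; rc=1; }
        # A booted systemd identifies the instance by etc/machine-id; the
        # service slide creates it with systemd-machine-id-setup.
        [ -s "$root/etc/machine-id" ] \
            || { note "missing or empty etc/machine-id under $root"; rc=1; }
    fi
    return "$rc"
}

# make_fake_root DIR: constructed demo tree with a shell and etc/ only
# (enough for MODE app, not for MODE boot). Not a usable container.
make_fake_root() {
    mkdir -p "$1/bin" "$1/etc" "$1/usr/lib/systemd" "$1/sbin"
    printf '#!/bin/sh\n' > "$1/bin/bash" && chmod +x "$1/bin/bash"
}

# Demo on a constructed tree; on a host use /srv/containers/centos instead.
demo=${TMPDIR:-/tmp}/nspawn-preflight-demo.$$
make_fake_root "$demo"
if nspawn_preflight "$demo" boot; then
    echo "$demo: bootable"
else
    echo "$demo: not bootable (see findings above)"
fi
rm -rf "$demo"
```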
Bootable OS container [2/4]
Boot container
• Boot container
‣ systemd-nspawn -bD /srv/containers/centos/

# systemd-nspawn -bD /srv/containers/centos/
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'systemd-nspawn'.
Welcome to CentOS Linux 7 (Core)!
Set hostname to <centos7c0>.
[ OK ] Reached target Remote File Systems.
[ OK ] Created slice Root Slice.
[ OK ] Created slice User and Session Slice.
[ OK ] Created slice System Slice.
[ OK ] Created slice system-getty.slice.
[ OK ] Reached target Slices.
[ OK ] Listening on Delayed Shutdown Socket.
[ OK ] Listening on /dev/initctl Compatibility Named Pipe.
[ OK ] Listening on Journal Socket.
Starting Journal Service...
[ OK ] Started Journal Service.
[ OK ] Reached target Paths.
Mounting Debug File System...
Mounting FUSE Control File System...
Starting Create static device nodes in /dev...
Mounting POSIX Message Queue File System...
[...]
[ OK ] Started Login Service.
[ OK ] Started Permit User Sessions.
Starting Console Getty...
[ OK ] Started Console Getty.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
CentOS Linux 7 (Core)
Kernel 3.16.7-7-desktop on an x86_64
centos7c0 login:
Bootable OS container [3/4]
Instance properties

OS properties from inside the container:
CentOS Linux 7 (Core)
Kernel 3.16.7-7-desktop on an x86_64
centos7c0 login: root
Password:
Last login: Sat Apr 11 23:22:04 on console
-bash-4.2# hostnamectl
   Static hostname: centos7c0
         Icon name: computer-container
           Chassis: container
        Machine ID: afb4a0719ad842c99dd7cc704919a2fe
           Boot ID: 7c03b147c9114632b96bbeb2a462cf5a
    Virtualization: systemd-nspawn
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.16.7-7-desktop
      Architecture: x86_64
-bash-4.2#

Container properties, seen from the host:
physnode1:~ # machinectl
MACHINE CONTAINER SERVICE
centos  container nspawn
1 machines listed.
physnode1:~ # systemd-cgls
├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
├─machine.slice
│ └─machine-centos.scope
│   ├─10159 /usr/lib/systemd/systemd
│   └─system.slice
│     ├─dbus.service
│     │ └─10184 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│     ├─systemd-journald.service
│     │ └─10167 /usr/lib/systemd/systemd-journald
│     ├─systemd-logind.service
│     │ └─10183 /usr/lib/systemd/systemd-logind
│     └─console-getty.service
│       └─10189 /sbin/agetty --noclear --keep-baud console 115200 38400 9600
├─system.slice
Bootable OS container [4/4]
Shutdown container
• Shutdown container from the inside:
‣ Type: `init 0` or `poweroff`
  Note: requires a running init in the container
‣ Type: ^]^]^] (3x CTRL+])
• Shutdown container from the host:
‣ machinectl terminate $CONT

-bash-4.2# init 0
[ OK ] Removed slice user-0.slice.
[ OK ] Removed slice system-getty.slice.
Stopping Hostname Service...
[ OK ] Stopped target Graphical Interface.
[ OK ] Stopped target Multi-User System.
[ OK ] Stopped target Login Prompts.
Stopping Console Getty...
Stopping Login Service...
Stopping D-Bus System Message Bus...
[ OK ] Stopped Login Service.
[ OK ] Stopped D-Bus System Message Bus.
[ OK ] Stopped Console Getty.
Stopping Permit User Sessions...
[ OK ] Stopped Permit User Sessions.
[ OK ] Stopped target Remote File Systems.
[ OK ] Stopped Hostname Service.
[ OK ] Stopped target Basic System.
[ OK ] Stopped target Slices.
[ OK ] Removed slice User and Session Slice.
[ OK ] Stopped target Paths.
[ OK ] Stopped target Timers.
[ OK ] Stopped target Sockets.
[ OK ] Closed D-Bus System Message Bus Socket.
[ OK ] Stopped target System Initialization.
[ OK ] Stopped target Encrypted Volumes.
Stopping Load/Save Random Seed...
Stopping Update UTMP about System Reboot/Shutdown...
[ OK ] Stopped target Swap.
[ OK ] Stopped Update UTMP about System Reboot/Shutdown.
[ OK ] Stopped Load/Save Random Seed.
Stopping Create Volatile Files and Directories...
[ OK ] Stopped Create Volatile Files and Directories.
[ OK ] Reached target Shutdown.
physnode1:/srv/containers #
Networking and systemd-nspawn containers
‣ By default the nspawn container inherits the host's network settings
‣ /etc/resolv.conf is copied into the container (same md5sum on both sides)

Networking in container
-bash-4.2# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0
       valid_lft 14611sec preferred_lft 14611sec
    inet6 fe80::224:d6ff:fe89:521e/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
-bash-4.2# md5sum /etc/resolv.conf
a92a6e440cd677ad17748aa29c5a7333 /etc/resolv.conf

Networking at Host OS
physnode1:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0
       valid_lft 14433sec preferred_lft 14433sec
    inet6 fe80::224:d6ff:fe89:521e/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
physnode1:~ # md5sum /etc/resolv.conf
a92a6e440cd677ad17748aa29c5a7333 /etc/resolv.conf
More advanced networking
‣ Create a virtual ethernet (veth) device pair; the host side is named “vb-$machinename”, the container side “host0”
‣ Connect the host-side veth device to the bridge “virbr0”

# systemd-nspawn -bD /srv/containers/opensuse132/ \
    --network-bridge=virbr0 --network-veth

[Diagram: physnode1 bridge virbr0 ↔ veth vb-opensuse132c0 ↔ veth host0 inside container opensuse132c0]

opensuse132c0:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...]
2: host0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:e3:35:8d:8e:95 brd ff:ff:ff:ff:ff:ff
opensuse132c0:~ #

physnode1:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...]
29: vb-opensuse132c0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 0a:62:90:a4:b5:72 brd ff:ff:ff:ff:ff:ff
physnode1:~ #
journald and systemd-nspawn containers
• Integrating the journal of the host and the container:

# systemd-nspawn \
    -bD /srv/containers/centos \
    --link-journal=host
Containers as Service
Container as service
• Install Apache and a few other packages
• Create a machine-id for the container
• Create a systemd unit file

# install Apache
zypper --root /srv/containers/opensuse132/ install \
    openSUSE-release-13.2 apache2 timezone iproute2 rsyslog

# set up machine-id
systemd-nspawn -D /srv/containers/opensuse132/ \
    systemd-machine-id-setup

# unit file:
cat <<EOF > /etc/systemd/system/opensuse132c0.service
[Unit]
Description=Start an openSUSE 13.2 container
Wants=network.target nss-lookup.target
After=network.target nss-lookup.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/bin/systemd-nspawn -M opensuse132c0 -jD /srv/containers/opensuse132/
ExecStop=/usr/bin/machinectl terminate opensuse132c0

[Install]
WantedBy=machines.target
EOF
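An added example, not the deck's own code: a generator for the unit shown above that takes any machine name and root, plus a consistency check to run on a unit before enabling it (the -M name in ExecStart must be the one ExecStop terminates, the -D root must exist, and the unit must be wanted by machines.target). The unit layout is the slide's; the binary paths /usr/bin/systemd-nspawn and /usr/bin/machinectl are taken from it, and the checks only read the file.

```shell
#!/bin/sh
# Added example, not the deck's own code: generate the container service
# unit shown above for any machine name and root, and sanity-check a unit
# before enabling it. The unit layout is the slide's; the checks only read
# the file, so no systemd is needed to run them. Assumed: nspawn is at
# /usr/bin/systemd-nspawn and machinectl at /usr/bin/machinectl, as on the slide.

# write_nspawn_unit NAME ROOT OUTFILE
write_nspawn_unit() {
    name=$1; root=$2; out=$3
    # The machine name ends up in a unit name (machine-NAME.scope) and in
    # the ExecStart/ExecStop lines: keep it to safe characters.
    case "$name" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad machine name: '$name'" >&2; return 2 ;;
    esac
    cat > "$out" <<EOF
[Unit]
Description=Start the $name container from $root
Wants=network.target nss-lookup.target
After=network.target nss-lookup.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/bin/systemd-nspawn -M $name -jD $root
ExecStop=/usr/bin/machinectl terminate $name

[Install]
WantedBy=machines.target
EOF
}

# unit_value FILE KEY -> value of the last "KEY=..." line in FILE.
unit_value() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_nspawn_unit FILE
#   0 when the unit is consistent, 1 otherwise. It verifies that
#   - ExecStart names the machine with -M (otherwise nspawn derives the
#     name from the directory, as the "centos" example above shows),
#   - ExecStop terminates that same machine, not another one,
#   - the root directory passed to -D (or -jD) exists,
#   - the unit is pulled in by machines.target.
check_nspawn_unit() {
    file=$1
    start=$(unit_value "$file" ExecStart)
    stop=$(unit_value "$file" ExecStop)
    start_name=$(printf '%s\n' "$start" | sed -n 's/.*-M \([^ ]*\).*/\1/p')
    stop_name=$(printf '%s\n' "$stop" | sed -n 's/.*terminate \([^ ]*\).*/\1/p')
    root=$(printf '%s\n' "$start" | sed -n 's/.*-[A-Za-z]*D \([^ ]*\).*/\1/p')
    rc=0
    if [ -z "$start_name" ]; then
        echo "$file: ExecStart has no -M machine name" >&2; rc=1
    elif [ "$start_name" != "$stop_name" ]; then
        echo "$file: ExecStop terminates '$stop_name', ExecStart runs '$start_name'" >&2; rc=1
    fi
    [ -n "$root" ] && [ -d "$root" ] \
        || { echo "$file: container root '$root' does not exist" >&2; rc=1; }
    [ "$(unit_value "$file" WantedBy)" = machines.target ] \
        || { echo "$file: not wanted by machines.target" >&2; rc=1; }
    return "$rc"
}

# Demo: write a unit into a temporary directory and check it.
demo=$(mktemp -d)
mkdir -p "$demo/opensuse132"
write_nspawn_unit opensuse132c0 "$demo/opensuse132/" "$demo/opensuse132c0.service"
check_nspawn_unit "$demo/opensuse132c0.service" && cat "$demo/opensuse132c0.service"
rm -rf "$demo"
```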
Managing containers
nsenter
• nsenter - run a program with the namespaces of other processes

# machinectl
MACHINE       CONTAINER SERVICE
opensuse132c0 container nspawn
1 machines listed.
# machinectl status opensuse132c0
opensuse132c0
           Since: Sun 2015-04-12 03:54:18 CEST; 37s ago
          Leader: 17717 (systemd)
         Service: nspawn; class container
            Root: /srv/containers/opensuse132
            Unit: machine-opensuse132c0.scope
                  ├─17717 /usr/lib/systemd/systemd
                  └─system.slice
                    ├─dbus.service
                    […]
# nsenter --target 17717 --mount --uts --ipc --net --pid
opensuse132c0:/ # systemctl disable rsyslog
rm '/etc/systemd/system/multi-user.target.wants/rsyslog.service'
rm '/etc/systemd/system/syslog.service'
opensuse132c0:/ #
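An added example, not from the deck: pull the leader PID and root out of `machinectl status NAME` output and assemble the nsenter command the slide types by hand, refusing to build it when no usable PID is present. The status text below is constructed after the slide's output so the script runs without a container; on a real host pass "$(machinectl status NAME)" instead.

```shell
#!/bin/sh
# Added example, not the deck's own code: extract the leader PID and root
# from `machinectl status NAME` output and assemble the nsenter command the
# slide types by hand, refusing to build it when no sane PID is present.
# The sample text below is constructed after the slide's output so the
# script runs without a container; on a host, pass "$(machinectl status NAME)".

# Constructed sample, modelled on the status output above.
SAMPLE_STATUS='opensuse132c0
           Since: Sun 2015-04-12 03:54:18 CEST; 37s ago
          Leader: 17717 (systemd)
         Service: nspawn; class container
            Root: /srv/containers/opensuse132
            Unit: machine-opensuse132c0.scope
                  ├─17717 /usr/lib/systemd/systemd
                  └─system.slice'

# status_field TEXT LABEL -> text after "LABEL:" on the first matching line.
status_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# leader_pid TEXT -> numeric PID from the "Leader:" line, or nothing.
leader_pid() {
    status_field "$1" Leader | sed -n 's/^\([0-9][0-9]*\).*/\1/p'
}

# nsenter_cmd TEXT -> the nsenter command line for the container's
#   mount, UTS, IPC, network and PID namespaces (as on the slide).
#   Fails when the PID is missing or is 1: PID 1 is the host's own init,
#   and entering its namespaces would leave you on the host.
nsenter_cmd() {
    pid=$(leader_pid "$1")
    case "$pid" in
        ""|1) echo "no usable leader PID in status output" >&2; return 1 ;;
    esac
    printf 'nsenter --target %s --mount --uts --ipc --net --pid\n' "$pid"
}

# Demo: print the command (it is not executed here).
echo "root: $(status_field "$SAMPLE_STATUS" Root)"
nsenter_cmd "$SAMPLE_STATUS"
```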
Summary
systemd-nspawn
• Makes containers easy
• Everyone familiar with “chroot” instantly “gets” systemd-nspawn
• Does not have special dependencies, like e.g. docker
• It is available on all modern Linux distros
Thank you.
Questions?

Weitere ähnliche Inhalte

Was ist angesagt?

PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021
PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021
PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021Preferred Networks
 
Improving Real-Time Performance on Multicore Platforms using MemGuard
Improving Real-Time Performance on Multicore Platforms using MemGuardImproving Real-Time Performance on Multicore Platforms using MemGuard
Improving Real-Time Performance on Multicore Platforms using MemGuardHeechul Yun
 
The ideal and reality of NVDIMM RAS
The ideal and reality of NVDIMM RASThe ideal and reality of NVDIMM RAS
The ideal and reality of NVDIMM RASYasunori Goto
 
Introduction to yocto
Introduction to yoctoIntroduction to yocto
Introduction to yoctoAlex Gonzalez
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 
Xen Project Contributor Training - Part 1 introduction v1.0
Xen Project Contributor Training - Part 1 introduction v1.0Xen Project Contributor Training - Part 1 introduction v1.0
Xen Project Contributor Training - Part 1 introduction v1.0The Linux Foundation
 
RunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeRunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeStefano Stabellini
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectYen-Chin Lee
 
DPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングDPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングTomoya Hibi
 
IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)
IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)
IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)Alexandre Gouaillard
 
OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月
OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月
OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月VirtualTech Japan Inc.
 
Microservices Network Architecture 101
Microservices Network Architecture 101Microservices Network Architecture 101
Microservices Network Architecture 101Cumulus Networks
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless KubernetesAkihiro Suda
 
IBM Think 2020 Openshift on IBM Z and LinuxONE
IBM Think 2020 Openshift on IBM Z and LinuxONEIBM Think 2020 Openshift on IBM Z and LinuxONE
IBM Think 2020 Openshift on IBM Z and LinuxONEFilipe Miranda
 

Was ist angesagt? (20)

PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021
PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021
PFNのML/DL基盤を支えるKubernetesにおける自動化 / DevOpsDays Tokyo 2021
 
Improving Real-Time Performance on Multicore Platforms using MemGuard
Improving Real-Time Performance on Multicore Platforms using MemGuardImproving Real-Time Performance on Multicore Platforms using MemGuard
Improving Real-Time Performance on Multicore Platforms using MemGuard
 
The ideal and reality of NVDIMM RAS
The ideal and reality of NVDIMM RASThe ideal and reality of NVDIMM RAS
The ideal and reality of NVDIMM RAS
 
Introduction to yocto
Introduction to yoctoIntroduction to yocto
Introduction to yocto
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
 
Xen Project Contributor Training - Part 1 introduction v1.0
Xen Project Contributor Training - Part 1 introduction v1.0Xen Project Contributor Training - Part 1 introduction v1.0
Xen Project Contributor Training - Part 1 introduction v1.0
 
RunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeRunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edge
 
Linux Namespaces
Linux NamespacesLinux Namespaces
Linux Namespaces
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O Schedulers
 
Build your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto projectBuild your own embedded linux distributions by yocto project
Build your own embedded linux distributions by yocto project
 
DPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングDPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキング
 
BeagleBone Black Bootloaders
BeagleBone Black BootloadersBeagleBone Black Bootloaders
BeagleBone Black Bootloaders
 
Character Drivers
Character DriversCharacter Drivers
Character Drivers
 
IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)
IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)
IIT-RTC 2017 Qt WebRTC Tutorial (Qt Janus Client)
 
Linux basics
Linux basicsLinux basics
Linux basics
 
OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月
OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月
OpenStack-Ansibleで作るOpenStack HA環境 手順書解説 - OpenStack最新情報セミナー 2016年3月
 
Microservices Network Architecture 101
Microservices Network Architecture 101Microservices Network Architecture 101
Microservices Network Architecture 101
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless Kubernetes
 
IBM Think 2020 Openshift on IBM Z and LinuxONE
IBM Think 2020 Openshift on IBM Z and LinuxONEIBM Think 2020 Openshift on IBM Z and LinuxONE
IBM Think 2020 Openshift on IBM Z and LinuxONE
 

Ähnlich wie Containers with systemd-nspawn

Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactAlessandro Selli
 
NFD9 - Matt Peterson, Data Center Operations
NFD9 - Matt Peterson, Data Center OperationsNFD9 - Matt Peterson, Data Center Operations
NFD9 - Matt Peterson, Data Center OperationsCumulus Networks
 
Interview questions
Interview questionsInterview questions
Interview questionsxavier john
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdfqqlove2
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdfsptlove
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdfsptlove
 

Ähnlich wie Containers with systemd-nspawn (20)

Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compact
 
NFD9 - Matt Peterson, Data Center Operations
NFD9 - Matt Peterson, Data Center OperationsNFD9 - Matt Peterson, Data Center Operations
NFD9 - Matt Peterson, Data Center Operations
 
KCC_Final.pdf
KCC_Final.pdfKCC_Final.pdf
KCC_Final.pdf
 
Jana treek 4
Jana treek 4Jana treek 4
Jana treek 4
 
unixtoolbox
unixtoolboxunixtoolbox
unixtoolbox
 
Interview questions
Interview questionsInterview questions
Interview questions
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
 
Unixtoolbox
UnixtoolboxUnixtoolbox
Unixtoolbox
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
 
 
Develop
DevelopDevelop
Develop
 
unixtoolbox.pdf
unixtoolbox.pdfunixtoolbox.pdf
unixtoolbox.pdf
 
 

Kürzlich hochgeladen

SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 

Kürzlich hochgeladen (20)

SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf

Containers with systemd-nspawn

1. Containers with systemd-nspawn
Gábor Nyers
Consultant & Trainer @Trebut
gnyers@trebut.com
@gabornyers

2. Agenda
● An example systemd-nspawn container
● What is systemd-nspawn and systemd
● Related Concept: Kernel CGroups
● Bootable containers
● Containers as Service
● Advanced topic: Socket Activation

4. A Simple Application Container
• Start up container
• List of processes
• Try to install package
  ‣ Limited footprint and exposure!
• On host OS: list kernel control groups

# systemd-nspawn -jD /srv/containers/opensuse132/ -M opensuse132c0 /bin/bash
opensuse132c0:~ # ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 04:16 ?        00:00:00 -bash
root        43     1  0 04:18 ?        00:00:00 ps -ef
opensuse132c0:~ # zypper install wget
-bash: zypper: command not found

physnode1:~ # machinectl
MACHINE        CONTAINER SERVICE
opensuse132c0  container nspawn

1 machines listed.
physnode1:~ # systemd-cgls
├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
├─machine.slice
│ └─machine-opensuse132c0.scope
│   └─18329 -bash
[…]
physnode1:~ # ps -ef -o pid,ppid,machine,cmd

5. Create application container
• Bootstrap directory
• Install a few packages

# zypper --root /srv/containers/opensuse132/ addrepo \
    http://download.opensuse.org/distribution/13.2/repo/oss/ repo-oss
# zypper --root /srv/containers/opensuse132/ addrepo \
    http://download.opensuse.org/distribution/13.2/repo/non-oss/ repo-non-oss
# zypper --root /srv/containers/opensuse132/ install \
    openSUSE-release-13.2 bash procps coreutils vim

6. systemd-nspawn
• What is systemd?
• What is systemd-nspawn?
• Adoption

7. What is systemd? 1/3
• a system- and session manager for Linux,
• provides aggressive parallelization capabilities (no shell during boot!),
• uses socket and D-Bus activation for starting services,
• offers on-demand starting of services,
• keeps track of processes using Linux cgroups,

8. What is systemd? 2/3
• supports restoring the system's state to a predefined state,
• maintains mount and auto-mount points,
• provides dependency based service control logic,
• provides replacement for a number of well-known tools, e.g.: udev, automount, inetd, consolekit and syslog,
• a drop-in replacement for sysvinit

9. What is systemd? 3/3
There is a lot of criticism and opinions as well...
• “It's not the UNIX way”, referring to the “do one thing and do it well” maxim
• “It's monolithic”
• “It introduces too many dependencies”
• (and worse)
... but we won't be addressing these today :-)

10. An aside: People and Innovation...
“If I had asked people what they wanted, they would have said faster horses”
Henry Ford

11. What is systemd-nspawn?
• “chroot on steroids...”
• Invented for debug and test of systemd development
• Turns out to be a great container manager
• systemd-nspawn vs. docker
  ‣ Management of containers vs. containers + images
  ‣ Inherited networking vs. need to set up networking

12. systemd adoption

Distribution              Added to repositories   Enabled by default?   Released as default
SUSE Linux Enterprise     v12                     Yes                   Yes
openSUSE                  v11.4                   Yes                   v12.2 (2012)
Fedora                    v15 (2011)              Yes                   v15 (2011)
Red Hat Linux Enterprise  v7 (2014)               Yes                   v7 (2014)
Debian                    in 2012                 Yes                   v8 (2015)
Arch Linux                in 2012                 Yes                   2012
Ubuntu                    v13.04 (2013)           Yes                   v15.04 (2015)

see also: http://en.wikipedia.org/wiki/Systemd#Adoption_and_reception

13. Related Concept
• Kernel cgroups (independent of systemd)

14. Kernel Cgroups (Control Groups)
• Linux Kernel facility allowing the grouping of processes (and their “children”) into a tree-structure hierarchy
• Each group can be assigned a quota for these system resources:
  ‣ CPU
  ‣ RAM
  ‣ Disk I/O
  ‣ Network I/O

Control groups hierarchy created by systemd:
├─machine.slice
│ └─machine-qemu\x2dsles1201.scope
│   └─20958 /usr/bin/qemu-system-x86_64 -m...
├─user.slice
│ ├─user-0.slice
│ │ └─user@0.service
│ │   ├─4322 /usr/lib/systemd/systemd --us...
│ │   └─4323 (sd-pam)
│ ├─user-1000.slice
│ │ ├─session-560.scope
│ │ │ ├─ 2810 /usr/bin/claws-mail
│ │ │ ├─ 3035 /usr/lib64/firefox/firefox
│ │ │ ├─ 3086 /usr/lib/mozilla/kmozillahel...
│ │ │ ├─ 5459 /bin/bash
│ │ │ ├─ 7854 /usr/bin/kwalletmanager --kw...
│ │ ├─session-1.scope
│ │ │ ├─4179 /bin/bash ./bridge start
│ │ │ └─4182 dnsmasq --conf-file=mydnsmasq...
│ │ └─user@1000.service
│ │   ├─1891 /usr/lib/systemd/systemd --us...
│ │   └─1892 (sd-pam)
│ └─user-489.slice
│   └─user@489.service
│     ├─1703 /usr/lib/systemd/systemd --us...
│     └─1704 (sd-pam)
└─system.slice
  ├─libvirtd.service
  │ └─4008 /usr/sbin/libvirtd --listen
  ├─rsyslog.service
  │ └─985 /usr/sbin/rsyslogd -n
  ├─apache2.service
  │ ├─1254 /usr/sbin/httpd2-prefork -f /et...
  │ └─1840 /usr/sbin/httpd2-prefork -f /et...

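The machine column of `ps -o machine` on slide 4 and the machine.slice subtree of systemd-cgls both come from the cgroup path of each process. The following POSIX sh example is added here and is not part of the slides: it maps a cgroup path, or the lines of a /proc/PID/cgroup file, to the systemd-nspawn machine name, undoing the `\x2d` escaping systemd applies to `-` inside unit names (the `machine-qemu\x2dsles1201.scope` entry above). All cgroup lines used in it are constructed from the slides.

```shell
#!/bin/sh
# Added example, not part of the slides: map a process to the systemd-nspawn
# machine that owns it by reading its cgroup path, the same data behind
# "systemd-cgls" and "ps -o machine". Processes that are not below
# machine.slice run on the host itself.

# Print the machine name encoded in one cgroup path; fail (status 1) when
# the path is not inside a machine-*.scope.
machine_of_cgroup_path() {
    path=$1
    case $path in
        */machine.slice/machine-*.scope*) ;;
        *) return 1 ;;
    esac
    name=${path##*/machine.slice/machine-}   # drop everything up to "machine-"
    name=${name%%.scope*}                    # drop ".scope" and any sub-cgroups
    # systemd escapes "-" inside unit names as \x2d; undo it for the real name
    printf '%s\n' "$name" | sed 's/\\x2d/-/g'
}

# Scan the lines of a /proc/PID/cgroup file. cgroup v1 lists one line per
# controller ("1:name=systemd:/path"); cgroup v2 has a single "0::/path" line.
machine_of_cgroup_lines() {
    while IFS=: read -r _hid ctrl cgpath; do
        case $ctrl in
            name=systemd|'') machine_of_cgroup_path "$cgpath" && return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Convenience wrapper for a live PID (needs read access to /proc/PID/cgroup).
machine_of_pid() {
    [ -r "/proc/$1/cgroup" ] || return 2
    machine_of_cgroup_lines "$(cat "/proc/$1/cgroup")"
}

# Usage: report where this very shell lives.
if m=$(machine_of_pid "$$"); then
    echo "PID $$ belongs to machine $m"
else
    echo "PID $$ is not inside a machine scope (host process)"
fi
```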
16. Bootable OS container [1/4] Bootstrap
• Host properties
• Install YUM
• Bootstrap RPM DB
• Install CentOS 7 release package
• Install a few packages and their dependencies

# hostnamectl
   Static hostname: physnode1.trebut.com
         Icon name: computer-laptop
           Chassis: laptop
        Machine ID: b4ea4eb15ab7c29b6cc20a47544e5eb7
           Boot ID: 3c4e7b5067d247939b89d7e7b57c1132
  Operating System: openSUSE 13.2 (Harlequin) (x86_64)
       CPE OS Name: cpe:/o:opensuse:opensuse:13.2
            Kernel: Linux 3.16.7-7-desktop
      Architecture: x86-64
# zypper install yum
# rpm --root /srv/containers/centos/ --initdb
# rpm --root /srv/containers/centos/ -ihv \
    http://mirror.centos.org/centos/7.1.1503/os/x86_64/Packages/centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
# yum -y --nogpg --releasever=7 --installroot=/srv/containers/centos/ \
    install systemd passwd yum vim-minimal

17. Bootable OS container [2/4] Boot container
• Boot container
  ‣ systemd-nspawn -bD /srv/containers/centos/

# systemd-nspawn -bD /srv/containers/centos/
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'systemd-nspawn'.

Welcome to CentOS Linux 7 (Core)!

Set hostname to <centos7c0>.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice User and Session Slice.
[  OK  ] Created slice System Slice.
[  OK  ] Created slice system-getty.slice.
[  OK  ] Reached target Slices.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
         Starting Journal Service...
[  OK  ] Started Journal Service.
[  OK  ] Reached target Paths.
         Mounting Debug File System...
         Mounting FUSE Control File System...
         Starting Create static device nodes in /dev...
         Mounting POSIX Message Queue File System...
[...]
[  OK  ] Started Login Service.
[  OK  ] Started Permit User Sessions.
         Starting Console Getty...
[  OK  ] Started Console Getty.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.

CentOS Linux 7 (Core)
Kernel 3.16.7-7-desktop on an x86_64

centos7c0 login:

18. Bootable OS container [3/4] Instance properties

OS properties from inside the container:
CentOS Linux 7 (Core)
Kernel 3.16.7-7-desktop on an x86_64

centos7c0 login: root
Password:
Last login: Sat Apr 11 23:22:04 on console
-bash-4.2# hostnamectl
   Static hostname: centos7c0
         Icon name: computer-container
           Chassis: container
        Machine ID: afb4a0719ad842c99dd7cc704919a2fe
           Boot ID: 7c03b147c9114632b96bbeb2a462cf5a
    Virtualization: systemd-nspawn
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.16.7-7-desktop
      Architecture: x86_64
-bash-4.2#

Container properties (seen from the host):
# machinectl
MACHINE   CONTAINER SERVICE
centos    container nspawn

1 machines listed.
physnode1:~ # systemd-cgls
├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
├─machine.slice
│ └─machine-centos.scope
│   ├─10159 /usr/lib/systemd/systemd
│   └─system.slice
│     ├─dbus.service
│     │ └─10184 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│     ├─systemd-journald.service
│     │ └─10167 /usr/lib/systemd/systemd-journald
│     ├─systemd-logind.service
│     │ └─10183 /usr/lib/systemd/systemd-logind
│     └─console-getty.service
│       └─10189 /sbin/agetty --noclear --keep-baud console 115200 38400 9600
├─system.slice

19. Bootable OS container [4/4] Shutdown container
• Shutdown container from the inside:
  ‣ Type: `init 0` or `poweroff` (note: requires a running init in the container)
  ‣ Type: ^]^]^] (3x CTRL+])
• Shutdown container from the host:
  ‣ machinectl terminate $CONT

-bash-4.2# init 0
[  OK  ] Removed slice user-0.slice.
[  OK  ] Removed slice system-getty.slice.
         Stopping Hostname Service...
[  OK  ] Stopped target Graphical Interface.
[  OK  ] Stopped target Multi-User System.
[  OK  ] Stopped target Login Prompts.
         Stopping Console Getty...
         Stopping Login Service...
         Stopping D-Bus System Message Bus...
[  OK  ] Stopped Login Service.
[  OK  ] Stopped D-Bus System Message Bus.
[  OK  ] Stopped Console Getty.
         Stopping Permit User Sessions...
[  OK  ] Stopped Permit User Sessions.
[  OK  ] Stopped target Remote File Systems.
[  OK  ] Stopped Hostname Service.
[  OK  ] Stopped target Basic System.
[  OK  ] Stopped target Slices.
[  OK  ] Removed slice User and Session Slice.
[  OK  ] Stopped target Paths.
[  OK  ] Stopped target Timers.
[  OK  ] Stopped target Sockets.
[  OK  ] Closed D-Bus System Message Bus Socket.
[  OK  ] Stopped target System Initialization.
[  OK  ] Stopped target Encrypted Volumes.
         Stopping Load/Save Random Seed...
         Stopping Update UTMP about System Reboot/Shutdown...
[  OK  ] Stopped target Swap.
[  OK  ] Stopped Update UTMP about System Reboot/Shutdown.
[  OK  ] Stopped Load/Save Random Seed.
         Stopping Create Volatile Files and Directories...
[  OK  ] Stopped Create Volatile Files and Directories.
[  OK  ] Reached target Shutdown.
physnode1:/srv/containers #

20. Networking and systemd-nspawn containers
‣ By default the nspawn container will inherit the network settings of the host
‣ /etc/resolv.conf will be copied into the container

Networking in the container:
-bash-4.2# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0
       valid_lft 14611sec preferred_lft 14611sec
    inet6 fe80::224:d6ff:fe89:521e/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
-bash-4.2# md5sum /etc/resolv.conf
a92a6e440cd677ad17748aa29c5a7333  /etc/resolv.conf

Networking at the host OS:
physnode1:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.27/21 brd 10.1.7.255 scope global dynamic wlp12s0
       valid_lft 14433sec preferred_lft 14433sec
    inet6 fe80::224:d6ff:fe89:521e/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
physnode1:~ # md5sum /etc/resolv.conf
a92a6e440cd677ad17748aa29c5a7333  /etc/resolv.conf

21. More advanced networking
‣ Create a virtual ethernet device, with name “vb-$machinename”
‣ Connect the veth device to bridge “virbr0”

# systemd-nspawn -bD /srv/containers/opensuse132/ --network-bridge=virbr0 --network-veth

[Diagram: physnode1: virbr0 <-> veth (vb-opensuse132c0) | opensuse132c0: veth (host0)]

opensuse132c0:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...]
2: host0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:e3:35:8d:8e:95 brd ff:ff:ff:ff:ff:ff
opensuse132c0:~ #

physnode1:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group [...]
29: vb-opensuse132c0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 0a:62:90:a4:b5:72 brd ff:ff:ff:ff:ff:ff
physnode1:~ #

22. journald and systemd-nspawn containers
• Integrating the journal of the host and the container:

# systemd-nspawn -bD /srv/containers/centos --link-journal=host

24. Container as service
• Install Apache and a few other packages
• Create a machine-id for the container
• Create systemd unit file

# install Apache
zypper --root /srv/containers/opensuse132/ install \
    openSUSE-release-13.2 apache2 timezone iproute2 rsyslog

# set up machine-id
systemd-nspawn -D /srv/containers/opensuse132/ systemd-machine-id-setup

# unit file:
cat <<EOF > /etc/systemd/system/opensuse132c0.service
[Unit]
Description=Start an openSUSE 13.2 container
Wants=network.target nss-lookup.target
After=network.target nss-lookup.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/bin/systemd-nspawn -M opensuse132c0 -jD /srv/containers/opensuse132/
ExecStop=/usr/bin/machinectl terminate opensuse132c0

[Install]
WantedBy=machines.target
EOF

25. Managing containers: nsenter
• nsenter - run a program with the namespaces of other processes

# machinectl
MACHINE        CONTAINER SERVICE
opensuse132c0  container nspawn

1 machines listed.
# machinectl status opensuse132c0
opensuse132c0
           Since: Sun 2015-04-12 03:54:18 CEST; 37s ago
          Leader: 17717 (systemd)
         Service: nspawn; class container
            Root: /srv/containers/opensuse132
            Unit: machine-opensuse132c0.scope
                  ├─17717 /usr/lib/systemd/systemd
                  └─system.slice
                    ├─dbus.service
                    […]
# nsenter --target 17717 --mount --uts --ipc --net --pid
opensuse132c0:/ # systemctl disable rsyslog
rm '/etc/systemd/system/multi-user.target.wants/rsyslog.service'
rm '/etc/systemd/system/syslog.service'
opensuse132c0:/ #

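Slides 20, 21 and 25 together raise a practical question: which namespaces does a running container actually own? With the default networking of slide 20 the container shares the host's network namespace, and nsenter only places you in the namespaces you name. The following POSIX sh example is added here and is not part of the slides: it extracts the leader PID from `machinectl status` output, compares the container's /proc/PID/ns links with those of the host's PID 1, and prints the nsenter command from slide 25. The status text is constructed from slide 25; the /proc comparison needs root on a real host.

```shell
#!/bin/sh
# Added example, not part of the slides: find a container's leader PID from
# "machinectl status" output, then show which namespaces the container really
# has of its own before entering them with nsenter. A default nspawn container
# (slide 20) shares the host's network namespace, and that is visible here.

# Constructed sample of "machinectl status opensuse132c0" (values from slide 25).
STATUS_SAMPLE='opensuse132c0
           Since: Sun 2015-04-12 03:54:18 CEST; 37s ago
          Leader: 17717 (systemd)
         Service: nspawn; class container
            Root: /srv/containers/opensuse132'

# Extract the PID from the "Leader: 17717 (systemd)" line.
leader_pid() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Leader:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Compare two /proc/PID/ns/* link targets such as "net:[4026531992]".
ns_compare() {
    if [ "$1" = "$2" ]; then echo shared; else echo separate; fi
}

# Resolve the namespace links of two PIDs and compare them (needs root, or at
# least ptrace access to both processes).
ns_state() {
    a=$(readlink "/proc/$2/ns/$1") || return 2
    b=$(readlink "/proc/$3/ns/$1") || return 2
    ns_compare "$a" "$b"
}

# Report the container's namespaces relative to the host's PID 1 and print the
# nsenter command; "net shared" means the container inherited host networking.
report_container_ns() {
    pid=$(leader_pid "$1")
    [ -n "$pid" ] || return 1
    for ns in mnt uts ipc net pid; do
        printf '%-4s %s\n' "$ns" "$(ns_state "$ns" 1 "$pid" || echo unknown)"
    done
    echo "nsenter --target $pid --mount --uts --ipc --net --pid"
}

# Usage on a real host, as root: report_container_ns "$(machinectl status NAME)"
if [ "$(id -u)" = 0 ] && command -v machinectl >/dev/null 2>&1; then
    report_container_ns "$(machinectl status opensuse132c0 2>/dev/null)" || true
fi
```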
26. Summary: systemd-nspawn
• Makes containers easy
• Everyone familiar with “chroot” instantly “gets” systemd-nspawn
• Does not have special dependencies, unlike e.g. docker
• It is available on all modern Linux distros