# Systemd nspawn container
A container adds a layer of isolation and abstraction: it lets another instance of a Linux distribution run on the kernel of the main Linux host.
On Linux, containers are implemented with the kernel's namespace functionality.
Namespaces are a system resource abstraction that lets different processes see different instances of a subsystem (process IDs, mount points, network interfaces and so on).
poppy has three btrfs subvolumes with no nested subvolumes: rootvol, etc, var. Each of these subvolumes is mounted separately in the host fstab. Not everyone favors this layout; some users would rather nest them: rootvol, rootvol/etc, rootvol/var. That flavor makes snapshots less easy to manage, hence the choice of non-nested subvolumes.
- download a basic fedora image
- mount poppy filesystem
- start the image as a container
- install Fedora server on the Host
Fetch a basic Fedora cloud image and mount the poppy root subvolume where the container tree will live:

```sh
# machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/22/Cloud/Images/x86_64/Fedora-Cloud-Base-22_Beta-20150415-x86_64.raw.xz
$ unxz Fedora-Cloud-Base-22_Beta-20150415.x86_64.raw.xz
# mount -o subvol=rootvol /dev/sdb1 /var/lib/machines/poppy
```

`--verify=no` turns off the checksum and signature verification of an image fetched over plain http; on any host that matters, keep the default `--verify=signature` so that a tampered download is rejected. The `unxz` step is only needed when the image is obtained by other means: `pull-raw` already decompresses it into `/var/lib/machines`.
A container does not see the filesystems outside it. From inside the container it is therefore impossible to ask the installer to put Fedora on /var/lib/machines/poppy on our host. The trick is to bind-mount our install directory onto a directory inside the container. As we have three directories to bind (/, /etc, /var), first boot the raw image and create the bind target directories:
```sh
# systemd-nspawn -M Fedora-Cloud-Base-22_Beta-20150415.x86_64.raw
[root@Fedora-Cloud-Base-22_Beta-20150415 ~]# mkdir -p /mnt/{etc,var}
```

Press Ctrl + d to exit the container, then start it again with the three bind mounts and install the server package set into /mnt:

```sh
# systemd-nspawn -M Fedora-Cloud-Base-22_Beta-20150415.x86_64.raw --bind=/var/lib/machines/poppy:/mnt --bind=/var/lib/machines/poppy/etc:/mnt/etc --bind=/var/lib/machines/poppy/var:/mnt/var
[root@Fedora-Cloud-Base-22_Beta-20150415 ~]# dnf -y --releasever=22 --nogpg --installroot=/mnt --disablerepo='*' --enablerepo=fedora install systemd passwd dnf fedora-release-server
...................
Complete!
```

With `--verify=no` above and `--nogpg` here, nothing in this chain is checked against Fedora's signing keys, so the resulting root filesystem is only as trustworthy as the mirror it came from.
Enter the new root without booting it and set the root password:

```sh
# systemd-nspawn -D /var/lib/machines/poppy
Spawning container mycontainer on /var/lib/machines/poppy
Press ^] three times within 1s to kill container.
-bash-4.2# passwd
.......
```
Then boot it:

```sh
# systemd-nspawn -bD /var/lib/machines/poppy
Spawning container poppy on /var/lib/machines/poppy.
Press ^] three times within 1s to kill container.
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization 'systemd-nspawn'.
Detected architecture 'x86-64'.
Welcome to Fedora 22 (Twenty Two)!
.................
Fedora release 22 (Twenty Two)
Kernel 3.19.3-3-apparmor on an x86_64 (console)
poppy login:
```
systemctl is the main command for controlling the host, machinectl manages containers and journalctl views the logs.
systemd-machined is a small daemon that tracks locally running virtual machines and containers in various ways. Its unit is static (started on demand over D-Bus), so there is nothing to enable; start it and check its status:

```sh
# systemctl start systemd-machined
$ systemctl status systemd-machined
● systemd-machined.service - Virtual Machine and Container Registration Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-machined.service; static; vendor preset: disabled)
   Active: active (running) since Mon 2015-04-27 15:50:54 CEST; 4h 17min ago
     Docs: man:systemd-machined.service(8)
           http://www.freedesktop.org/wiki/Software/systemd/machined
 Main PID: 8632 (systemd-machine)
   Status: "Processing requests..."
   CGroup: /system.slice/systemd-machined.service
           └─8632 /usr/lib/systemd/systemd-machined

Apr 27 15:50:54 hortensia systemd[1]: Starting Virtual Machine and Container Registration Service...
Apr 27 15:50:54 hortensia systemd[1]: Started Virtual Machine and Container Registration Service.
Apr 27 15:51:17 hortensia systemd-machined[8632]: New machine poppy.
```
Register the container as a unit so that it starts with the host, then list the registered machines:

```sh
# systemctl enable systemd-nspawn@poppy
# systemctl start systemd-nspawn@poppy
$ machinectl list
MACHINE CLASS     SERVICE
poppy   container nspawn
1 machines listed.
```
From inside a container, hostnamectl reports the chassis and virtualization type (here from a Fedora 25 container):

```sh
$ hostnamectl status
   Static hostname: thetradinghall.com
         Icon name: computer-container
           Chassis: container
        Machine ID: 59b720b533834a4eafe07a62c2482266
           Boot ID: 2d553605766b49e49e82fee6c756d5da
    Virtualization: systemd-nspawn
  Operating System: Fedora 25 (Server Edition)
       CPE OS Name: cpe:/o:fedoraproject:fedora:25
            Kernel: Linux 4.11.3-1-hortensia
      Architecture: x86-64
```
### Log in to a container that is already booted

```sh
# machinectl login poppy
Connected to machine poppy. Press ^] three times within 1s to exit session.

Fedora release 22 (Twenty Two)
Kernel 3.19.3-3-apparmor on an x86_64 (pts/0)
poppy login: ....
```

Exit the session with Ctrl + d, or press ^] three times within 1s.
### Shut down the container

```sh
# machinectl poweroff poppy
```
### Container logging information

On the host, systemd-cgls shows the container's service and every process running inside it:

```sh
$ systemd-cgls
................
│ ├─system-systemd\x2dnspawn.slice
│ │ └─systemd-nspawn@poppy.service
│ │   ├─5451 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --
│ │   ├─5453 /usr/lib/systemd/systemd
│ │   ├─system.slice
│ │   │ ├─dbus.service
│ │   │ │ └─5490 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activatio
│ │   │ ├─firewalld.service
│ │   │ │ └─5491 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
│ │   │ ├─crond.service
│ │   │ │ └─5497 /usr/sbin/crond -n
│ │   │ ├─systemd-journald.service
│ │   │ │ └─5476 /usr/lib/systemd/systemd-journald
│ │   │ ├─systemd-logind.service
│ │   │ │ └─5489 /usr/lib/systemd/systemd-logind
│ │   │ ├─polkit.service
│ │   │ │ └─5563 /usr/lib/polkit-1/polkitd --no-debug
│ │   │ ├─NetworkManager.service
│ │   │ │ └─5550 /usr/sbin/NetworkManager --no-daemon
│ │   │ └─console-getty.service
│ │   │   └─5496 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
```
### The -M switch

Systemd management commands accept the **-M** switch to address a container instead of the host:

```sh
# List all active units in the container
# systemctl -M poppy list-units

# Messages from the container's current boot
# journalctl -M poppy -b
```
## Resource management

Resource management relies on the kernel's [cgroups feature](https://wiki.archlinux.org/index.php/Cgroups), which limits, polices and accounts for the resource usage of groups of processes.
Creating and managing new groups is done on the host with the `cgcreate` command; `lssubsys` lists all the resource controllers available:

```sh
$ lssubsys
cpuset
cpu,cpuacct
blkio
memory
devices
freezer
net_cls
```

The controllers are mounted under `/sys/fs/cgroup`.
Values are changed by writing to the control files there with `echo`.
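As an added example (not from the original page or the systemd project), the following script applies the "echo into /sys/fs/cgroup" approach to the poppy container: it creates a group under the cgroup v1 memory controller, sets a hard limit and moves the container's processes into it, reading their PIDs from the unit's cgroup as laid out in the systemd-cgls tree above. The `CGROUP_ROOT` variable, the group name `poppy-mem` and the 512 MiB limit are assumptions; pointing `CGROUP_ROOT` at a scratch directory lets the functions run without root or a live hierarchy.

```sh
#!/bin/sh
# Added example, not from the original page or the systemd project: put the
# "poppy" container under a memory limit by writing to the cgroup v1 memory
# controller under /sys/fs/cgroup with echo, as the page describes.
# Assumptions: the CGROUP_ROOT variable, the group name "poppy-mem" and the
# 512 MiB limit; pointing CGROUP_ROOT at a scratch directory lets the
# functions run without root or a live hierarchy.
set -eu

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Create <group> under the memory controller and set its hard limit (bytes).
# Refuses to run if the controller is not mounted where the page says it is.
cg_memory_create() {
    group="$1" limit_bytes="$2"
    ctl="$CGROUP_ROOT/memory"
    [ -d "$ctl" ] || { echo "no memory controller under $ctl" >&2; return 1; }
    mkdir -p "$ctl/$group"
    echo "$limit_bytes" > "$ctl/$group/memory.limit_in_bytes"
}

# Move every PID listed in <procs_file> (one per line, the layout of a
# cgroup.procs file) into <group>.  The kernel accepts one PID per write, so
# each is written on its own; a PID that exited in between is reported,
# not fatal.
cg_memory_attach() {
    group="$1" procs_file="$2"
    target="$CGROUP_ROOT/memory/$group/cgroup.procs"
    while read -r pid; do
        if [ -n "$pid" ]; then
            echo "$pid" >> "$target" || echo "could not move pid $pid" >&2
        fi
    done < "$procs_file"
}

# Read the limit back, so a script can verify what the kernel accepted
# (the kernel may round the value to a page multiple).
cg_memory_limit() {
    cat "$CGROUP_ROOT/memory/$1/memory.limit_in_bytes"
}

# Real use on the host (as root): "sh limit.sh apply".  The unit's cgroup
# path follows the systemd-cgls tree shown on the page.
if [ "${1:-}" = "apply" ]; then
    unit="$CGROUP_ROOT/systemd/system.slice/system-systemd\x2dnspawn.slice/systemd-nspawn@poppy.service"
    cg_memory_create poppy-mem 536870912
    cg_memory_attach poppy-mem "$unit/cgroup.procs"
    echo "poppy memory limit: $(cg_memory_limit poppy-mem) bytes"
fi
```

On a cgroup v2 host the controllers share one hierarchy and `memory.limit_in_bytes` becomes `memory.max`, so the paths above do not apply. Since the container is already a systemd unit, the cleaner route on either version is a unit property such as `systemctl set-property systemd-nspawn@poppy.service MemoryLimit=512M`, which systemd enforces itself and keeps across restarts.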
## Resources

* [Arch Linux wiki](https://wiki.archlinux.org/index.php/Systemd-nspawn)
* [Container management](http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/)
* [systemd-nspawn man page](http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html)
* [LSE - systemd-nspawn presentation](https://lse.epita.fr/data/lt/2015-02-10/lt-2015-02-10-Remi_Audebert-systemd_nspawn.pdf)
* [kumar-pravin blogspot](http://kumar-pravin.blogspot.ch/2015/02/create-lightweight-containers-using.html)
* [Linux containers](http://moi.vonos.net/linux/linux-containers)
* [systemd-nspawn and overlayfs](https://www.insecure.ws/linux/systemd_nspawn.html)
* [CoreOS: getting started with systemd](https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/)
* [0pointer blog](http://0pointer.net/blog/index2.html)