Re: [systemd-devel] systemd config recipes for namespace-isolated webapps
On Wed, 03.07.13 11:47, Martin Langhoff (martin.langh...@gmail.com) wrote:

> On Wed, Jul 3, 2013 at 10:49 AM, Zbigniew Jędrzejewski-Szmek
> <zbys...@in.waw.pl> wrote:
> > > - How do I tell several services to use the same cg?
> > They can't all use the same cg, because systemd uses groups to group
> > units. But they can share a slice of resources, by assigning a group
> > of services to the same systemd .slice. This part is currently in fast
> > development, but should be usable already.
>
> In F19 / systemd v209, is there any usable way to have slices or
> something resembling them?

No, this will only be in F20.

Lennart

--
Lennart Poettering - Red Hat, Inc.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemd config recipes for namespace-isolated webapps
On Wed, Jul 3, 2013 at 12:53 AM, Zbigniew Jędrzejewski-Szmek
<zbys...@in.waw.pl> wrote:
> I haven't really tried anything like what you describe, but in general
> both container and container-less approaches should work.

Thanks for your reply. Yes, I get the sense that in general, it should
work. As usual, the devil's in the details...

In both container and container-less cases...

- How do I handle cronjobs?
- How do I tell several services to use the same cg?

Then... if I set up a single chroot and try to launch many containers on
top of it...

- does the stateless service work?
- how can I key stateless writable dirs on a per-container instance?

cheers,

m
--
martin.langh...@gmail.com
- ask interesting questions
- don't get distracted with shiny stuff
- working code first
~ http://docs.moodle.org/en/User:Martin_Langhoff
Re: [systemd-devel] systemd config recipes for namespace-isolated webapps
On Wed, Jul 03, 2013 at 07:40:33AM -0400, Martin Langhoff wrote:
> On Wed, Jul 3, 2013 at 12:53 AM, Zbigniew Jędrzejewski-Szmek
> <zbys...@in.waw.pl> wrote:
> > I haven't really tried anything like what you describe, but in general
> > both container and container-less approaches should work.
>
> Thanks for your reply. Yes, I get the sense that in general, it should
> work. As usual, the devil's in the details...
>
> In both container and container-less cases...
>
> - How do I handle cronjobs?
With systemd .timers and systemd .services activated by those timers.
If you mean real cronjobs, I don't know.

> - How do I tell several services to use the same cg?
They can't all use the same cg, because systemd uses groups to group
units. But they can share a slice of resources, by assigning a group of
services to the same systemd .slice. This part is currently in fast
development, but should be usable already.

> Then... if I set up a single chroot and try to launch many containers on
> top of it...
>
> - does the stateless service work?
In general, systemd is happy to only write to /run, which won't be shared,
so going with a read-only root should work.

> - how can I key stateless writable dirs on a per-container instance?
You can add a template .service which will mount some directory, let's say
/var/lib/container/etc, and make it PartOf the .service launching the
container. IIRC, templated .mount units are not possible currently, but
the same should be achievable with an explicit mount command.

Zbyszek
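The three recipes in the reply above (timer-driven jobs instead of cron, a shared .slice, and a template service that mounts per-instance writable state and is PartOf= the container's unit) written out as unit files. This is an added example, not code from the thread or from the systemd project. It assumes a systemd with slice support (v205 or later, i.e. the F20-era feature the thread refers to), the stock systemd-nspawn@.service booting /var/lib/container/%i, a customer called "acme", a shared read-only tree at /srv/webapp-root, per-instance state under /var/lib/container-state, and a webapp whose cron entry point is admin/cli/cron.php; all of those names are assumptions. One .slice file per customer is expected.

```ini
# --- /etc/systemd/system/customer-acme.slice ---
# Resource slice shared by every unit of customer "acme" (assumed name).
# Units join it with Slice= below; limits apply to the group as a whole.
[Unit]
Description=Resource slice for customer acme

[Slice]
CPUShares=512
MemoryLimit=1G

# --- /etc/systemd/system/webapp-cron@.service ---
# Timer-driven replacement for a cronjob; %i is the customer name.
[Unit]
Description=Maintenance job for customer %i

[Service]
Type=oneshot
User=webapp-%i
Slice=customer-%i.slice
ExecStart=/usr/bin/php /srv/webapp/%i/admin/cli/cron.php

# --- /etc/systemd/system/webapp-cron@.timer ---
# A template timer activates the service of the same instance name.
# Enable with: systemctl enable webapp-cron@acme.timer && systemctl start webapp-cron@acme.timer
[Unit]
Description=Maintenance timer for customer %i

[Timer]
OnCalendar=hourly

[Install]
WantedBy=timers.target

# --- /etc/systemd/system/container-data@.service ---
# Assembles a per-instance root for systemd-nspawn@%i.service from one
# shared, read-only tree plus instance-private writable directories, with
# explicit mount commands in place of a (not yet possible) template .mount.
# PartOf= means "systemctl stop systemd-nspawn@acme.service" also stops this
# unit, which runs the ExecStop= lines and unmounts everything again.
[Unit]
Description=Per-instance root and writable state for container %i
PartOf=systemd-nspawn@%i.service
Before=systemd-nspawn@%i.service

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed paths: /srv/webapp-root is the shared chroot; the stock
# systemd-nspawn@.service boots whatever is at /var/lib/container/%i.
ExecStart=/bin/mkdir -p /var/lib/container/%i /var/lib/container-state/%i/etc /var/lib/container-state/%i/var
ExecStart=/bin/mount --bind /srv/webapp-root /var/lib/container/%i
ExecStart=/bin/mount -o remount,bind,ro /var/lib/container/%i
ExecStart=/bin/mount --bind /var/lib/container-state/%i/etc /var/lib/container/%i/etc
ExecStart=/bin/mount --bind /var/lib/container-state/%i/var /var/lib/container/%i/var
ExecStop=/bin/umount /var/lib/container/%i/var
ExecStop=/bin/umount /var/lib/container/%i/etc
ExecStop=/bin/umount /var/lib/container/%i

# --- /etc/systemd/system/systemd-nspawn@.service.d/data.conf ---
# Drop-in so every container instance pulls in and waits for its data unit.
[Unit]
Requires=container-data@%i.service
After=container-data@%i.service
```

The instance-private etc/ and var/ directories shadow the shared tree's copies, so they have to be seeded once (for example by copying them out of /srv/webapp-root) before an instance is first started; the unit deliberately does not do that, because a failed mount on a half-populated directory is easier to notice than a container silently booting with an empty /etc. Because each instance gets its own bind-mount stack rather than a mount on the shared tree itself, two instances never see each other's writable state.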
Re: [systemd-devel] systemd config recipes for namespace-isolated webapps
On Wed, Jul 3, 2013 at 10:49 AM, Zbigniew Jędrzejewski-Szmek
<zbys...@in.waw.pl> wrote:
> > - How do I tell several services to use the same cg?
> They can't all use the same cg, because systemd uses groups to group
> units. But they can share a slice of resources, by assigning a group of
> services to the same systemd .slice. This part is currently in fast
> development, but should be usable already.

In F19 / systemd v209, is there any usable way to have slices or something
resembling them?

thanks!

m
[systemd-devel] systemd config recipes for namespace-isolated webapps
Hi folks!

At OLPC, I got an early chance to use and abuse systemd, and I like it
quite a bit.

We currently have ~500 identical VMs (created from kickstarts, kept almost
in sync via satellite), each hosts apache/mysql daemons, and 2 installs of
the same PHP webapp (production, test).

Goal is to reduce the number of VMs radically, as memory and storage
overheads are killing us.

I am now looking at systemd (under F-19, RHEL7 later) and wondering
whether there are any recipes that can guide me a bit through setting up
webapps in CGs with suitable namespaces.

What I _think_ I need is

 0 - one target per customer, which in turn pulls in
 1 - apache
 2 - mysql
 3 - cronjobs
 4 - apache/tomcat/java setup {for some customers}
 5 - sftp -- namespace-aware?

with 1,2 and 3 set to use the same CG. And stopping the target should
ensure all the CG is down/dead.

If possible, I prefer to avoid containers (and the associated chroot
maintenance).

High on the list of goals is to protect customers from data leakage, so
guidelines towards effective use of namespaces are sought here.

Pointers, hints, anyone else working in a similar direction?

cheers,

martin

ps: I have read all/most of LWN and Lennart's articles, but welcome a
gentle pointer if relevant...
Re: [systemd-devel] systemd config recipes for namespace-isolated webapps
On Tue, Jul 02, 2013 at 05:18:57PM -0400, Martin Langhoff wrote:
> Hi folks!
>
> At OLPC, I got an early chance to use and abuse systemd, and I like it
> quite a bit.
>
> We currently have ~500 identical VMs (created from kickstarts, kept
> almost in sync via satellite), each hosts apache/mysql daemons, and 2
> installs of the same PHP webapp (production, test).
>
> Goal is to reduce the number of VMs radically, as memory and storage
> overheads are killing us.
>
> I am now looking at systemd (under F-19, RHEL7 later) and wondering
> whether there are any recipes that can guide me a bit through setting up
> webapps in CGs with suitable namespaces.
>
> What I _think_ I need is
>
>  0 - one target per customer, which in turn pulls in
>  1 - apache
>  2 - mysql
>  3 - cronjobs
>  4 - apache/tomcat/java setup {for some customers}
>  5 - sftp -- namespace-aware?
>
> with 1,2 and 3 set to use the same CG. And stopping the target should
> ensure all the CG is down/dead.
>
> If possible, I prefer to avoid containers (and the associated chroot
> maintenance).

Hi,

I haven't really tried anything like what you describe, but in general
both container and container-less approaches should work.

with a container: you can have socket activated systemd-nspawn instance,
which boots to a default target containing your services 1-5 + whatever
special you want for that customer. It is currently not possible to launch
a systemd-nspawn container directly from /, but you can do a bind mount to
somewhere else. If by chroot maintenance you mean the need to copy stuff
between / and the container, then it can be avoided this way. Launching
systemd-nspawn containers directly from / is on the list of planned
things. systemd-nspawn@.service already provides part of the installation.

container-less: a bunch of template units with dependencies on one another
should do what you need (instance units can refer to each other). You can
use InaccessibleDirectories= and other settings to limit what those units
can see.

The version with containers is probably slightly more flexible and will
allow more customizations for each customer. The other one has probably
lower overhead. But both should work.

HTH,
Zbyszek
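The container-less recipe from the reply above, written out: one target per customer, template units that refer to each other by instance name, PartOf= so that stopping the target stops everything, and InaccessibleDirectories= plus the related namespace settings to limit what each daemon can see. This is an added example, not code from the thread or from the systemd project. It assumes one Unix user per customer (mysql-%i, webapp-%i), all of a customer's state under /srv/customer/%i owned by those users with mode 0750, per-customer config files at /etc/mysql/customer-%i.cnf and /etc/httpd/customer-%i.conf that point pid files, logs and the Listen address into that customer's own directories, a backup tree at /srv/backup, and Fedora's /usr/libexec/mysqld path; all of those are assumptions.

```ini
# --- /etc/systemd/system/customer@.target ---
# One target per customer (%i = customer name, e.g. "acme"). It pulls in
# the customer's instance units; they declare PartOf= this target, so
# "systemctl stop customer@acme.target" stops all of them.
[Unit]
Description=All services for customer %i
Requires=mysql@%i.service httpd@%i.service
After=mysql@%i.service httpd@%i.service

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/mysql@.service ---
# Assumed layout: per-customer Unix user mysql-%i, all state under
# /srv/customer/%i, networking off so the only path in is the Unix socket.
[Unit]
Description=MySQL for customer %i
PartOf=customer@%i.target

[Service]
User=mysql-%i
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/mysql/customer-%i.cnf --datadir=/srv/customer/%i/mysql --socket=/srv/customer/%i/run/mysqld.sock --skip-networking
# Private /tmp, root read-only except this customer's own state, and no
# view at all of home directories, root's files or the backup tree.
PrivateTmp=yes
ReadOnlyDirectories=/
ReadWriteDirectories=/srv/customer/%i/mysql /srv/customer/%i/run
InaccessibleDirectories=/home /root /srv/backup

# --- /etc/systemd/system/httpd@.service ---
# httpd starts as root to bind its port and drops to webapp-%i through the
# User/Group directives in its own (assumed) per-customer config file.
[Unit]
Description=Apache for customer %i
PartOf=customer@%i.target
Requires=mysql@%i.service
After=mysql@%i.service

[Service]
ExecStart=/usr/sbin/httpd -f /etc/httpd/customer-%i.conf -DFOREGROUND
PrivateTmp=yes
ReadOnlyDirectories=/
ReadWriteDirectories=/srv/customer/%i/webapp-data /srv/customer/%i/run
InaccessibleDirectories=/home /root /srv/backup
```

Two caveats a practitioner should keep in mind. First, InaccessibleDirectories= cannot express "every other customer's directory" without listing them, and listing /srv/customer while also granting /srv/customer/%i read-write would make the two settings collide, so separation between customers still rests on the per-customer Unix users and directory modes; the namespace settings remove what a daemon does not need at all (home directories, backups, a writable root), which shrinks what a compromised daemon can read or alter. Second, the read-write and inaccessible paths must already exist when the unit starts, otherwise the bind mounts fail and the unit does not start, which is the behaviour you want rather than a daemon running with looser isolation than configured.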