Hi again all, TL;DR: would it be possible (or make sense) to have systemd Match rules for network units that could match on some artifact of the network the link is attached to like vlan tag, router advertisement, wireless access point or gateway mac, etc.?
So, the original motivation for this question comes from a web hosting platform we developed that uses something like lightweight pre-containers for running multiple apache instances per VM. Multiple instances per VM, each running as their own user, in order to avoid the overhead of full on VMs for each apache (which are generally mostly idle) without the performance overhead of something like suexec. In order to run them each as their own user, we bound them each to their own IPv6 address [2]. A separate reverse proxy setup provides IPv4 connectivity, caching, security filters, etc. Anyways, in the past all of this dependency and setup madness was managed with some Perl scripts and a database that would just setup appropriate conf files on disk, addresses on the appropriate network interfaces (there are between two or four on each node), and environment variables before calling the standard sysv init script multiple times to start each instance. As I'm thinking about how I could move towards a systemd integrated system, I'm hoping to summarize this process to just stamping out (possibly instanced) apache service unit files, php-fpm unit files, maybe some slice unit files for arranging them into appropriate cgroup hierarchies, maybe some lightweight container features like fs namespaces, probably grouped by some target(s) for handling batch operations, etc., and just make systemd manage the process dependencies starting/stopping/monitoring/etc. However, the missing bit then would be network address assignment for the various instances to the right interfaces. Ideally, I'd just stamp out network unit files and have the apache instance units depend upon that, but the trouble is that traditionally NIC naming hasn't always been consistent in the past. I've read through [1], but it doesn't really provide what I'm looking for. Physical layout of the nic-port-types is semi interesting and perhaps consistent, but network operator error may result in a misassigned vlan port, or simply the wrong cable to the wrong port (which can be true for physical or virtual realms unfortunately), etc. What I did in the past to work around that was to use ndisc6 or something similar to verify that the expected interface had the expected network properties - in this case a router advertisement. Something similar in a Match section in systemd network units I would think could be useful. It could also be extended to other ideas like which wireless access point you're attached to at the moment, or what the MAC address of the gateway is that DHCP assigned to you, or what tagged vlan attributes you see on the wire, etc. That could be used to fire off other configuration events, especially in the case of mobile clients, when systemd discovers via network artifacts that the machine has moved to a new location and the user may want to perform some extra config actions, a backup job, etc. The only other way I can think of to emulate this might be to write a series of udev rules that executed the appropriate discovery and matching commands and then assigned interface alias names and then match on that in the network units. For instance, through RAs or VLAN tags I might determine that the interface is on VLAN 123, so I create an interface alias of vlan123, and then use network unit rules to match on that name when the link is up and an appropriate service registers a need for the address. I haven't dug through udev enough to try that yet, but it seems too procedural to me for such a general sort of desire. I like the semi-declaritive style of configuration that systemd generally enables. I guess the other option would be to just make them standalone Exec... statement units like I did before, but again that seems too proceedural to me. Make sense? Thoughts? Thanks, Brian [1] < https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ > [2] Sidenote: In the past I've used an old trick of setting the preferred_lft to 0 for IPv6 addresses that I wanted to be available to services, but not selected for outbound connections from the host. This was basically to help influence the usual source address selection criteria which tries to avoid "deprecated" addresses. I didn't see a way to specify that in the systemd.network man page. Is there one that I'm missing, or is that another case for an Exec... statement?
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
