We have been following the topic of running systemd inside containers for a long time. Back in 2014, our security engineer Daniel Walsh wrote an article
In this article we will show what has changed since then and how Podman can help us here.
There are many reasons to run systemd inside a container, such as:
- Multi-service containers - many people want to move their multi-service applications out of virtual machines and run them in containers. Ideally, of course, those applications would be broken up into microservices, but not everyone knows how to do that yet, and time is not the only obstacle. So running the applications as services started by systemd from unit files makes a lot of sense.
- Systemd unit files - most applications running inside containers are built from code that previously ran on virtual or physical machines. Those applications already come with a unit file written for them that knows how they should be started. So it is better to start the services through the supported mechanism than to hack together your own init service.
- Systemd is a process manager. It handles services (shutting them down, restarting them, reaping zombie processes) better than any other tool.
That said, there are also many reasons not to run systemd in containers. The main one is that systemd/journald takes over the output of the container, while tools like
Enter Podman
We are happy to report that the situation has moved on. The team responsible for running containers at Red Hat decided to develop
Many people do this.
My Podman and I have nothing against containers that are based on systemd. After all, systemd is the most widely used Linux init system, and refusing to let it work properly inside containers would mean ignoring the way thousands of users are used to running containers.
Podman knows what it takes to make systemd work properly inside a container. It needs things like tmpfs mounted on /run and /tmp. It wants the "containerized" environment detected, and it expects to be allowed to write to its own part of the cgroup hierarchy and to the /var/log/journal directory.
When you start a container whose first command is init or systemd, Podman automatically sets up the tmpfs mounts and cgroups so that systemd starts without trouble. To suppress this automatic mode, use the --systemd=false option. Note that Podman only switches to systemd mode when it detects that the container is going to run a systemd or init command.
Here is an excerpt from the manual:
man podman run
...--systemd=true|false
Run the container in systemd mode. Enabled by default.
If you run a systemd or init command inside the container, Podman will set up tmpfs mount points in the following directories:
/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal
The default stop signal is SIGRTMIN+3.
This allows systemd to run in a confined container without modification.
NOTE: systemd tries to write to the cgroup filesystem. However, SELinux prevents containers from doing this by default. To allow the writes, enable the container_manage_cgroup boolean:
setsebool -P container_manage_cgroup true
Let's look at what a Dockerfile for running systemd in a container with Podman looks like:
# cat Dockerfile
FROM fedora
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]
That's all there is to it.
Now we build the image:
# podman build -t systemd .
We tell SELinux to allow systemd to modify the cgroup configuration:
# setsebool -P container_manage_cgroup true
Many people, by the way, forget this step. Fortunately, it only has to be done once, and thanks to the -P flag the setting survives a reboot.
Now we start the container:
# podman run -ti -p 80:80 systemd
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.
Welcome to Fedora 29 (Container Image)!
Set hostname to <1b51b684bc99>.
Failed to install release agent, ignoring: Read-only file system
File /usr/lib/systemd/system/systemd-journald.service:26 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[ OK ] Listening on initctl Compatibility Named Pipe.
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Reached target Slices.
…
[ OK ] Started The Apache HTTP Server.
That's it, the service is running:
$ curl localhost
<html xml_lang="en" lang="en">
…
</html>
NOTE: Don't try this in Docker! There you have to jump through hoops to get containers like this started through the daemon. (You would need extra fields and packages to make these things work seamlessly in Docker, or you would have to run them in a privileged container. For details, see
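As an added example (not part of the original article, and not Podman's own code), here is a small shell wrapper around the build-and-run procedure above. It checks the container_manage_cgroup boolean, the step the article says people forget, before launching, and spells out the two settings the man page says Podman applies implicitly in systemd mode. All function names are hypothetical, and the image name assumes the podman build -t systemd step above (a locally built tag resolves as localhost/systemd).

```bash
#!/usr/bin/env bash
# Added example (not from the original article): a pre-flight wrapper around the
# article's "podman run" step. All function names here are hypothetical.

# sebool_is_on LINE
# Parses one line of getsebool output such as
#   container_manage_cgroup --> off
# Returns 0 when the boolean is on, 1 otherwise.
sebool_is_on() {
    case "$1" in
        *'--> on') return 0 ;;
        *) return 1 ;;
    esac
}

# check_container_manage_cgroup
# Without this boolean SELinux blocks systemd's writes to the cgroup filesystem
# and the container will not boot cleanly. On a host without SELinux tooling the
# boolean does not exist, so the check is skipped (returns 0).
check_container_manage_cgroup() {
    local line
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "getsebool not found; assuming there is no SELinux policy to adjust" >&2
        return 0
    fi
    line=$(getsebool container_manage_cgroup 2>/dev/null) || return 0
    if sebool_is_on "$line"; then
        return 0
    fi
    echo "container_manage_cgroup is off; fix with: setsebool -P container_manage_cgroup true" >&2
    return 1
}

# systemd_run_cmd IMAGE [HOSTPORT:CTRPORT]
# Builds the article's run command with the two settings Podman applies
# implicitly in systemd mode (--systemd=true, stop signal SIGRTMIN+3) made
# explicit, which is handy when reviewing what a unit file is going to run.
systemd_run_cmd() {
    local image="$1" port="${2:-}"
    local cmd="podman run -ti --systemd=true --stop-signal=SIGRTMIN+3"
    [ -n "$port" ] && cmd="$cmd -p $port"
    printf '%s %s\n' "$cmd" "$image"
}

# run_systemd_container IMAGE [HOSTPORT:CTRPORT]
# Refuses to start when the SELinux boolean is known to be off.
run_systemd_container() {
    check_container_manage_cgroup || return 1
    local cmd
    cmd=$(systemd_run_cmd "$1" "${2:-}")
    echo "+ $cmd" >&2
    # shellcheck disable=SC2086  # intentional word splitting of the command line
    exec $cmd
}

# Usage: bash preflight.sh localhost/systemd 80:80
if [ "$#" -ge 1 ]; then
    run_systemd_container "$@"
fi
```

The boolean check is deliberately advisory only on hosts without getsebool: on a non-SELinux host there is nothing to flip, and silently calling setsebool from a wrapper would hide the one-time, persistent change the article asks you to make consciously.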
Two nice things about Podman and systemd
Podman works better than Docker in systemd unit files
If containers have to start when the system boots, you can simply put the appropriate Podman commands into a systemd unit file, which will start the service and monitor it. Podman uses the conventional fork-exec model. In other words, the container processes are children of the Podman process, so systemd can monitor them without any trouble.
Docker uses a client-server model, and Docker CLI commands can also be placed directly in a unit file. However, once the Docker client connects to the Docker daemon, it (the client) becomes just another process relaying stdin and stdout. Systemd, in turn, has no idea about the relationship between the Docker client and the container running under the control of the Docker daemon, and so in this model systemd cannot properly monitor the service.
Socket activation
Podman handles socket activation correctly. Because Podman uses the fork-exec model, it can pass the socket down to its child container process. Docker cannot do this, because it uses a client-server model.
The varlink service that Podman uses to talk to remote clients of containers is in fact socket-activated. The cockpit-podman package, written in Node.js and part of the cockpit project, lets people interact with Podman containers through a web interface. The web daemon running cockpit-podman sends messages to a varlink socket that systemd listens on. Systemd then activates the Podman program, which receives the messages and starts managing the containers. Socket activation by systemd removes the need for a permanently running daemon when exposing remote APIs.
In addition, we are developing another Podman client called podman-remote, which implements the same Podman CLI but calls varlink to run the containers. Podman-remote can work over SSH sessions, letting you interact with containers on different machines. Over time, we plan for podman-remote to support MacOS and Windows alongside Linux, so that developers on those platforms can run a Linux virtual machine with the Podman varlink service running and get the full impression that the containers are running on the local machine.
SD_NOTIFY
Systemd lets you hold back the start of dependent services until the containerized service they rely on is up. Podman can pass the SD_NOTIFY socket into the containerized service so that the service can tell systemd it is ready to do its work. And, once again, Docker cannot do this.
Plans
We plan to add a podman generate systemd CONTAINERID command, which will generate a systemd unit file to manage the specified container. This should work in both root and rootless mode for unprivileged containers. We have also seen a request for an OCI-compliant systemd-nspawn runtime.
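The unit-file and fork-exec points, the SD_NOTIFY handshake, and the planned podman generate systemd command can all be illustrated with one added example: a hand-written generator that emits a unit running the image built above in the foreground under systemd. This is illustration code written for this page, not Podman's own generator or its output format. gen_unit is a hypothetical helper; it assumes a Podman that accepts the --sdnotify option, and it relies on systemd inside the container reporting READY=1 once its own boot is finished, which is what lets Type=notify work without any change to the image.

```bash
#!/usr/bin/env bash
# Added example: a hand-written stand-in for the planned "podman generate
# systemd". gen_unit is a hypothetical helper, not Podman's own code.

# gen_unit NAME IMAGE [HOSTPORT:CTRPORT]
# Prints a unit that keeps "podman run" in the foreground so the container is a
# child of the podman process that systemd started (fork-exec).
gen_unit() {
    local name="$1" image="$2" port="${3:-}"
    local publish=""
    [ -n "$port" ] && publish=" -p ${port}"
    cat <<EOF
[Unit]
Description=Podman container ${name} (systemd inside the container)
After=network-online.target
Wants=network-online.target

[Service]
# No -d: the container stays a child of this podman process, so systemd
# supervises the real service and Restart= reacts to the container exiting,
# not to a detached client going away.
Type=notify
# --sdnotify=container passes NOTIFY_SOCKET into the container. systemd running
# as PID 1 there sends READY=1 when its boot finishes; only then do units
# ordered After= this one start.
NotifyAccess=all
ExecStartPre=-/usr/bin/podman rm -f ${name}
ExecStart=/usr/bin/podman run --rm --name ${name} --systemd=true --sdnotify=container${publish} ${image}
# podman stop delivers the container's stop signal (SIGRTMIN+3 in systemd
# mode), so systemd inside shuts its services down cleanly within the timeout.
ExecStop=/usr/bin/podman stop -t 10 ${name}
Restart=on-failure
TimeoutStartSec=90

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: gen_unit httpd-in-systemd localhost/systemd 80:80 \
#            > /etc/systemd/system/httpd-in-systemd.service
#        systemctl daemon-reload && systemctl enable --now httpd-in-systemd
if [ "$#" -ge 2 ]; then
    gen_unit "$@"
fi
```

With Type=notify the unit is reported as "active (running)" only after the containerized systemd has finished booting, so something like a reverse proxy ordered After=httpd-in-systemd.service will not be started against a port that nothing is listening on yet.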
Conclusion
Running systemd in a container is a clear need. And thanks to Podman, we finally have a container runtime that does not fight with systemd but makes it easy to use.
Source: www.habr.com