Kudala silandela isihloko sokusetyenziswa kwe-systemd kwizikhongozeli ixesha elide. Emuva kwi-2014, injineli yethu yezokhuseleko uDaniel Walsh wabhala inqaku , kwaye kwiminyaka embalwa kamva - enye, eyayibizwa , apho wathi imeko ayizange iphucuke kangako. Ngokukodwa, wabhala ukuba "ngelishwa, nangona iminyaka emibini kamva, ukuba u-google "inkqubo ye-Docker", into yokuqala efikayo yinqaku lakhe elifanayo elidala. Lixesha lokutshintsha into. β Ukongeza, sele sithethile .
Kweli nqaku siza kubonisa into etshintshileyo ekuhambeni kwexesha kunye nendlela iPodman enokusinceda ngayo kulo mbandela.
Kukho izizathu ezininzi zokusebenzisa inkqubo ngaphakathi kwesikhongozeli, esinje:
- Izikhongozeli zeenkonzo ezininzi -abantu abaninzi bafuna ukutsala usetyenziso lwabo lweenkonzo ezininzi ngaphandle koomatshini ababonakalayo kwaye baziqhube kwizikhongozeli. Kuya kuba ngcono, ewe, ukwaphula usetyenziso olunjalo kwiinkonzo ezincinci, kodwa ayinguye wonke umntu owaziyo ukwenza oku okwangoku okanye akanalo ixesha. Ke ngoko, ukuqhuba usetyenziso olunje ngeenkonzo eziqaliswe yi-systemd kwiifayile zeyunithi kwenza ingqiqo epheleleyo.
- Iifayile zeYunithi yeNkqubo -Iinkqubo ezininzi ezisebenza ngaphakathi kwizikhongozeli zakhiwe ngekhowudi ebikade isebenza koomatshini ababonakalayo okanye bomzimba. Ezi zicelo zinefayile yeyunithi eyabhalelwa ezi zicelo kwaye iyayiqonda indlela emaziqaliswe ngayo. Ngoko kusengcono ukuqala iinkonzo usebenzisa iindlela ezixhaswayo, kunokuba uqhekeze inkonzo yakho ye-init.
- I-Systemd ngumphathi wenkqubo. Ilawula iinkonzo (ivale, iqalise kwakhona iinkonzo, okanye ibulale iinkqubo ze-zombie) ngcono kunaso nasiphi na esinye isixhobo.
Oko kuthethiweyo, zininzi izizathu zokungaqhubeki inkqubo kwizikhongozeli. Eyona nto iphambili kukuba i-systemd/journald ilawula imveliso yezikhongozeli, kunye nezixhobo ezinje okanye lindela izikhongozeli ukuba zibhale ilogi ngqo kwi-stdout kunye ne-stderr. Ke ngoko, ukuba uza kulawula izikhongozeli ngezixhobo zokucula ezifana nezi zikhankanywe ngasentla, kuya kufuneka ucinge nzulu ngokusebenzisa izikhongozeli ezisekwe kwisistim. Ukongeza, abaphuhlisi beDocker kunye neMoby bahlala bechasa ngamandla ukusebenzisa i-systemd kwizikhongozeli.
Ukuza kwePodman
Siyavuya ukunika ingxelo yokuba imeko iye yaqhubela phambili ekugqibeleni. Iqela elinoxanduva lokuqhuba izikhongozeli eRed Hat ligqibe ekubeni liphuhlise . Wafumana igama kwaye inikeza ujongano lomgca womyalelo ofanayo (CLI) njengeDocker. Kwaye phantse yonke imiyalelo yeDocker inokusetyenziswa kwiPodman ngendlela efanayo. Sihlala siqhuba iisemina, ezibizwa ngoku , kunye nesona silayidi sokuqala sibiza ukubhala: alias docker=podman.
Abantu abaninzi bayakwenza oku.
Mna kunye nePodman yam asikho ngandlela ithile ngokuchasene nezikhongozeli ezisekwe kwisistim. Emva kwayo yonke loo nto, i-Systemd yeyona nto isetyenziswa kakhulu kwi-Linux init subsystem, kwaye ukungayivumeli ukuba isebenze kakuhle kwizikhongozeli kuthetha ukungahoyi ukuba amawaka abantu aqhelene njani nokuqhuba izikhongozeli.
UPodman uyayazi into emayenziwe ukwenza inkqubo isebenze ngokufanelekileyo kwisikhongozeli. Ifuna izinto ezifana nokunyuka kwe-tmpfs kwi-/run kunye / ne-tmp. Uthanda ukuba nendawo "yeziqulatho" yenziwe kwaye ulindele iimvume zokubhala kwindawo yakhe yolawulo lweqela kunye nakwi/var/log/journald folder.
Xa uqala isikhongozeli apho umyalelo wokuqala uyi-init okanye i-systemd, iPodman iqwalasela ngokuzenzekelayo i-tmpfs kunye namaQela ukuqinisekisa ukuba i-systemd iqala ngaphandle kweengxaki. Ukuvala le ndlela yokuqalisa ngokuzenzekelayo, sebenzisa i --systemd=false ukhetho. Nceda uqaphele ukuba iPodman isebenzisa kuphela indlela yenkqubo xa ibona ukuba ifuna ukusebenzisa i-systemd okanye init umyalelo.
Nantsi isicatshulwa esisuka kwimanyuwali:
indoda podman baleka
...βsystemd=yinyaniso|bubuxoki
Ukuqhuba isikhongozeli kwimo yenkqubo. Yenza ngokuzenzekelayo.
Ukuba usebenzisa i-systemd okanye umyalelo we-init ngaphakathi kwesikhongozeli, iPodman izakuqwalasela iindawo zokunyuka zetmpfs kolu luhlu lulandelayo lwabalawuli:
/ run, / run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal
Kwakhona umqondiso wokumisa omiselweyo uya kuba SIGRTMIN+3.
Konke oku kuvumela ukuba inkqubo isebenze kwisingxobo esivaliweyo ngaphandle kohlengahlengiso.
QAPHELA: i-systemd izama ukubhala kwindlela yefayile yeqela. Nangona kunjalo, i-SELinux inqanda izikhongozeli ekwenzeni oku ngokungagqibekanga. Ukwenza ukubhala, vula icontainer_manage_cgroup boolean parameter:
setebool -P container_manage_cgroup yinyani
Ngoku jonga ukuba iDockerfile ijongeka njani ekusebenzeni kwe-systemd kwisitya usebenzisa iPodman:
# cat Dockerfile
FROM fedora
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]
Kuko konke.
Ngoku sihlanganisa i-container:
# podman build -t systemd .
Sixelela i-SELinux ukuba ivumele i-systemd iguqule uqwalaselo lwamaQela:
# setsebool -P container_manage_cgroup true
Ngendlela, abantu abaninzi bayakhohlwa ngeli nyathelo. Ngethamsanqa, oku kufuneka kwenziwe kanye kuphela kwaye isicwangciso sigcinwe emva kokuqalisa inkqubo.
Ngoku siqala nje isitya:
# podman run -ti -p 80:80 systemd
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.
Welcome to Fedora 29 (Container Image)!
Set hostname to <1b51b684bc99>.
Failed to install release agent, ignoring: Read-only file system
File /usr/lib/systemd/system/systemd-journald.service:26 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[ OK ] Listening on initctl Compatibility Named Pipe.
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Reached target Slices.
β¦
[ OK ] Started The Apache HTTP Server.
Yiyo loo nto, inkonzo iphezulu kwaye iyasebenza:
$ curl localhost
<html xml_lang="en" lang="en">
β¦
</html>
QAPHELA: Sukuzama oku kwiDocker! Apho kusafuneka udanise ngentambula ukuze uqalise ezi ntlobo zezikhongozeli ngedaemon. (Imimandla eyongezelelweyo kunye neepakethi ziya kufuneka ukwenza konke oku kusebenze ngaphandle komthungo kwi-Docker, okanye kuya kufuneka ukuba iqhutywe kwisingxobo esikhethekileyo. Ngeenkcukacha, bona .)
Izinto ezimbalwa ezipholileyo malunga nePodman kunye ne-systemd
IPodman isebenza ngcono kuneDocker kwiifayile zeyunithi ye-systemd
Ukuba izikhongozeli kufuneka ziqalwe xa isixokelelwano siqala, ngoko ungafaka ngokulula imiyalelo efanelekileyo yePodman kwifayile yeyunithi yenkqubo, eya kuqalisa inkonzo kwaye ibeke iliso. I-Podman isebenzisa imodeli eqhelekileyo ye-fork-exec. Ngamanye amazwi, iinkqubo zesikhongozeli ngabantwana benkqubo yePodman, ngoko ke i-systemd inokuzibeka esweni ngokulula.
IDocker isebenzisa imodeli yomncedisi womxhasi, kwaye imiyalelo yeDocker CLI inokubekwa ngokuthe ngqo kwifayile yeyunithi. Nangona kunjalo, xa umxhasi weDocker eqhagamshele kwi-daemon ye-Docker, yona (umxhasi) iba yenye inkqubo yokuphatha i-stdin kunye ne-stdout. Ngapha koko, i-systemd ayinalo nofifi malunga noqhakamshelwano phakathi komthengi we-Docker kunye nesikhongozeli esisebenza phantsi kolawulo lwe-Docker daemon, kwaye ke, ngaphakathi kwale modeli, i-systemd ngokusisiseko ayinako ukubeka esweni inkonzo.
Ivula inkqubo nge socket
I-Podman ibamba ukusebenza nge-socket ngokuchanekileyo. Ngenxa yokuba iPodman isebenzisa imodeli ye-fork-exec, inokudlulisa isokhethi kwiinkqubo zesikhongozeli somntwana. I-Docker ayikwazi ukwenza oku kuba isebenzisa imodeli yomncedisi womxhasi.
Inkonzo ye-varlink esetyenziswa nguPodman ukunxibelelana nabathengi abakude kwiikhonteyina ivulwe ngesokethi. Iphakheji ye-cockpit-podman, ebhalwe kwi-Node.js kunye nenxalenye yeprojekthi ye-cockpit, ivumela abantu ukuba badibanise nezikhongozeli zePodman ngokusebenzisa ujongano lwewebhu. Idaemon yewebhu eqhuba i-cockpit-podman ithumela imiyalezo kwi-varlink socket emamelayo kwi-systemd. I-Systemd emva koko ivule inkqubo yePodman ukufumana imiyalezo kwaye iqalise ukulawula izikhongozeli. Ukwenza i-systemd isebenze phezu kwesokethi kuphelisa imfuno yedaemon eqhuba rhoqo xa uphumeza ii-API ezikude.
Ukongezelela, siphuhlisa omnye umxhasi wePodman obizwa ngokuba yi-podman-remote, esebenzisa iPodman CLI efanayo kodwa ubiza i-varlink ukuqhuba izitya. I-Podman-ekude inokuqhuba ngaphezulu kweeseshoni ze-SSH, ikuvumela ukuba udibane ngokukhuselekileyo nezikhongozeli koomatshini abahlukeneyo. Ngokuhamba kwexesha, siceba ukwenza i-podman-remote ikwazi ukuxhasa iMacOS kunye neWindows ecaleni kweLinux, ukuze abaphuhlisi kula maqonga bakwazi ukuqhuba umatshini weLinux wenyani kunye nePodman varlink esebenzayo kwaye babe namava apheleleyo okuba izikhongozeli zisebenza kumatshini wendawo.
SD_YAZI
I-Systemd ikuvumela ukuba uhlehlise ukuqaliswa kweenkonzo ezincedisayo de inkonzo efakwe kwisingxobo abayifunayo iqale. I-Podman inokudlulisa i-SD_NOTIFY isokethi kwinkonzo yesikhongozeli ukuze inkonzo yazise i-systemd ukuba ikulungele ukusebenza. Kwaye kwakhona, iDocker, esebenzisa imodeli yomncedisi womxhasi, ayinakuyenza le nto.
Kwizicwangciso
Siceba ukongeza umyalelo we-podman ukuvelisa i-systemd CONTINERID, eya kuvelisa ifayile yeyunithi ye-systemd ukulawula isitya esithile esicacisiweyo. Oku kufuneka kusebenze kuzo zombini iingcambu kunye neendlela ezingenangcambu kwizikhongozeli ezingenalungelo. Siye sabona nesicelo se-OCI-ehambelanayo ne-systemd-nspawn runtime.
isiphelo
Ukubaleka inkqubo kwisikhongozeli kuyimfuno eqondakalayo. Kwaye enkosi kwiPodman, ekugqibeleni sinento yokuqhuba isikhongozeli esingangqubaniyo ne-systemd, kodwa yenza kube lula ukuyisebenzisa.
umthombo: www.habr.com