Running systemd in a container

We have been following the topic of running systemd in containers for a long time. Back in 2014, our security engineer Daniel Walsh wrote the article Running systemd within a Docker Container, and a couple of years later another one, called Running systemd in a non-privileged container, in which he noted that the situation had not improved much. In particular, he wrote that "unfortunately, even two years later, if you google 'Docker system', the first thing that comes up is that same old article of his. So it is time to change something." We have also already written about the conflict between the Docker and systemd developers.


In this article we will show what has changed over time and how Podman can help with this.

There are many reasons to run systemd inside a container, such as:

  1. Multi-service containers: many people want to take their multi-service applications off virtual machines and run them in containers. It would be better, of course, to break such applications into microservices, but not everyone knows how to do this yet or has the time. So running such applications as services started by systemd from unit files makes perfect sense.
  2. systemd unit files: most applications running inside containers are built from code that previously ran on virtual or physical machines. These applications come with a unit file written for them that understands how they should be started. So it is better to start services using supported methods than to hack together your own init service.
  3. systemd is a process manager. It handles services (stopping and restarting services, or reaping zombie processes) better than any other tool.

That said, there are plenty of reasons not to run systemd in containers. The main one is that systemd/journald takes control of the container's output, while tools like Kubernetes or OpenShift expect containers to write their logs directly to stdout and stderr. So if you are going to manage containers with orchestration tools like those mentioned above, you should think carefully before using systemd-based containers. In addition, the Docker and Moby developers have often strongly objected to running systemd in containers.

The arrival of Podman

We are happy to report that the situation has finally moved forward. The team responsible for container management at Red Hat decided to develop its own container engine. It was named Podman and offers the same command-line interface (CLI) as Docker, and almost all Docker commands can be used with Podman in the same way. We often give talks, now titled Replacing Docker with Podman, and the very first slide calls for writing: alias docker=podman.

Many people do exactly that.

Podman and I are in no way against systemd-based containers. After all, systemd is the most widely used Linux init system, and not letting it work properly in containers means ignoring how thousands of people are used to running containers.

Podman knows what must be done for systemd to work properly in a container. It needs things like tmpfs mounted on /run and /tmp. It likes the "container" environment variable to be set, and it expects write permission to its own portion of the cgroup directory tree and to the /var/log/journald directory.

If you start a container whose initial command is init or systemd, Podman automatically sets up the tmpfs mounts and cgroups so that systemd starts without problems. To disable this automatic mode, use the --systemd=false option. Note that Podman only switches to systemd mode when it sees that it is about to run the systemd or init command.

Here is an excerpt from the man page:

man podman run
...

--systemd=true|false

Run the container in systemd mode. Enabled by default.

If you run systemd or an init command inside the container, Podman will set up tmpfs mount points in the following directories:

/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal

And the default stop signal will be SIGRTMIN+3.

All of this allows systemd to run in a locked-down container without modification.

NOTE: systemd tries to write to the cgroup file system. However, SELinux prevents containers from doing this by default. To allow those writes, enable the container_manage_cgroup boolean:

setsebool -P container_manage_cgroup true

Now let's see what a Dockerfile looks like for running systemd in a container with Podman:

# cat Dockerfile
FROM fedora
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]

That's all there is to it.

Now we build the container image:

# podman build -t systemd .

We tell SELinux to allow systemd to modify the cgroup configuration:

# setsebool -P container_manage_cgroup true

By the way, many people forget this step. Fortunately, it only needs to be done once, and the setting persists across system reboots.

Now we start the container:

# podman run -ti -p 80:80 systemd
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 29 (Container Image)!

Set hostname to <1b51b684bc99>.
Failed to install release agent, ignoring: Read-only file system
File /usr/lib/systemd/system/systemd-journald.service:26 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK ] Listening on initctl Compatibility Named Pipe.
[  OK ] Listening on Journal Socket (/dev/log).
[  OK ] Started Forward Password Requests to Wall Directory Watch.
[  OK ] Started Dispatch Password Requests to Console Directory Watch.
[  OK ] Reached target Slices.
…
[  OK ] Started The Apache HTTP Server.

That's it, the service is up and running:

$ curl localhost
<html  xml_lang="en" lang="en">
…
</html>

NOTE: Don't try this with Docker! There you still have to jump through hoops to launch this kind of container via the daemon. (Additional flags and packages are needed to make all of this work seamlessly in Docker, or it has to be run in a privileged container. See the article for details.)

A few more nice things about Podman and systemd

Podman works better than Docker in systemd unit files

If containers need to start when the system boots, you can simply put the appropriate Podman commands in a systemd unit file, and systemd will start the service and supervise it. Podman uses the standard fork-exec model. In other words, the container processes are children of the Podman process, so systemd can monitor them directly.

Docker uses a client-server model, and Docker CLI commands can also be placed directly in a unit file. However, once the Docker client has connected to the Docker daemon, the client is just another process shuffling stdin and stdout. systemd has no knowledge of the relationship between the Docker client and the container running under the control of the Docker daemon, so within this model systemd fundamentally cannot supervise the service.
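As an added example (not from the original article), here is a hand-written host unit file that runs the systemd image built above under the host's systemd using the fork-exec property just described; the unit path, the container name httpd-ctr and the image name systemd are assumptions.

```ini
# /etc/systemd/system/httpd-ctr.service  (path, unit and container names assumed)
[Unit]
Description=Apache httpd inside a systemd-based Podman container
After=network-online.target
Wants=network-online.target

[Service]
# podman run stays in the foreground as the parent of the container
# processes (fork-exec), so Type=simple lets systemd supervise it directly.
Type=simple
# Remove a stale container of the same name; the leading "-" tells systemd
# to ignore a non-zero exit if no such container exists.
ExecStartPre=-/usr/bin/podman rm -f httpd-ctr
ExecStart=/usr/bin/podman run --name httpd-ctr -p 80:80 systemd
# podman stop delivers the container's stop signal (SIGRTMIN+3 in systemd
# mode), so the systemd inside the container shuts its units down cleanly.
ExecStop=/usr/bin/podman stop -t 30 httpd-ctr
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
```

Enable it with systemctl daemon-reload followed by systemctl enable --now httpd-ctr; the container_manage_cgroup boolean from the earlier step must already be set, otherwise SELinux denies the containerized systemd its cgroup writes.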

Socket activation with systemd

Podman handles socket activation correctly. Because Podman uses the fork-exec model, it can pass the socket down to its child container processes. Docker cannot do this because of its client-server model.

The varlink service that Podman uses to let remote clients talk to containers is itself socket activated. The cockpit-podman package, written in Node.js and part of the cockpit project, lets people interact with Podman containers through a web interface. The web daemon running cockpit-podman sends messages to the varlink socket that systemd is listening on. systemd then activates the Podman program to receive the messages and start managing containers. Socket activation through systemd removes the need for a daemon running all the time when the remote API is used.

In addition, we built another Podman client called podman-remote, which uses the same Podman CLI but calls varlink to run the containers. The Podman remote client can work over SSH sessions, which lets you interact securely with containers on different machines. Over time, we plan to make podman-remote support MacOS and Windows alongside Linux, so that developers on those platforms can use a Linux machine running the Podman varlink service and get the full experience of containers running on their local machine.

SD_NOTIFY

systemd lets you delay the start of dependent services until the containerized service they need is actually up. Podman can pass the SD_NOTIFY socket into the containerized service so that the service can tell systemd it is ready. And once again, Docker, with its client-server model, cannot do this.

Plans

We plan to add a podman generate systemd CONTAINERID command, which will generate a systemd unit file for managing the specified container. This should work in both root and rootless mode for unprivileged containers. We have also seen a request for an OCI-compliant systemd-nspawn runtime.

Conclusion

Running systemd in a container is an understandable need. And thanks to Podman, we finally have a container runtime that does not fight systemd but makes it easy to use.

Source: www.habr.com
