This time we continue the topic of running systemd in containers. Back in 2014, our security engineer Daniel Walsh wrote an article
In this article we will show what has changed since then and how Podman can help with this problem.
There are many reasons to run systemd inside a container, such as:
- Multi-service containers. Many people want to move their multi-service applications out of virtual machines and run them in containers. It would be better, of course, to break such applications up into microservices, but not everyone knows how to do that yet or has the time. So running the application as services started by systemd from unit files makes perfect sense.
- Systemd unit files. Most applications that run inside containers are built from code that used to run on virtual or physical machines. These applications already have a unit file that was written for them and describes how they should be started. So it is better to start services using the supported mechanism than to hack together your own init service.
- Systemd is a process manager. It handles services (shutting down, restarting services, or reaping zombie processes) better than any other tool.
That said, there are also many reasons not to run systemd in containers. The main one is that systemd/journald takes control of the container's output, while tools like
Enter Podman
We are happy to report that the situation has moved forward. The team responsible for container management at Red Hat decided to develop
Many people do this.
Neither I nor my Podman have anything against systemd-based containers. After all, systemd is the most widely used Linux init subsystem, and not letting it work properly in containers means ignoring how thousands of people are used to running containers.
Podman knows what has to be done for systemd to work properly in a container. It needs things like tmpfs mounted on /run and /tmp. It wants the "container" environment to be enabled and expects write permission to its part of the cgroup directory tree and to the /var/log/journald directory.
When you start a container whose first command is init or systemd, Podman automatically sets up the tmpfs mounts and cgroups so that systemd starts without problems. To suppress this automatic mode, use the --systemd=false option. Note that Podman only switches into systemd mode when it detects that it is about to run a systemd or init command.
Here is an excerpt from the manual:
man podman run
--systemd=true|false
Run the container in systemd mode. Enabled by default.
If you run systemd or an init command inside the container, Podman will set up tmpfs mount points in the following directories:
/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal
And the default stop signal will be SIGRTMIN+3.
All this lets systemd run in a locked-down container without any modifications.
NOTE: systemd tries to write to the cgroup file system. However, SELinux prevents containers from doing this by default. To allow the writes, enable the container_manage_cgroup boolean:
setsebool -P container_manage_cgroup true
Now let's look at what a Dockerfile for running systemd in a container with Podman looks like:
# cat Dockerfile
FROM fedora
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]
That's all.
Now we build the container:
# podman build -t systemd .
We tell SELinux to allow systemd to modify the cgroup configuration:
# setsebool -P container_manage_cgroup true
By the way, many people forget this step. Fortunately, it only needs to be done once, and the setting survives a system reboot.
Now we start the container:
# podman run -ti -p 80:80 systemd
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.
Welcome to Fedora 29 (Container Image)!
Set hostname to <1b51b684bc99>.
Failed to install release agent, ignoring: Read-only file system
File /usr/lib/systemd/system/systemd-journald.service:26 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[ OK ] Listening on initctl Compatibility Named Pipe.
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Reached target Slices.
…
[ OK ] Started The Apache HTTP Server.
That's it, the service is up and running:
$ curl localhost
<html xml_lang="en" lang="en">
…
</html>
NOTE: Don't try this in Docker! There you still have to jump through hoops to launch these kinds of containers through the daemon. (Additional fields and packages are needed to make all of this work seamlessly in Docker, or it has to be run in a privileged container. For details, see
A few other nice things about Podman and systemd
Podman works better than Docker in systemd unit files
If containers need to start when the system boots, you can simply put the appropriate Podman commands into a systemd unit file, which will start the service and monitor it. Podman uses the standard fork-exec model. In other words, the container processes are children of the Podman process, so systemd can easily monitor them.
Docker uses a client-server model, and Docker CLI commands can also be put directly into a unit file. However, once the Docker client has connected to the Docker daemon, it (the client) becomes just another process shuffling stdin and stdout. Meanwhile, systemd knows nothing about the connection between the Docker client and the container running under the control of the Docker daemon, so within this model systemd fundamentally cannot monitor the service.
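A unit file of the kind described above, as an added example that is not part of the original article: it assumes the image tagged systemd built from the Dockerfile earlier on this page, and the container name httpd-systemd and unit path are chosen here for illustration.

```ini
# /etc/systemd/system/httpd-container.service (path chosen for this example)
[Unit]
Description=Apache httpd running under systemd inside a Podman container
Wants=network-online.target
After=network-online.target

[Service]
# podman run stays in the foreground (fork-exec): the container's init and
# httpd are children of this process, so systemd supervises them directly
# and Restart= below reacts to the real container exiting.
ExecStartPre=-/usr/bin/podman rm -f httpd-systemd
ExecStart=/usr/bin/podman run --name httpd-systemd -p 80:80 systemd
# In systemd mode Podman's default stop signal is SIGRTMIN+3, which systemd
# inside the container treats as an orderly shutdown; podman stop sends it
# and only kills the container if it has not exited after 10 seconds.
ExecStop=/usr/bin/podman stop -t 10 httpd-systemd
Restart=on-failure
TimeoutStopSec=20

[Install]
WantedBy=multi-user.target
```

Enable it with `systemctl enable --now httpd-container.service` after running the setsebool step from the page; keep in mind that container_manage_cgroup is a host-wide SELinux boolean, so it relaxes the policy for every container on the host, not just this one.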
Socket activation with systemd
Podman handles socket activation correctly. Because Podman uses the fork-exec model, it can pass the socket on to its child container processes. Docker cannot do this because it uses the client-server model.
The varlink service that Podman uses to let remote clients talk to containers is in fact socket-activated. The cockpit-podman package, written in Node.js and part of the cockpit project, lets people interact with Podman containers through a web interface. The web daemon running cockpit-podman sends messages to the varlink socket that systemd listens on. Systemd then activates the Podman program to receive the messages and start managing containers. Socket activation through systemd removes the need for a constantly running daemon when remote APIs are used.
In addition, we are building another Podman client called podman-remote, which uses the same Podman CLI but calls varlink to run containers. Podman's remote control can work over SSH sessions, which lets you interact securely with containers on different machines. Over time, we plan to make podman-remote support MacOS and Windows alongside Linux, so that developers on those platforms can run a Linux machine with Podman varlink enabled and have the full experience of containers running on the local machine.
SD_NOTIFY
Systemd lets you postpone the start of dependent services until the containerized service they need has come up. Podman can pass the SD_NOTIFY socket to the containerized service so that the service can notify systemd that it is ready. And again, Docker, with its client-server model, cannot do this.
Plans
We plan to add a podman generate systemd CONTAINERID command that will generate a systemd unit file for managing the specified container. This should work in both root and rootless mode for unprivileged containers. We have also seen a request for an OCI-compliant systemd-nspawn runtime.
Conclusion
Running systemd in a container is an understandable need. And thanks to Podman, we finally have a container runtime that does not fight systemd but makes it easy to use.
Source: www.habr.com