This article introduces the container technologies available in Fedora and shows how to use "systemd-nspawn".
What is a container?
A container is a user-space instance that runs a program or an operating system in an environment isolated from the system that manages the container (called the host system). The idea is similar to "chroot" or to virtual machines. Processes running in a container are scheduled by the same kernel as the host operating system, but they are isolated from the host file system and from other processes.
What is Systemd-nspawn?
The systemd project believes that container technology should become a basic part of the desktop and be integrated with the rest of the user's system. For this purpose, systemd provides the "systemd-nspawn" tool, which builds containers from a variety of Linux technologies, together with a number of container management tools.
"systemd-nspawn" and "chroot" are similar in many ways, but the former is more powerful: it virtualizes the file system, the process tree and inter-process communication of the guest system. Its appeal is that it comes with tools for managing containers, such as "machinectl". Containers run by "systemd-nspawn" integrate with the systemd components on the host; for example, a container's log can be exported to the host system's journal.
On Fedora 24, "systemd-nspawn" has been split out of the systemd package, so you need to install the "systemd-container" package. As always, you can install it with "dnf install systemd-container".
Create a container
It is easy to create a container with "systemd-nspawn". Suppose you have an application built specifically for Debian that does not run properly on other distributions. That's no problem: we can create a container! To set up a container running the latest version of Debian (currently Jessie), you need to pick a directory to hold the system. I will use the directory "~/debianjessie" for the time being.
Once you have created the directory, run "debootstrap", which you can install from the Fedora repositories. For Debian Jessie, run the following command to initialize a Debian file system:
$ debootstrap --arch=amd64 stable ~/debianjessie
The command above assumes your architecture is x86_64. If it is not, change "amd64" to the name of your architecture; you can find out your machine architecture with "uname -m". Once the root directory has been set up, start the container with the following command:
$ systemd-nspawn -bD ~/debianjessie
The container will be up and running in a few seconds, and you will notice a problem when you try to log in: you cannot use any account from your host system. This is because "systemd-nspawn" virtualizes users. The fix is simple: remove "-b" from the previous command and you will drop straight into a root shell inside the container. There you can use the "passwd" command to set a password for root, or the "adduser" command to add a new user. Once you have set a password or added a user, add the "-b" flag back and try again. You will be presented with the familiar login console, where you can log in with the credentials you just set up.
This applies to any distribution you want to run in a container, as long as you create the system with the appropriate package manager. For Fedora, you should use dnf rather than debootstrap. To set up a minimal Fedora system, run the following command, replacing "/absolute/path/" with wherever you want the container to live:
$ sudo dnf --releasever=24 --installroot=/absolute/path/ install systemd passwd dnf fedora-release
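The Debian procedure above, as an added example script that is not part of the article: it bootstraps the container directory with the architecture name derived from "uname -m", sets the root password before the first boot, and then boots the container. It assumes "debootstrap" and "systemd-container" are installed on the host; the directory and suite are arguments, and the "deb_arch" mapping covers more architectures than the amd64 case shown above.

```shell
#!/bin/sh
# Added example (not from the article): bootstrap a Debian container directory
# with debootstrap, set a root password inside it, then boot it.
# Assumes debootstrap and systemd-container are installed on the Fedora host.
set -eu

# deb_arch MACHINE -> Debian architecture name for a `uname -m` value.
# Covers the common renames; fails on anything it does not know.
deb_arch() {
    case "$1" in
        x86_64)  echo amd64 ;;
        aarch64) echo arm64 ;;
        armv7l)  echo armhf ;;
        i?86)    echo i386 ;;
        ppc64le) echo ppc64el ;;
        s390x)   echo s390x ;;
        *)       echo "unsupported machine type: $1" >&2; return 1 ;;
    esac
}

# create_container DIR [SUITE] -> populate DIR and set the root password.
create_container() {
    dir=$1
    suite=${2:-stable}
    arch=$(deb_arch "$(uname -m)")
    if [ -d "$dir" ] && [ -n "$(ls -A "$dir")" ]; then
        echo "refusing to bootstrap into non-empty $dir" >&2
        return 1
    fi
    mkdir -p "$dir"
    sudo debootstrap --arch="$arch" "$suite" "$dir"
    # Without -b, systemd-nspawn runs the given command as root inside the
    # container instead of booting it; passwd here sets the root password
    # that the booted container's login prompt will accept.
    sudo systemd-nspawn -D "$dir" passwd
}

if [ "${1:-}" = "--create" ]; then
    create_container "${2:?container directory required}" "${3:-stable}"
    sudo systemd-nspawn -bD "$2"
fi
```

Run it as "./make-container.sh --create ~/debianjessie stable" (hypothetical file name); the password prompt comes from the container's own "passwd".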
Set up a network
If you try to start a service that binds to a port your host is already using, you will notice the problem: your container shares the host's network interface. Fortunately, systemd-nspawn provides several ways to separate the container's network from the host.
Local network
The first approach is the "--private-network" flag, which by default creates only a loopback device. This is ideal for environments that do not need the network, such as build systems and other continuous integration systems.
Multiple network interfaces
If you have multiple network interfaces, you can use the "--network-interface" flag to assign one of them to the container. To assign "eno1" to my container, I would add the option "--network-interface=eno1". While an interface is assigned to a container, the host cannot use it at the same time; the host gets it back only once the container has shut down completely.
Shared network interface
There are other ways to reach a container for those of us without extra network hardware. One is the "--port" option, which forwards a port in the container to the host. The format is "protocol:hostport:containerport", where the protocol is TCP or UDP, "hostport" is a valid port on the host and "containerport" is a valid port in the container. You can omit the protocol and specify only "hostport:containerport". My usual usage looks like "--port=2222:22". You can use "--network-veth" to enable a full host-only network, which creates a virtual network interface pair between the host and the container, and "--network-bridge" to bridge the connection between the two.
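The port-forwarding option above, as an added example that is not part of the article: it validates "--port" mappings before they reach the command line and builds a systemd-nspawn invocation that keeps the container on its own veth link, so only the listed ports are exposed. Port forwarding only works with private networking, which is why "--network-veth" is always included; the container gets an address on its "host0" interface only if something such as systemd-networkd configures both ends.

```shell
#!/bin/sh
# Added example (not from the article): validate --port mappings and build a
# systemd-nspawn command that gives the container its own veth link, so only
# the ports you list are reachable from outside. Assumes systemd-container is
# installed on the host.
set -eu

# is_port N -> true if N is a decimal port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# nspawn_port_opt SPEC -> prints "--port=SPEC" when SPEC is a valid
# [tcp:|udp:]hostport[:containerport] mapping, otherwise fails.
nspawn_port_opt() {
    spec=$1
    case "$spec" in
        tcp:*|udp:*) spec=${spec#*:} ;;   # protocol given: strip it
        *:*:*) return 1 ;;                # three fields but no known protocol
    esac
    hostport=${spec%%:*}
    containerport=${spec#*:}              # same as hostport when no ':' given
    if ! is_port "$hostport" || ! is_port "$containerport"; then
        echo "invalid port mapping: $1" >&2
        return 1
    fi
    printf '%s\n' "--port=$1"
}

# nspawn_cmd DIR [SPEC...] -> prints the full command line; fails on a bad SPEC.
nspawn_cmd() {
    dir=$1; shift
    cmd="systemd-nspawn -bD $dir --network-veth"
    for spec in "$@"; do
        opt=$(nspawn_port_opt "$spec") || return 1
        cmd="$cmd $opt"
    done
    printf '%s\n' "$cmd"
}

if [ "${1:-}" = "--boot" ]; then
    shift
    cmd=$(nspawn_cmd "$@")
    # shellcheck disable=SC2086  # cmd holds only validated, space-free words
    exec sudo $cmd
fi
```

Run it as "./nspawn-net.sh --boot ~/debianjessie 2222:22" (hypothetical file name) to boot with only SSH forwarded.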
Using the systemd components
If the system in your container includes "dbus", you can use the utilities provided by systemd to control and monitor your container. The basic Debian installation does not include "dbus"; to use it in Debian Jessie, run the following command inside the container:
$ apt install dbus
machinectl
To make it easy to manage containers, systemd provides the "machinectl" utility. With it, you can use "machinectl login name" to log into a container, "machinectl status name" to check its status, "machinectl reboot name" to reboot it and "machinectl poweroff name" to shut it down.
Other systemd commands
Most systemd commands, such as "journalctl", "systemd-analyze" and "systemctl", support the "--machine" option to specify a container. For example, to view the log of a container named "foobar", you can use:
$ journalctl --machine=foobar
You can also use:
$ systemctl --machine=foobar status service
to view the status of a service running in that container.
Working with SELinux
If you want to use SELinux in enforcing mode (the Fedora default), you need to set an SELinux context for your container. To do that, run the following two commands on the host system:
$ semanage fcontext -a -t svirt_sandbox_file_t "/path/to/container(/.*)?"
$ restorecon -R /path/to/container/
Be sure to replace "/path/to/container" with the path of your container. For my "debianjessie" container, I would run:
$ semanage fcontext -a -t svirt_sandbox_file_t "/home/johnmh/debianjessie(/.*)?"
$ restorecon -R /home/johnmh/debianjessie/
Container technology in Fedora: systemd-nspawn