Original: http://www.libvirt.org/drvlxc.html#activation
Systemd Socket Activation Integration
The libvirt LXC driver provides the ability to pass across pre-opened file descriptors when starting LXC guests. This allows libvirt LXC to support systemd's socket activation capability, where an incoming client connection in the host OS will trigger the startup of a container, which runs another copy of systemd which gets passed the server socket, and then activates the actual service handler in the container.

In short: libvirt LXC can hand file descriptors that were already opened in the host OS to an LXC guest. That enables the following flow: when the host OS receives a client connection, it triggers the start of the container; the container runs its own systemd instance, which receives the listening server socket and uses it to activate the real service handler inside the container.
Let us assume that you already have a LXC guest created, running a systemd instance as PID 1 inside the container, which has an SSHD service configured. The goal is to automatically activate the container when the first SSH connection is made. The first step is to create a couple of unit files for the host OS systemd instance. The /etc/systemd/system/mycontainer.service unit file specifies how systemd will start the libvirt LXC container.

Note: one might ask why the unit files go to the host's systemd instance and not the container's, and whether the container's systemd is just a copy of the host's. The host's systemd is the only thing running before the container exists, so it has to own the listening socket and the unit that starts the container. The systemd inside the container is a separate PID 1 (the same software, not a copy of the host's running instance); it only receives the already-open socket when libvirt starts the container.

/etc/systemd/system/mycontainer.service (host file):
    [Unit]
    Description=My little container

    [Service]
    ExecStart=/usr/bin/virsh -c lxc:/// start --pass-fds 3 mycontainer
    ExecStop=/usr/bin/virsh -c lxc:/// destroy mycontainer
    Type=oneshot
    # virsh exits as soon as the container is started: keep the unit active
    # and do not kill what is left behind when virsh goes away
    RemainAfterExit=yes
    KillMode=none

(Comments in unit files must be on their own lines starting with #; a trailing comment after a value is not valid unit syntax.)
The --pass-fds 3 argument specifies that file descriptor number 3, which virsh inherits from systemd, is to be passed into the container. Since virsh will exit immediately after starting the container, the RemainAfterExit and KillMode settings must be altered from their defaults.

Note on --pass-fds 3: it is easy to doubt whether "3" is really the descriptor number systemd hands out. It is. systemd's socket activation protocol always places the activation sockets at fd 3 upwards (SD_LISTEN_FDS_START), in the order of the ListenStream= lines, and sets LISTEN_FDS to their count and LISTEN_PID to the PID of the process they were passed to. With a single ListenStream= in mycontainer.socket the listening socket is therefore fd 3 in virsh, and --pass-fds 3 forwards exactly that descriptor. Because virsh exits as soon as the container is up, the defaults (the unit going inactive when its main process exits, and remaining processes being killed) would tear the setup down again, hence:

KillMode=none
RemainAfterExit=yes

KillMode=none is deprecated in recent systemd releases (systemd logs a warning for it) but is what this recipe relies on.
Next, the /etc/systemd/system/mycontainer.socket unit file is created to get the host systemd to listen on port 23 for TCP connections. When this unit file is activated by the first incoming connection, it will cause the mycontainer.service unit to be activated with the FD corresponding to the listening TCP socket passed in as FD 3.

/etc/systemd/system/mycontainer.socket (host file):

    [Unit]
    Description=The SSH socket of my little container

    [Socket]
    ListenStream=23

Port 23 was picked here so that the container doesn't conflict with the host's SSH which is on the normal port 22. That's it in terms of host side configuration.

Note: the host's own sshd keeps using port 22; an SSH connection meant for the container is made to the host on port 23 instead, so the two do not clash. The first connection to port 23 activates mycontainer.socket, which in turn starts mycontainer.service and hands it the listening socket as FD 3.
Inside the container, the /etc/systemd/system/sshd.socket unit file must be created.

/etc/systemd/system/sshd.socket (container file):

    [Unit]
    Description=SSH Socket for Per-Connection Servers

    [Socket]
    ListenStream=23
    Accept=yes

The ListenStream value listed in this unit file must match the value used in the host file. When systemd in the container receives the pre-opened FD from libvirt during container startup, it looks at the ListenStream values to figure out which FD to give to which service. The actual service to start is defined by a correspondingly named /etc/systemd/system/sshd@.service.

/etc/systemd/system/sshd@.service (container file):

    [Unit]
    Description=SSH Per-Connection Server for %I

    [Service]
    ExecStart=-/usr/sbin/sshd -i
    StandardInput=socket

Note: Accept=yes does not mean "connections on port 23 are allowed". It tells the container's systemd to accept() each incoming connection itself and to spawn a separate instance of the template unit sshd@.service per connection, with the accepted connection on that instance's standard input (StandardInput=socket); that is why sshd runs in inetd mode (-i). The leading "-" in ExecStart makes systemd ignore a non-zero exit status of sshd. The ListenStream in the container file must equal the one in the host file because the container's systemd matches the descriptor it received to a socket unit by the address the socket is bound to, not by a name; which service then starts is defined in /etc/systemd/system/sshd@.service.
Finally, make sure this SSH service is set to start on boot of the container, by running the following commands inside the container:

    # mkdir -p /etc/systemd/system/sockets.target.wants/
    # ln -s /etc/systemd/system/sshd.socket /etc/systemd/system/sockets.target.wants/

Running these inside the container is what ties the SSH socket into the container's boot (it is what systemctl enable sshd.socket would do if the unit carried an [Install] section with WantedBy=sockets.target).

This example shows how to activate the container based on an incoming SSH connection. If the container was also configured to have an httpd service, it may be desirable to activate it upon either an httpd or an sshd connection attempt. In this case, the mycontainer.socket file in the host would simply list multiple socket ports. Inside the container a separate xxxxx.socket file would need to be created for each service, with a corresponding ListenStream value set.
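The following Python program is an added example and is not code from libvirt or from the original page: it plays the host systemd's role so that the fd-3 convention behind --pass-fds 3, the ListenStream matching done by the container's systemd, and the multi-socket case from the last paragraph can be seen end to end without a container. The parent binds two listening sockets on ephemeral loopback ports (standing in for port 23 and a second httpd port), forks, places them at fd 3 and fd 4, sets LISTEN_FDS and LISTEN_PID the way systemd does, and execs a child that stands in for the container's systemd plus the sshd@ instance: the child matches each inherited descriptor to a constructed port-to-unit table by getsockname() (the equivalent of comparing against ListenStream=), accepts the first connection on the sshd socket and reports the mapping. The unit table, the port numbers and the reply format are assumptions made for this example; the fd-3 start, LISTEN_FDS and LISTEN_PID are systemd's real socket-activation protocol, and the LISTEN_PID check shows why a service must refuse descriptors whose LISTEN_PID does not name its own process.

```python
"""Added example: simulate systemd socket activation and the descriptor matching the
container's systemd performs.  Parent = host systemd, child = container systemd + sshd@.
Ports, unit names and the reply format are constructed for this example only."""
import fcntl
import os
import socket
import sys

SD_LISTEN_FDS_START = 3   # systemd always passes activation sockets starting at fd 3

# The "service" exec'd with the sockets at fd 3 and fd 4.  It stands in for the
# container's systemd reading its *.socket units and for the sshd@ instance.
CHILD_CODE = r'''
import os, socket, sys
SD_LISTEN_FDS_START = 3
# Constructed stand-in for the ListenStream= values of sshd.socket and httpd.socket.
units = {int(sys.argv[1]): "sshd.socket", int(sys.argv[2]): "httpd.socket"}

def activated_fds():
    # Same rule as sd_listen_fds(): believe LISTEN_FDS only if LISTEN_PID is our own
    # PID; otherwise the descriptors (or the environment) were not meant for us.
    if os.environ.get("LISTEN_PID") != str(os.getpid()):
        return []
    n = int(os.environ.get("LISTEN_FDS", "0"))
    return range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + n)

matched = {}
for fd in activated_fds():
    s = socket.socket(fileno=fd)      # adopt the inherited socket, do not create one
    port = s.getsockname()[1]         # the bound address is what ListenStream= is matched on
    if port in units:
        matched[units[port]] = s
if "sshd.socket" not in matched:
    sys.exit(3)                       # no descriptor matched sshd.socket: nothing to serve
# Accept=yes + StandardInput=socket: systemd accepts, the per-connection server gets the
# accepted socket.  Here one process does both and reports which fd served which unit.
conn, _ = matched["sshd.socket"].accept()
summary = " ".join("%s=fd%d" % (u, s.fileno()) for u, s in sorted(matched.items()))
conn.sendall(summary.encode())
conn.close()
'''


def run_activation(spoof_listen_pid=False):
    """Act as host systemd: bind, fork, place the sockets at fd 3/4, set LISTEN_*,
    exec the service, then be the first client.  Returns (exit_code, reply)."""
    socks = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))      # ephemeral ports stand in for 23 and the httpd port
        s.listen(1)
        socks.append(s)
    ports = [s.getsockname()[1] for s in socks]

    pid = os.fork()
    if pid == 0:
        try:
            # Park copies above the target range so dup2() cannot clobber a socket we
            # still need, then move them to fd 3, fd 4, ... in ListenStream order.
            # The parent's own socket objects are close-on-exec, so the child sees
            # nothing but fd 0-2 and the activation descriptors.
            parked = [fcntl.fcntl(s.fileno(), fcntl.F_DUPFD, 10) for s in socks]
            for i, fd in enumerate(parked):
                os.dup2(fd, SD_LISTEN_FDS_START + i)   # dup2 targets are inheritable
                os.close(fd)
            env = dict(os.environ,
                       LISTEN_FDS=str(len(socks)),
                       # A wrong LISTEN_PID is exactly what a service must reject.
                       LISTEN_PID="1" if spoof_listen_pid else str(os.getpid()))
            os.execve(sys.executable,
                      [sys.executable, "-c", CHILD_CODE] + [str(p) for p in ports], env)
        finally:
            os._exit(127)             # only reached if exec failed

    reply = None
    if not spoof_listen_pid:
        # The first connection queues on the socket "systemd" still holds and is
        # served once the activated child accepts it.
        with socket.create_connection(("127.0.0.1", ports[0]), timeout=10) as c:
            chunks = []
            while True:
                b = c.recv(1024)
                if not b:
                    break
                chunks.append(b)
        reply = b"".join(chunks).decode()
    _, status = os.waitpid(pid, 0)
    for s in socks:
        s.close()
    return os.WEXITSTATUS(status), reply


if __name__ == "__main__":
    print(run_activation())                        # (0, 'httpd.socket=fd4 sshd.socket=fd3')
    print(run_activation(spoof_listen_pid=True))   # (3, None)
```

Running the file directly prints both outcomes. The first call shows the descriptor handed over at fd 3 landing on the "sshd.socket" entry and fd 4 on "httpd.socket" purely by their bound ports, which is why the ListenStream values on both sides have to agree; the second call forges LISTEN_PID, and the child correctly refuses to touch any descriptor and exits with status 3 instead of serving a connection it was never handed.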