libvirt LXC driver --pass-fds

Original: http://www.libvirt.org/drvlxc.html#activation

Systemd Socket Activation Integration

The libvirt LXC driver provides the ability to pass across pre-opened file descriptors when starting LXC guests. This allows for libvirt LXC to support systemd's socket activation capability, where an incoming client connection in the host OS will trigger the startup of a container, which runs another copy of systemd which gets passed the server socket, and then activates the actual service handler in the container.

libvirt LXC supports passing file descriptors that are already open in the host OS to LXC guests. This allows LXC to support the following: when the host OS receives a client connection request, it triggers the start of the LXC, which runs a copy of systemd; this lets the LXC receive the passed-in server socket descriptor and thereby activate the actual server handler inside the LXC.

Let us assume that you already have a LXC guest created, running a systemd instance as PID 1 inside the container, which has an SSHD service configured. The goal is to automatically activate the container when the first SSH connection is made. The first step is to create a couple of unit files for the host OS systemd instance. The /etc/systemd/system/mycontainer.service unit file specifies how systemd will start the libvirt LXC container

Suppose we already have an LXC guest with sshd configured inside the container (providing the SSH service) and a systemd instance running as PID 1. An SSH connection will activate this container. The first step is to create a pair of unit files for the host OS systemd instance (why not the container's systemd instance? Is it just that the container's systemd instance is a copy of the host OS systemd instance?).

/etc/systemd/system/mycontainer.service (host file): this unit file specifies how systemd starts the libvirt LXC container.


[Unit]
Description=My little container

[Service]
ExecStart=/usr/bin/virsh -c lxc:/// start --pass-fds 3 mycontainer
ExecStop=/usr/bin/virsh -c lxc:/// destroy mycontainer
Type=oneshot
RemainAfterExit=yes
KillMode=none
# both set so the unit is not shut down after virsh has started the container

The --pass-fds 3 argument specifies that the file descriptor number 3 that virsh inherits from systemd is to be passed into the container. Since virsh will exit immediately after starting the container, the RemainAfterExit and KillMode settings must be altered from their defaults.

--pass-fds 3: the exec_on setting for file descriptor 3 causes virsh to inherit the file descriptor from the system (in fact it is a correspondence and not necessarily identical... I am a little unsure about this). By default virsh exits after the container has started, so the parameters need to be changed:

KillMode=none   
RemainAfterExit=yes

Next, the /etc/systemd/system/mycontainer.socket unit file is created to get the host systemd to listen on port 23 for TCP connections. When this unit file is activated by the first incoming connection, it will cause the mycontainer.service unit to be activated with the FD corresponding to the listening TCP socket passed in as FD 3.

[Unit]
Description=The SSH socket of my little container

[Socket]
ListenStream=23

/etc/systemd/system/mycontainer.socket (host file) is created to get the host systemd to listen on port 23 for TCP connections (the host's normal SSH uses 22, but SSH connections to the container through the host use 23). When the first connection arrives, /etc/systemd/system/mycontainer.socket is activated, which causes /etc/systemd/system/mycontainer.service to be activated and receive a descriptor corresponding to the passed-in listening socket descriptor (FD 3).

Port 23 was picked here so that the container doesn't conflict with the host's SSH which is on the normal port 22. That's it in terms of host side configuration.

The host's normal SSH uses 22, while SSH connections to the container through the host use 23, so there is no conflict; this is consistent with the host-side configuration.

Inside the container, the /etc/systemd/system/sshd.socket (container file) unit file must be created

[Unit]
Description=SSH Socket for Per-Connection Servers

[Socket]
ListenStream=23
Accept=yes

The configuration above means that socket connection requests on port 23 are accepted.


The ListenStream value listed in this unit file must match the value used in the host file. When systemd in the container receives the pre-opened FD from libvirt during container startup, it looks at the ListenStream values to figure out which FD to give to which service. The actual service to start is defined by a correspondingly named /etc/systemd/system/sshd@.service

[Unit]
Description=SSH Per-Connection Server for %I

[Service]
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket

The ListenStream in /etc/systemd/system/sshd.socket must match the one in the host file. When the container receives the passed-in file descriptor, it works out which service the FD corresponds to; the definition of the service to start is in /etc/systemd/system/sshd@.service.
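The two mechanisms described above, the fixed starting descriptor number 3 behind --pass-fds 3 and the matching of a passed-in socket to a ListenStream= value, can be seen end to end in a small emulation. The following is an added example and is not code from libvirt or systemd: a Python parent plays the host systemd by opening a listening socket and starting a child with that socket as fd 3 plus the LISTEN_PID/LISTEN_FDS variables defined by sd_listen_fds(3); the child plays the activated service, checks LISTEN_PID against its own pid, reads the bound port off the inherited fd and serves only if that port matches the one it expects. The matching by bound port is a deliberate simplification of what systemd in the container does, and an ephemeral loopback port stands in for port 23 so the script runs without privileges.

```python
import os
import socket

# systemd hands activated sockets to the started process beginning at this fd
# number (see sd_listen_fds(3)); that is why the host unit says "--pass-fds 3".
SD_LISTEN_FDS_START = 3


def listen_fds(environ, pid):
    """Return the fds passed by socket activation, per the sd_listen_fds(3) protocol.

    LISTEN_PID must equal the caller's own pid: if the variables were merely
    inherited from a parent, the fds are not meant for this process.  LISTEN_FDS
    is the count of consecutive fds starting at SD_LISTEN_FDS_START.
    """
    if environ.get("LISTEN_PID") != str(pid):
        return []
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    if count <= 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def match_fds_to_ports(fds, wanted_ports):
    """Map each inherited TCP fd to the port it is bound to, or None if unwanted.

    Simplified stand-in (assumption, not systemd's code) for what systemd in the
    container does with the fds it receives at startup: compare each socket's
    bound address with the ListenStream values of its .socket units.  A port
    with no matching unit yields None so the caller can close that fd.
    """
    mapping = {}
    for fd in fds:
        sock = socket.socket(fileno=fd)   # wrap the existing fd, no dup
        try:
            port = sock.getsockname()[1]
        finally:
            sock.detach()                 # leave the fd open for the real owner
        mapping[fd] = port if port in wanted_ports else None
    return mapping


def make_listener(host="127.0.0.1", port=0):
    """Open a listening TCP socket, the role ListenStream= plays in the host unit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def activated_service(expected_port):
    """Child side: the activated service that must find its socket on fd 3."""
    fds = listen_fds(os.environ, os.getpid())
    ports = match_fds_to_ports(fds, {expected_port})
    chosen = [fd for fd, p in ports.items() if p == expected_port]
    if not chosen:
        raise SystemExit("no activated socket bound to port %d" % expected_port)
    srv = socket.socket(fileno=chosen[0])
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"activated on fd %d: " % chosen[0] + conn.recv(64))
    srv.close()


def main():
    # Constructed demo playing the host systemd: open the socket first, then
    # start a child with the socket as fd 3 and LISTEN_PID/LISTEN_FDS set, the
    # way systemd starts virsh and libvirt in turn starts the container's PID 1.
    srv = make_listener()          # ephemeral port stands in for ListenStream=23
    port = srv.getsockname()[1]
    pid = os.fork()
    if pid == 0:
        raw = srv.detach()
        if raw != SD_LISTEN_FDS_START:
            os.dup2(raw, SD_LISTEN_FDS_START)
            os.close(raw)
        os.environ["LISTEN_PID"] = str(os.getpid())
        os.environ["LISTEN_FDS"] = "1"
        activated_service(port)
        os._exit(0)
    srv.close()                    # parent keeps no copy after the hand-off
    client = socket.create_connection(("127.0.0.1", port))
    with client:
        client.sendall(b"hello")
        print(client.recv(64).decode())
    os.waitpid(pid, 0)


if __name__ == "__main__":
    main()
```

Running the script prints the echo reply prefixed with the fd number the service found, which is 3. The LISTEN_PID check is the part worth keeping in mind when reading the unit files: the descriptor is only valid for the process systemd (or libvirt) actually started, so a service that forks helpers without clearing the variables would hand a listening socket to processes that were never meant to serve on it.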

Finally, make sure this SSH service is set to start on boot of the container, by running the following command inside the container:

# mkdir -p /etc/systemd/system/sockets.target.wants/
# ln -s /etc/systemd/system/sshd.socket /etc/systemd/system/sockets.target.wants/

This example shows how to activate the container based on an incoming SSH connection. If the container was also configured to have an httpd service, it may be desirable to activate it upon either an httpd or a sshd connection attempt. In this case, the mycontainer.socket file in the host would simply list multiple socket ports. Inside the container a separate xxxxx.socket file would need to be created for each service, with a corresponding ListenStream value set.

Run the following commands to make sure the SSH service is set to start at container boot.

This shows how an incoming SSH connection activates the container. If the container supports multiple services, we need to create multiple xxx.socket files inside the container and set the corresponding ListenStream values.