On 07/10/2015 07:27 AM, Colin Walters wrote:
> On Wed, Jul 8, 2015, at 04:30 AM, Tobias Florek wrote:
>> Hi,
>>
>> tldr: add early-docker daemon (a la coreos) to support running
> I think a two-level approach would indeed allow implementing a
> number of nontrivial deployment types. Probably not *all* of them
> though (at least at the current time).
>
> This is possible today without modifying the host by simply
> cp /usr/lib/systemd/system/docker.service
> /etc/systemd/system/early-docker.service
> and making modifications such as pointing storage to /var/lib/early-docker
> etc., right?
> I haven't tried it though.
>
> My current feeling is to keep this discussion open, and to document
> implementations that can be made outside of host modifications right now.
That early docker probably would need to run with host network. With
devmapper, it would probably need its own pool. Or maybe use overlayfs.
Not sure about the socket, use IP instead? We have a need for a
similar docker split, for different reasons, and we're looking at runc
which seems perfect.
>
>> I need to connect bare-metal atomic hosts via ipsec. That works (with
>> minor quirks) using the privileged ibotty/ipsec-libreswan container.
>> Unfortunately, because it is using docker, it starts pretty late in the
>> boot process. Fortunately I drop sensitive traffic before ipsec is up.
> But you're not fetching the images over ipsec? Just securing
> container-generated
> traffic?
>
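A concrete version of the copy-and-modify approach from Colin's reply, as an added example that is not part of this thread: a shell function that derives an early-docker unit from a constructed stand-in for docker.service, giving the second daemon its own graph dir, exec root, pidfile and unix socket so it never shares state with the regular daemon. The daemon flags and every path other than /var/lib/early-docker are my assumptions (2015-era docker CLI), and the unix socket is one option where the thread leaves socket vs. IP open.

```shell
#!/bin/sh
# Constructed stand-in for /usr/lib/systemd/system/docker.service, not the
# real file from an Atomic host (the real unit carries more directives).
SAMPLE_UNIT="$(mktemp)"
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=Docker Application Container Engine
After=network.target

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=/usr/bin/docker -d $OPTIONS

[Install]
WantedBy=multi-user.target
EOF

# Print an early-docker unit derived from the given docker.service.
# Only the description, environment file and ExecStart are rewritten; every
# other directive (Type, After, Install) is carried over unchanged.
# Flags (-g, --exec-root, -p, -H) are assumed from the 2015 docker CLI.
make_early_docker_unit() {
    unit="$1"
    sed -e 's|^Description=.*|Description=Early Docker daemon (separate state)|' \
        -e 's|^EnvironmentFile=.*|EnvironmentFile=-/etc/sysconfig/early-docker|' \
        -e 's|^ExecStart=/usr/bin/docker -d|ExecStart=/usr/bin/docker -d -g /var/lib/early-docker --exec-root /var/run/early-docker -p /var/run/early-docker.pid -H unix:///var/run/early-docker.sock|' \
        "$unit"
}

# Sanity check before installing: the derived unit must point at its own
# graph dir and socket and must not touch the default docker socket.
check_unit_isolated() {
    grep -q -- '-g /var/lib/early-docker' "$1" &&
    grep -q -- '-H unix:///var/run/early-docker.sock' "$1" &&
    ! grep -q -- '/var/run/docker.sock' "$1"
}

# Usage: write the derived unit next to the sample and verify it.
make_early_docker_unit "$SAMPLE_UNIT" > "$SAMPLE_UNIT.early"
check_unit_isolated "$SAMPLE_UNIT.early" && echo "early-docker unit is isolated"
```

Install the result as /etc/systemd/system/early-docker.service (as the thread suggests) only after the check passes; the two daemons must never point at the same graph dir or devmapper pool.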