On Mon, 27.10.14 11:24, Rich Freeman (r-syst...@thefreemanclan.net) wrote:

> On Mon, Oct 27, 2014 at 10:49 AM, Lennart Poettering
> <lenn...@poettering.net> wrote:
> > In general I think making use of socket notification here would be the
> > much better option, as it removes the entire need for ordering things
> > here. nspawn already supports socket activation just fine. If your
> > mysql container would use this, then you could start the entire mysql
> > container at the same time as the mysql client without any further
> > complexity or synchronization, and it would just work.
>
> Is socket activation supported for nspawn containers that use network
> namespaces?
Yes. The socket passed in doesn't have to be from the same namespace as
the container runs in. It's kinda cool, as this allows locking down
containers pretty strictly, but still granting them access on some very
specific listening socket.

(Note though that ymmv on this, because depending on the software you
use it might want to reverse-dns lookup incoming connections, and that
would fail if the container doesn't have network access to do DNS...
That said, if mysql would do reverse-dns of all incoming connections it
would be really stupid...)

> Incoming connections would not be pointed at the host IP,
> but at the container's IP, which the host wouldn't otherwise be
> listening on since the interface for it does not yet exist.
>
> Or do I need to move everything to different port numbers and use the
> host IP?

Network namespaces are relevant for the process that originally binds
the sockets. In the case of socket-activated containers that would be
the host. If you then pass the fds into the containers and those are
locked into their own namespaces, then any sockets they create and bind
would be from their own namespace, but the one they got passed in would
still be from the original host namespace. If they then accept a
connection on that passed-in socket, that connection socket would also
be part of the same host namespace -- not of the containers.

Hence, two rules:

a) if you have a socket, then all sockets you derive from it via
   accept() stay part of the same namespace as that original socket.

b) any new sockets you generate via socket() are part of whatever
   network namespace your process is currently in.

Hope that makes sense?

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
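The two rules above, shown in an added example that is not code from the thread or from systemd: the parent stands in for the host and binds a loopback listener before any namespace change, the child unshares into a fresh network namespace the way a container would, and then asks the kernel (SIOCGSKNS, Linux 4.9 and later) which namespace the passed-in listener, the accept()ed connection and a freshly created socket belong to. It assumes Linux and root (CAP_SYS_ADMIN for unshare, CAP_NET_ADMIN for SIOCGSKNS); the helper names are my own.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <linux/sockios.h>
/* Inode of the calling process's network namespace (0 on error). */
static ino_t self_netns(void) {
    struct stat st;
    return stat("/proc/self/ns/net", &st) == 0 ? st.st_ino : 0;
}
/* Inode of the namespace a socket belongs to, via SIOCGSKNS (Linux >= 4.9,
 * needs CAP_NET_ADMIN over that namespace). 0 on error or on a bad fd. */
static ino_t socket_netns(int fd) {
    struct stat st;
    int ns = ioctl(fd, SIOCGSKNS);
    if (ns < 0) return 0;
    ino_t ino = fstat(ns, &st) == 0 ? st.st_ino : 0;
    close(ns);
    return ino;
}

int main(void) {
    /* Host side: bind the listener before any namespace change, as the host does for an activation socket. */
    struct sockaddr_in a = { .sin_family = AF_INET,
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&a, alen) || listen(lfd, 1) ||
        getsockname(lfd, (struct sockaddr *)&a, &alen)) { perror("listen"); return 1; }
    pid_t child = fork();
    if (child == 0) {                 /* "container": move into a new network namespace */
        if (unshare(CLONE_NEWNET) < 0) { perror("unshare (needs CAP_SYS_ADMIN)"); _exit(1); }
        int conn = accept(lfd, NULL, NULL);           /* rule a: derived from the host socket */
        int fresh = socket(AF_INET, SOCK_STREAM, 0);  /* rule b: lands in the new namespace */
        printf("process ns %lu | passed-in %lu | accept()ed %lu | socket() %lu\n",
               (unsigned long)self_netns(), (unsigned long)socket_netns(lfd),
               (unsigned long)socket_netns(conn), (unsigned long)socket_netns(fresh));
        _exit(0);
    }
    int c = socket(AF_INET, SOCK_STREAM, 0);  /* host-side client, same namespace as lfd */
    connect(c, (struct sockaddr *)&a, alen);  /* reachable even though the child has no interfaces */
    waitpid(child, NULL, 0);
    return 0;
}
```

Run as root: the passed-in and accept()ed sockets report the host namespace inode while the process and its socket() report the new one; without privilege the child's unshare fails and the SIOCGSKNS queries return 0.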