[libvirt] [PATCH] Document use of systemd socket activation

Eric Blake eblake at redhat.com
Mon Aug 12 15:35:37 UTC 2013


On 08/12/2013 09:03 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> 
> Add to the docs/drvlxc.html.in documentation to describe how to
> configure systemd to auto-activate a container when a client
> connects to a socket
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  docs/drvlxc.html.in | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 119 insertions(+)

> 
> +
> +<p>
> +Lets assume that you already have a LXC guest created, running

s/Lets/Let's/

s/a LXC/an LXC/ ?  (depends on whether you pronounce it "ell-ex-cee"
instead of something shorter such as "licks")

> +a systemd instance as PID 1 inside the container, which has an
> +SSHD service configured. The goal is to automatically activate
> +the container when the first SSH connection is made. The first
> +step is to create a couple of unit files for the host OS systemd
> +instance. The <code>/etc/systemd/system/mycontainer.service</code>
> +unit file specifies how systemd will start the libvirt LXC container
> +</p>
> +
> +<pre>
> +[Unit]
> +Description=My little container
> +
> +[Service]
> +[Service]

Duplicate line.

> +ExecStart=/usr/bin/virsh -c lxc:/// start --pass-fds 3 mycontainer
> +ExecStop=/usr/bin/virsh -c lxc:/// destroy mycontainer
> +Type=oneshot
> +RemainAfterExit=yes
> +KillMode=none
> +</pre>
> +
> +<p>
> +The <code>--pass-fds 3</code> argument specifies that the file
> +descriptor number 3 that <code>virsh</code> inherits from systemd,
> +is to be passed into the container. Since <code>virsh</code>  will

Unneeded double space before 'will'

> +exit immediately after starting the container, the <code>RemainAfterExit</code>
> +and <code>KillMode</code> settings must be altered from their defaults.
> +</p>
> +
> +<p>
> +Next, the <code>/etc/systemd/system/mycontainer.socket</code> unit
> +file is created to get the host systemd to listen on port 23 for
> +TCP connections. When this unit file is activated by the first
> +incoming connection, it will cause the <code>mycontainer.service</code>
> +unit to be activated with the FD coresponding to the listening TCP

s/coresponding/corresponding/

> +socket passed in as FD 3.
> +</p>
> +
> +<pre>
> +[Unit]
> +Description=The SSH socket of my little container
> +
> +[Socket]
> +ListenStream=23
> +</pre>
> +
> +<p>
> +Port 23 was picked here so that the container doesn't conflict
> +with the host's SSH which is on the normal port 22. That's it
> +in terms of host side configuration.
> +</p>
> +
> +<p>
> +Inside the container, the <code>/etc/systemd/system/sshd.socket</code>
> +unit file must be created
> +</p>
> +
> +<pre>
> +[Unit]
> +Description=SSH Socket for Per-Connection Servers
> +
> +[Socket]
> +ListenStream=23
> +Accept=yes
> +</pre>
> +
> +<p>
> +The <code>ListenStream</code> value listed in this unit file, must
> +match the value used in the host file. When systemd in the container
> +receives the pre-opened FD from libvirt during container startup, it
> +looks at the <code>ListenStream</code> values to figure out which
> +FD to give to which servie. The actual service to start is defined

s/servie/service/

> +by a correspondingly named <code>/etc/systemd/system/sshd at .service</code>
> +</p>
> +
> +<pre>
> +[Unit]
> +Description=SSH Per-Connection Server for %I
> +
> +[Service]
> +ExecStart=-/usr/sbin/sshd -i
> +StandardInput=socket
> +</pre>
> +
> +<p>
> +Finally, make sure this SSH service is set to start on boot of the container,
> +by running the following command inside the container:
> +</p>
> +
> +<pre>
> +# mkdir -p /etc/systemd/system/sockets.target.wants/
> +# ln -s /etc/systemd/system/sshd.socket /etc/systemd/system/sockets.target.wants/
> +</pre>
> +
> +<p>
> +This example shows how to activate the container based on an incoming
> +SSH connection. If the container was also configured to have an httpd
> +service, it may be desirable to activate it upon either an httpd or a
> +sshd connection attempt. In this case, the <code>mycontainer.socket</code>
> +file in the host would simply list multiple socket ports. Inside the
> +container a separate <code>xxxxx.socket</code> file would need to be
> +created for each service, with a corresponding <code>ListenStream</code>
> +value set.
> +</p>
> +
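
Review bot: the host-side walkthrough ends with "That's it in terms of host side configuration" right after the mycontainer.socket unit, but no step in the text actually starts that socket unit, and neither mycontainer.socket nor mycontainer.service carries an [Install] section, so a reader cannot `systemctl enable` them either. Suggest adding an explicit host-side step mirroring the container-side one already shown, e.g. `# systemctl start mycontainer.socket`, and an `[Install]` section with `WantedBy=sockets.target` if activation should survive a host reboot. Two smaller points in the same region: `ListenStream=23` with no address makes the host listen on every interface, so a sentence noting that `ListenStream=127.0.0.1:23` (or a firewall rule) limits who can trigger the container's SSH would help readers who do not intend to expose it; and giving the in-container sshd.socket an [Install] section would let the manual `mkdir`/`ln -s` pair become `systemctl enable sshd.socket`.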

ACK with typos fixed.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
