On Wed, Jul 8, 2015, at 04:30 AM, Tobias Florek wrote:
> Hi,
>
> tldr: add early-docker daemon (a la coreos) to support running

I think a two-level approach would indeed allow implementing a number of nontrivial deployment types. Probably not *all* of them though (at least at the current time).

This is possible today without modifying the host by simply
cp /usr/lib/systemd/system/docker.service /etc/systemd/system/early-docker.service
and making modifications such as pointing storage to /var/lib/early-docker etc., right? I haven't tried it though.

My current feeling is to keep this discussion open, and to document implementations that can be made outside of host modifications right now.

> I need to connect bare-metal atomic hosts via ipsec. That works (with
> minor quirks) using the privileged ibotty/ipsec-libreswan container.
> Unfortunately, because it is using docker, it starts pretty late in the
> boot process. Fortunately I drop sensitive traffic before ipsec is up.

But you're not fetching the images over ipsec? Just securing container-generated traffic?
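The "copy docker.service and adjust it" idea sketched in the reply, worked through as an added example (this is not code from the thread, from Atomic or from CoreOS). The sample docker.service text is constructed, not the real Fedora unit, and the storage root, pid file and socket path given to the second daemon are assumptions modelled on the CoreOS early-docker layout; the `--graph`, `--pidfile` and `-H` flags are the Docker 1.x daemon flags for those settings. The point the check enforces is the one a practitioner would want: a second daemon must not share its graph directory, socket or pid file with the regular one, or the two will step on each other's state.

```shell
#!/bin/sh
# Added example: derive an early-docker.service from a docker.service,
# giving the second daemon its own storage root, socket and pid file and
# ordering it before the regular one. Paths are assumptions (CoreOS-style).

# Constructed stand-in for /usr/lib/systemd/system/docker.service
# (not the real Fedora/Atomic unit).
SAMPLE_DOCKER_UNIT='[Unit]
Description=Docker Application Container Engine
After=network.target

[Service]
Type=notify
ExecStart=/usr/bin/docker daemon -H fd://
MountFlags=slave
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target'

# make_early_docker_unit UNIT_TEXT
# Prints the derived unit: renamed, ordered Before=docker.service, and with
# the daemon pointed at /var/lib/early-docker, its own pid file and its own
# unix socket instead of the systemd-passed fd:// socket.
make_early_docker_unit() {
    printf '%s\n' "$1" | awk '
        /^Description=/ { print "Description=Early Docker Application Container Engine (example)"; next }
        /^After=/       { print; print "Before=docker.service"; next }
        /^ExecStart=/   {
            sub(/ -H fd:\/\//, "")
            print $0 " --graph=/var/lib/early-docker" \
                     " --pidfile=/var/run/early-docker.pid" \
                     " -H unix:///var/run/early-docker.sock"
            next
        }
        { print }'
}

# check_no_shared_state UNIT_TEXT
# Returns 0 only if the unit references neither the regular daemon's graph
# directory, nor its socket/pid file, nor the fd:// socket that docker.socket
# hands to docker.service. Two daemons sharing any of these corrupt each other.
check_no_shared_state() {
    if printf '%s\n' "$1" | grep -Eq '/var/lib/docker(/| |$)|/var/run/docker\.|fd://'; then
        return 1
    fi
    return 0
}

# Stand-alone usage: ./early-docker.sh --print > /etc/systemd/system/early-docker.service
if [ "${1:-}" = "--print" ]; then
    unit=$(make_early_docker_unit "$SAMPLE_DOCKER_UNIT")
    check_no_shared_state "$unit" || { echo "derived unit still shares state with docker.service" >&2; exit 1; }
    printf '%s\n' "$unit"
fi
```

Run with `--print` to review the derived unit before placing it under /etc/systemd/system; because it is generated from a copy rather than a drop-in, a later package update of docker.service does not change early-docker.service, which is what makes the host-side change reversible.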