On Sat, Feb 2, 2019 at 11:52 PM Grant Taylor <gtay...@gentoo.tnetconsulting.net> wrote:
>
> On 2/2/19 9:39 PM, Michael Jones wrote:
> > systemd-nspawn is also an option, but I don't think that'll work with
> > OpenRC.
>
> Ya.... I moved (back to) Gentoo to get away from systemd. I'm not
> going to voluntarily opt to use it, or any of its children. That's
> /my/ opinion. I know others' opinions differ.
>
Nothing wrong with that approach. I use systemd-nspawn to run a bunch of containers, hosted in Gentoo, many of which run Gentoo. However, these all run systemd, and I don't believe you can run nspawn without a systemd host (the guest/container can be anything). In my case these are containers running full distros with systemd, not just single-process containers. However, nspawn does support single-process containers, and that includes with veth, but nspawn WON'T initialize networking in those containers (i.e. DHCP etc.), leaving this up to the guest (it does provide a config file for systemd-networkd inside the guest, if it is in use, to autoconfigure DHCP).

I'm not exactly certain what you're trying to accomplish, but namespaces are just a kernel system call when it comes down to it (two of them, I think, offhand). Two util-linux programs provide direct access to them for shell scripts: unshare and nsenter. If you're just trying to run a process in a separate namespace so that it can use veth/etc. then you could probably initialize that in a script run from unshare. If you don't need more isolation you could run it right from the host filesystem without a separate mount or process namespace. Or you could create a new mount namespace but only modify specific parts of it, like /var/lib or whatever.

People generally equate containers with docker, but as you seem to get, you can do a lot with namespaces without basically running completely independent distros. Now, I will point out that there are good reasons for keeping things separate - they may or may not apply to your application.
If you just want to run a single daemon on 14 different IPs and have each of those daemons see the same filesystem minus /var/lib and /etc, that is something you could certainly do with namespaces, and the only resource cost would be the storage of the extra /var/lib and /etc directories (they could even use the same shared libraries in RAM, and indeed the same process image itself, I think). The only gotcha is that I'm not sure how much of it is already done, so you may have to roll your own. If you find generic solutions for running services in partially-isolated namespaces with network initialization taken care of for you I'd be very interested in hearing about it.

-- 
Rich
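The "script run from unshare" approach Rich describes, carried through as an added example (this is not code from the thread, from util-linux or from any project): one daemon instance per IP, each in its own network and mount namespace, with a veth pair brought up by hand and a private /etc and /var/lib bind-mounted over the host's while everything else stays the host filesystem. The daemon path (/usr/sbin/mydaemon), the instance directory (/srv/instances), the host bridge (br0), the interface names and the 192.0.2.0/24 addresses are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: run one daemon per IP in a fresh net + mount namespace using
# util-linux unshare/nsenter, no container runtime involved.
# DAEMON, INSTANCE_ROOT and BRIDGE are hypothetical defaults, not from the thread.
set -eu

DAEMON="${DAEMON:-/usr/sbin/mydaemon}"        # hypothetical daemon to isolate
INSTANCE_ROOT="${INSTANCE_ROOT:-/srv/instances}"
BRIDGE="${BRIDGE:-br0}"                       # hypothetical host bridge for the veth host ends

# Per-instance state: a copy of /etc and an empty var-lib. This copy is the
# only extra storage an instance costs; binaries and libraries stay shared.
prepare_instance() {
    name=$1
    dir="$INSTANCE_ROOT/$name"
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir/var-lib"
        cp -a /etc "$dir/etc"
    fi
    echo "$dir"
}

# Emit the commands that run *inside* the new namespaces. By the time they
# execute, unshare has already given the process its own network and mount
# namespace, so the veth guest end and the bind mounts are invisible to the host.
# Interface names must stay within the kernel's 15-character limit.
instance_setup_script() {
    name=$1 ip=$2 gw=$3
    dir="$INSTANCE_ROOT/$name"
    guest="eth0" host="ve-$name"
    cat <<EOF
set -eu
# --- networking: what nspawn would leave to the guest, done by hand ---
ip link add $guest type veth peer name $host
# Move the host end to init's network namespace: /proc is still the host's,
# so "netns 1" names the host namespace. Then attach it to the bridge from there.
ip link set $host netns 1
nsenter --net=/proc/1/ns/net ip link set $host master $BRIDGE up
ip link set lo up
ip link set $guest up
ip addr add $ip dev $guest
ip route add default via $gw
# --- filesystem: same root, but private /etc and /var/lib ---
# Make propagation private first so the binds cannot leak back to the host.
mount --make-rprivate /
mount --bind $dir/etc /etc
mount --bind $dir/var-lib /var/lib
exec $DAEMON
EOF
}

# Create the namespaces and hand the generated script to a shell inside them.
# Needs root (CAP_SYS_ADMIN, CAP_NET_ADMIN) on the host.
run_instance() {
    name=$1 ip=$2 gw=$3
    prepare_instance "$name" >/dev/null
    unshare --net --mount sh -c "$(instance_setup_script "$name" "$ip" "$gw")"
}

# Usage:  ./nsdaemon.sh show web01 192.0.2.11/24 192.0.2.1   (print the inner script)
#         ./nsdaemon.sh run  web01 192.0.2.11/24 192.0.2.1   (start the instance)
case "${1:-}" in
    run)  run_instance "$2" "$3" "$4" ;;
    show) instance_setup_script "$2" "$3" "$4" ;;
esac
```

Fourteen instances are a loop over fourteen name/address pairs calling run_instance. Two caveats a practitioner should keep in mind: this unshares only the network and mount namespaces, so the daemon still shares PID, IPC and user namespaces with the host and runs with root's full capabilities, which is partial isolation in the sense Rich means, not a sandbox; and because /etc is replaced wholesale, anything the daemon reads from /etc (resolv.conf, passwd, TLS trust store) has to be present and maintained in the per-instance copy.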