Last active
October 27, 2016 19:41
-
-
Save philips/650129aed5b1217813dbc249ee6e5a22 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Example of rkt today with systemd service file generation and systend-nspawn execution of systemd. | |
| $ sudo rkt run docker://redis --insecure-options image | |
| $ rkt list | grep redis | |
| 764de9a0 redis registry-1.docker.io/library/redis:latest running 5 minutes ago 5 minutes ago default:ip4=172.16.28.2 | |
| $ ps aux | grep 764de9a0 | |
| root 8168 4.4 0.1 41780 4440 pts/2 S+ 19:04 0:13 stage1/rootfs/usr/lib/ld-linux-x86-64.so.2 stage1/rootfs/usr/bin/systemd-nspawn --boot --register=true --link-journal=try-guest --quiet --uuid=764de9a0-9442-4512-9d73-5a040dac5fe2 --machine=rkt-764de9a0-9442-4512-9d73-5a040dac5fe2 --directory=stage1/rootfs --bind=/mnt/sda1/var/lib/rkt/pods/run/764de9a0-9442-4512-9d73-5a040dac5fe2/sharedVolumes/redis-volume-data:/opt/stage2/redis/rootfs/data --capability=CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FSETID,CAP_FOWNER,CAP_KILL,CAP_MKNOD,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SETUID,CAP_SETGID,CAP_SETPCAP,CAP_SETFCAP,CAP_SYS_CHROOT -- --default-standard-output=tty --log-target=null --show-status=0 | |
| $ cat /var/lib/rkt/pods/run/764de9a0-9442-4512-9d73-5a040dac5fe2/stage1/rootfs/usr/lib64/systemd/system/redis.service | |
| [Unit] | |
| Description=Application=redis Image=registry-1.docker.io/library/redis | |
| DefaultDependencies=false | |
| Wants=reaper-redis.service | |
| OnFailure=halt.target | |
| Requires=prepare-app@-opt-stage2-redis-rootfs.service | |
| After=prepare-app@-opt-stage2-redis-rootfs.service | |
| Requires=sysusers.service | |
| After=sysusers.service | |
| [Service] | |
| Restart=no | |
| ExecStart="/usr/local/bin/docker-entrypoint.sh" "redis-server" | |
| RootDirectory=/opt/stage2/redis/rootfs | |
| MountFlags=shared | |
| WorkingDirectory=/data | |
| EnvironmentFile=/rkt/env/redis | |
| User=0 | |
| Group=0 | |
| SupplementaryGroups= | |
| SyslogIdentifier=redis | |
| CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SETFCAP CAP_SYS_CHROOT | |
| SystemCallFilter=accept accept4 access alarm bind brk capget capset chdir chmod chown chown32 clock_getres clock_gettime clock_nanosleep close connect copy_file_range creat dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr | |
| SystemCallFilter=flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftruncate ftruncate64 futex futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 | |
| SystemCallFilter=getxattr inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioprio_get ioprio_set io_setup io_submit ipc kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr _llseek lremovexattr lseek lsetxattr lstat lstat64 madvise memfd_create mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 mprotect mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl | |
| SystemCallFilter=msgget msgrcv msgsnd msync munlock munlockall munmap nanosleep newfstatat _newselect open openat pause personality pipe pipe2 poll ppoll prctl pread64 preadv prlimit64 pselect6 pwrite64 pwritev read readahead readlink readlinkat readv recv recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_getaffinity | |
| SystemCallFilter=sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp select semctl semget semop semtimedop send sendfile sendfile64 sendmmsg sendmsg sendto setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 setitimer setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address setuid setuid32 | |
| SystemCallFilter=setxattr shmat shmctl shmdt shmget shutdown sigaltstack signalfd signalfd4 sigreturn socket socketcall socketpair splice stat stat64 statfs statfs64 symlink symlinkat sync sync_file_range syncfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_settime timer_getoverrun timer_gettime timer_settime times tkill truncate truncate64 ugetrlimit umask uname unlink unlinkat utime utimensat utimes vfork vmsplice | |
| SystemCallFilter=wait4 waitid waitpid write writev arch_prctl modify_ldt chroot clone | |
| NoNewPrivileges=false | |
| InaccessibleDirectories=-/opt/stage2/redis/rootfs/sys/firmware | |
| InaccessibleDirectories=-/opt/stage2/redis/rootfs/sys/fs | |
| InaccessibleDirectories=-/opt/stage2/redis/rootfs/sys/hypervisor | |
| InaccessibleDirectories=-/opt/stage2/redis/rootfs/sys/module | |
| InaccessibleDirectories=-/opt/stage2/redis/rootfs/sys/power | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/proc/bus | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/proc/sys/kernel/core_pattern | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/proc/sys/kernel/modprobe | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/proc/sys/vm/panic_on_oom | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/proc/sysrq-trigger | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/sys/block | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/sys/bus | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/sys/class | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/sys/dev | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/sys/devices | |
| ReadOnlyDirectories=-/opt/stage2/redis/rootfs/sys/kernel | |
| DevicePolicy=closed | |
| ReadWriteDirectories=/opt/stage2/redis/rootfs/data | |
| StandardOutput=journal+console | |
| StandardError=journal+console | |
| TimeoutStartSec=0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Illustration purposes only but a strawman of how an occam stage1 would work | |
| $ sudo rkt run docker://redis --insecure-options image | |
| $ rkt list | grep redis | |
| 764de9a0 redis registry-1.docker.io/library/redis:latest running 5 minutes ago 5 minutes ago default:ip4=172.16.28.2 | |
| $ ps aux | grep 764de9a0 | |
| root 8168 4.4 0.1 41780 4440 pts/2 S+ 19:04 0:13 runc some flags | |
| $ cat /var/lib/rkt/pods/run/764de9a0-9442-4512-9d73-5a040dac5fe2/stage1/rootfs/run/runc/redis/config.json | |
| { | |
| "ociVersion": "0.5.0-dev", | |
| "platform": { | |
| "os": "linux", | |
| "arch": "amd64" | |
| }, | |
| "process": { | |
| "terminal": true, | |
| "user": { | |
| "uid": 0, | |
| "gid": 0, | |
| "additionalGids": [ | |
| 5, | |
| 6 | |
| ] | |
| }, | |
| "args": [ | |
| "/usr/local/bin/docker-entrypoint.sh", "redis-server" | |
| ], | |
| ... etc etc... | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment