
Systemd can now pull and update container images from the Internet - catern
https://plus.google.com/+LennartPoetteringTheOneAndOnly/posts/SkKuBF1XaNF
======
houst0n_
When the big debate about systemd was going on, I couldn't really care less.
In fact, I thought a future where the big distros used the same init system
was a rosy one. No need to have to rewrite some init script to yet another
system depending on the flavour of my clients. No need for our config
management tools to have a gazillion 'if os == foo' statements.

Now, I'm just not so sure. The feature creep here is remarkable. Why on earth
would systemd have anything to do with container management? Surely the
'docker' (or whatever) _service_ which systemd is supposed to be managing
should be doing this?

Another nail in the coffin of simple software that does one thing well.

Edit: s/docker/container management/

~~~
vruiz
It's not about docker, it's about systemd-nspawn, which is systemd's own
alternative to docker.

I'm with you here, at first I didn't understand the alarm but now I'm starting
to see the danger of this trend.

~~~
ris
I don't think systemd is moving into this territory just for fun. I seem to
recall it's because the kernel is now moving towards unified cgroup trees; if
systemd wants to be able to use cgroups it more or less has to be "in charge"
of them at the root, meaning it's going to have to take care of this sort of
functionality.

~~~
jacquesm
Linux should simply adopt jails and get it over with rather than to get stuck
in NIH territory.

~~~
ris
Right. They should "port" a feature that's intricately linked with the
internal workings of a kernel over from another completely alien kernel.

~~~
jacquesm
Nobody said it would be easy.

~~~
ris
You... more or less implied it.

------
sciurus
It seems like, if they renamed systemd-nspawn and systemd-import to take
"systemd" out of their names, a lot of controversy would go away.

~~~
pmahoney
I was looking into systemd-nspawn recently because I wanted some container
features (tcp port namespace, so I can have multiple groups of processes run
and connect to an instance of mysqld on the default port, on a ci server).

I installed it, ran it, and it immediately complained "not a systemd system"
and refused to run. I've not looked into things further, but presumably
systemd-nspawn requires that systemd be running, which was a surprise to me
since systemd-nspawn calls itself "chroot on steroids", and chroot cares
nothing about the init system.

~~~
chimeracoder
> systemd-nspawn calls itself "chroot on steroids", and chroot cares nothing
> about the init system.

If I remember correctly, systemd-nspawn uses cgroups (hence the "steroids"
part of "chroot on steroids").

On Linux, cgroups require a single manager for all cgroups (in this case
systemd). This is not a systemd limitation; it is a requirement set by the
Linux kernel[0].

In theory you could bring your own cgroup manager, but cgroups are nascent
enough that trying to make a userland tool like systemd-nspawn work with a
completely pluggable cgroup manager would be a nightmare.

[0]
[http://www.freedesktop.org/wiki/Software/systemd/ControlGrou...](http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/)

~~~
pmahoney
Hm, interesting. I'm certainly largely ignorant of how cgroups works, but I
was wishing for a tool like "chroot" that could also "ch-network-namespace" or
something. I've skimmed over cgroups documentation [1] several times, but
never quite gotten a solid mental model of how everything fits together.

[1]
[https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt](https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt)

~~~
geofft
You're probably looking for the "unshare" command and corresponding system
call (or the same flags to the "clone" system call). Specifically, running
"sudo unshare -n bash" will get you a shell with no network devices other than
lo. You can then find the pid and use "ip link set dev eth0 netns 1234" from
outside to move eth0 into the new namespace (more practically, you might make
a virtual network device and move one end into the new namespace).

[http://man7.org/linux/man-pages/man2/unshare.2.html](http://man7.org/linux/man-pages/man2/unshare.2.html)

[http://man7.org/linux/man-pages/man2/clone.2.html](http://man7.org/linux/man-pages/man2/clone.2.html)

[http://man7.org/linux/man-pages/man1/unshare.1.html](http://man7.org/linux/man-pages/man1/unshare.1.html)

Loosely a "container" (in the LXC or Docker sense) is a combination of making
new namespaces, which isolate the process tree from the rest of the system in
various ways (filesystem, network, hostname as returned by "uname", etc.), and
making a cgroup, which allows for process tracking and resource allocation.

~~~
pmahoney
Ah, great stuff, thanks! This small piece of the whole set of container
features may be exactly what I want.

------
revelation
Great, and it's a bunch of C with obvious memory leaks (remember, if there's a
_dup_ in that function name, it's gonna allocate memory) and other problems
parsing complex formats it's downloaded off the web.

This is terrible in both the "why is systemd doing this" and "it's just plain
terrible software" sense.

~~~
pedrocr
_> it's a bunch of C with obvious memory leaks (remember, if there's a dup in
that function name, it's gonna allocate memory)_

That's only really an issue if someone ever turns this into a library and
calls it from long-running code. As a command line utility the small amounts
of memory that are leaked don't amount to too much waste and everything gets
reclaimed on exit.

~~~
revelation
I don't trust someone that can't get memory leaks in a simple utility function
right to get the big, big things with writing software in C correct.

This is Poettering's code after all, and he had his fingers in more than just
command line utilities when it comes to systemd.

Writing this kind of software in C requires serious discipline and religious
use of valgrind.

~~~
tree_of_item
Isn't the point that it's not a leak if the program exits quickly?

~~~
jacquesm
If you can't be trusted to get the bookkeeping right what makes you think the
rest of the program is solid?

Being able to manage your allocation is a pretty good sign that a C programmer
knows what he's doing. Relying on 'exit' to free your memory is backporting
the web mentality to unix land; it just simply doesn't work that way. There is
no different attitude when you write a long running daemon versus a utility
program, because for all you know your utility program code will be re-purposed
to become part of a longer running daemon. So you write your code in as clean
a manner as possible, balance your allocs/frees, and make sure that you
don't have any latent buffer overflows which you may not care about today
because of the context your code executes in today, because tomorrow that
context of execution might change and then we're looking at yet another
exploit.

~~~
digi_owl
> Relying on 'exit' to free your memory is backporting the web mentality to
> unix land

A very fitting description of systemd as a whole.

------
Spidler
I just hope they check for certificates better than Docker does.

systemd-nspawn is a really fun thing to work with for developing
early-init/daemons of various kinds, and this adds a bit more tools to that.

------
jacquesm
If you want to avoid systemd your choices are apparently: Slack, Crux and
Gentoo or switching to *BSD.

[http://distrowatch.com/weekly.php?issue=20140908#qa](http://distrowatch.com/weekly.php?issue=20140908#qa)

Here's to hoping that debian at least will reverse their position or that some
group will fork it:

[https://devuan.org/](https://devuan.org/)

~~~
eleitl
I am switching to *BSD.

~~~
linuxydave
I'm seriously considering it. The fact that Digital Ocean offers FreeBSD means
I get to try it out beforehand which is a bonus.

~~~
jacquesm
You're going to have to change your nick ;)

~~~
linuxydave
Yeah :(

------
tmikaeld
Is there anything more we can throw into systemd, perhaps http/https/v8 server
so we can replace apache, nginx and nodejs as well?

I don't like how systemd starts doing everything, people keep pointing to
alternatives but when things start to depend on systemd for functioning the
alternatives start to disappear one after another.

I'm also thinking that each new feature like this would widen the area for
potential security vulnerabilities.

~~~
Spidler
There already is an HTTP server there. Its log support / shipping is done via
HTTP as a transport.

~~~
digi_owl
And presenting your phone with a QR code housing the initial private key of
the journald forward security "feature".

A feature apparently developed by Poettering's brother as a doctoral thesis...

------
transfire
What operating system do you use? "Systemd"

------
dschiptsov
Do not forget security updates and service packs.

------
SixSigma
PXE, Gpxe were all you ever needed.

[http://etherboot.org/](http://etherboot.org/)

------
signa11
How close are we to realizing Zawinski's law with systemd?

------
moe
Shouldn't systemd embed a BitTorrent client before it starts downloading
things?

------
throwawayaway
If systemd could somehow be controlled from emacs, we're looking at a whole new
operating system paradigm here.

