Re: [atomic-devel] RFC: use early-docker to support additional software on atomic host
- From: Waldemar Augustyn <waldemar astyn com>
- To: Colin Walters <walters verbum org>, atomic-devel projectatomic io
- Subject: Re: [atomic-devel] RFC: use early-docker to support additional software on atomic host
- Date: Fri, 10 Jul 2015 07:45:42 -0700
On 07/10/2015 07:27 AM, Colin Walters wrote:
> On Wed, Jul 8, 2015, at 04:30 AM, Tobias Florek wrote:
>> Hi,
>>
>> tldr: add early-docker daemon (a la coreos) to support running
> I think a two-level approach would indeed allow implementing a
> number of nontrivial deployment types. Probably not *all* of them
> though (at least at the current time).
>
> This is possible today without modifying the host by simply
> cp /usr/lib/systemd/system/docker.service /etc/systemd/system/early-docker.service
> and making modifications such as pointing storage to /var/lib/early-docker etc., right?
> I haven't tried it though.
>
> My current feeling is to keep this discussion open, and to document
> implementations that can be made outside of host modifications right now.
That early docker probably would need to run with host network. With
devmapper, it would probably need its own pool. Or maybe use overlayfs.
Not sure about the socket, use IP instead??. We have a need for a
similar docker split, for different reasons, and we're looking at runc
which seems perfect.
>
>> I need to connect bare-metal atomic hosts via ipsec. That works (with
>> minor quirks) using the privileged ibotty/ipsec-libreswan container.
>> Unfortunately, because it is using docker, it starts pretty late in the
>> boot process. Fortunately I drop sensitive traffic before ipsec is up.
> But you're not fetching the images over ipsec? Just securing container-generated
> traffic?
>
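
The copy-and-modify approach quoted above from Colin Walters, sketched as an example added to this archive page (not code from the thread or from Project Atomic): it derives a second unit whose storage, runtime directory, pidfile and Unix socket are all separate from the main daemon's. The `docker.service` text is a constructed sample, the instance name and `/run` paths are assumptions, and the flag names are those of current `dockerd` (2015-era docker used `--graph` for the storage directory).

```shell
#!/bin/sh
# Constructed stand-in for /usr/lib/systemd/system/docker.service.
sample_docker_unit() {
cat <<'EOF'
[Unit]
Description=Docker Application Container Engine
After=network.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# stdin: docker unit; stdout: unit for a second daemon with its own state.
# $1 is an assumed instance name; the paths built from it are assumptions.
make_early_unit() {
    awk -v n="${1:-early-docker}" '
        /^Description=/ { print "Description=Early Docker daemon (" n ")"; next }
        /^ExecStart=.*\\$/ { exit 2 }  # continued ExecStart: edit by hand
        /^ExecStart=/ {
            $0 = $0 " --data-root=/var/lib/" n " --exec-root=/run/" n
            $0 = $0 " --pidfile=/run/" n ".pid --host=unix:///run/" n ".sock"
        }
        { print }'
}

# Succeed only if the unit on stdin overrides storage, runtime dir, pidfile
# and socket, so it cannot collide with the main daemon's defaults.
is_isolated() {
    exec_line=$(grep '^ExecStart=') || return 1
    for flag in --data-root= --exec-root= --pidfile= --host=unix://; do
        case $exec_line in *" $flag"*) ;; *) return 1 ;; esac
    done
}

sample_docker_unit | make_early_unit early-docker
```

On a real host the input would be the distribution's own unit and the output would be written to `/etc/systemd/system/early-docker.service`, followed by `systemctl daemon-reload`. Running `is_isolated` on the result before enabling it catches a unit that still shares `/var/lib/docker` or the default socket with the main daemon.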