Finally someone taking advantage of what systemd has to offer instead of bitching around.
Systemd is incredibly versatile and most people, including myself, are unaware of its full potential. Despite its usefulness, it is often overlooked due to controversy and the current state of things when it comes to software development. Begin today your journey thought Systemd’s capabilities and discover how to efficiently manage systems with fewer processes than traditionally required. More: tadeubento.com/…/systemd-hidden-gems-for-a-better…
LXC is way more resource intensive and actually systemd had containers for a very long time… not to forget that if you use those you don’t need to install one more thing :)
systemd manages cgroups, a very well standardized kernel interface for process management, which I would say is something init should be able to do. The gap between that, and a container is mostly semantic.
Personally I’d like my container/vm/chroot handled by something detached from pid 1. I get that much of the overal systemd project is separate blocks of code but it’s the fact they are bound together that it becomes an issue. I would have loved for the systemd team yo first publish a set of APIs that all their components would us and allow the same integration while being completely different projects.
Yeah the preference is yours, at the end of the day, I don’t think it matters what tools you use as long as it works.
Worth noting is that a process not managed by pid 1 isn’t really a thing you want generally. If you use systemd to start the docker daemon, which then starts your container, its still managed by pid 1 eventually. Perhaps you prefer the tooling and interface of docker more than machinectl, or maybe podman just isnt working for you, they’re all just tools to interact with kernel namespaces and cgroups. For doing a little dabbling in another distro, installing docker is pretty heavy vs what the article is talking about.
I don’t think it matters what tools you use as long as it works.
That would be true if other systems and services depend on them. Would have been nice to come out with a standard and designed systemd around that standard. Then you pick the tool you want that follows the standard rather than be tied into systemd.
Worth noting is that a process not managed by pid 1 isn’t really a thing you want generally
I would disagree. A compromised Docker doesn’t mean i have access to things managed by PID1. The entire control model is based around moving your publicly available services further away from something with the highest level of access. Be it users or processes.
nixcademy.com
Hot