Full system roll-back and systemd in SUSE Linux Enterprise 12
1. SUSE Linux Enterprise 12
Innovations in System Boot and
Full System Roll-back
Gábor Nyers
Sales Engineer @SUSE
gnyers@suse.com
2. 2
Agenda
● Quick overview of SLE 12
● Full-system rollback
►Demo: Full-system rollback, integration of snapper and grub2
● System initialization with systemd
►Feature overview, compatibility, from traditional init scripts to unit files; demos
5. 5
SUSE® Linux Enterprise Server 12
Lifecycle Model
10 years lifecycle + 3 years Extended Support
[Timeline figure: General Support covers years 1 to 10, Extended Support years 11 to 13; each release (GA, SP1, SP2, SP3, SP4) is followed by its own LTSS phase]
• 13-year lifecycle (10 years general support, 3 years extended support)
• Long Term Service Pack Support (LTSS) available for all versions, including GA
6. 6
SUSE® Linux Enterprise
Lifecycle & Code Streams
[Figure: code streams SLE 10, SLE 11 (SP2, SP3, SP4) and SLE 12 (GA, SP1) plotted on a 2011 to 2016 timeline]
13-year lifecycle: for SLES 11 and SLES 12, 10 years general support + 3 years Long Term Support
Tentative – dates subject to change
SUSE Linux Enterprise 12: Long Term Service Pack Support for every Service Pack
10. 10
Components
Grub2: boot loader integration for full system rollback
Snapper: GUI and CLI tool for
easy snapshot/rollback
Btrfs: default filesystem with fault tolerance,
repair, and easy management features
12. 12
Btrfs feature overview
Supported by SUSE
● Copy-on-Write
● Snapshots
● Subvolumes
● Data integrity
● Metadata integrity
● On-line scrubbing
● Manual de-duplication
● Quota Groups
Work in progress
● Inode Cache
● Auto Defrag
● RAID
● Transparent compression
● Send / Receive
● Hot add / remove
● Seeding devices
13. 13
Btrfs Concepts: Subvolumes
Subvolume(s)...:
… appear to be a directory
… start as an independent but empty root node
… are independently mountable
… are independently snapshotable
… are “equals” amongst each other, but there is a designated “default subvolume”
[Figure: three subvolumes (/, /home, /var/log), each a B-Tree with its own root node; / is the default subvolume; all share the same storage blocks]
14. 14
Btrfs Concepts: Snapshots
Snapshot(s)...:
… are an independent clone of the state of a subvolume
… share all raw data with its ancestor after creation
… may be (practically) unlimited in number
… are either RO or RW
… may be “nested”, that is “snapshot of a snapshot”
[Figure: the / and /home subvolume B-Trees with cloned B-Trees pointing at the same data blocks]
When a snapshot is created, the parent and child sub-trees point to the same data blocks
18. 18
Snapper feature overview
● btrfs, ext4 and LVM
● Plug-in support
● Grub2 integration
● Stores metadata with
snapshot
►free text for humans
►key = value pairs for
computers
● Management of multiple
btrfs filesystems and
subvolumes
►Automatic snapshot creation
►Configurable clean-up
algorithms
►Creates RO snapshots by
default
►Snapshots for non-root users
►Show difference between
snapshots
►Mount snapshots
19. 19
sles1201:~ # snapper list
Type | # | Pre # | Date | User | Cleanup | Description | Userdata
-------+----+-------+---------------------------------+------+----------+-------------------------------------------------------+--------------------------------
single | 0 | | | root | | current |
single | 1 | | Mon 27 Oct 2014 09:52:24 PM CET | root | timeline | This is a free-text description for human consumption | changeID=Demo001, myvar1=value1
single | 2 | | Mon 27 Oct 2014 10:00:19 PM CET | root | home-tux | 1st snapshot for user tux |
single | 3 | | Mon 27 Oct 2014 10:01:10 PM CET | root | home-tux | 1st snapshot for user tux |
single | 8 | | Mon 27 Oct 2014 11:18:19 PM CET | root | | Recovery point 2014-10-27 |
single | 9 | | Tue 28 Oct 2014 12:41:46 AM CET | root | | Rolling back to snapshot 8 |
single | 10 | | Tue 28 Oct 2014 12:41:46 AM CET | root | | Rolling back to snapshot 8 |
single | 11 | | Tue 28 Oct 2014 01:17:01 AM CET | root | | Recovery point 2 | important=yes
single | 12 | | Tue 28 Oct 2014 05:47:39 AM CET | root | | Rolling back disabled state to Recovery point 2 |
single | 13 | | Tue 28 Oct 2014 05:47:40 AM CET | root | | Rolling back disabled state to Recovery point 2 |
pre | 18 | | Tue 28 Oct 2014 11:16:22 PM CET | root | number | yast apparmor |
post | 19 | 18 | Tue 28 Oct 2014 11:16:41 PM CET | root | number | |
pre | 20 | | Mon 19 Jan 2015 09:25:19 PM CET | root | number | zypp(zypper) | important=yes
post | 21 | 20 | Mon 19 Jan 2015 09:34:32 PM CET | root | number | | important=yes
pre | 22 | | Mon 19 Jan 2015 09:55:14 PM CET | root | number | zypp(zypper) | important=no
post | 23 | 22 | Mon 19 Jan 2015 09:55:26 PM CET | root | number | | important=no
pre | 24 | | Mon 19 Jan 2015 10:52:22 PM CET | root | number | zypp(zypper) | important=no
post | 25 | 24 | Mon 19 Jan 2015 10:52:24 PM CET | root | number | | important=no
pre | 26 | | Thu 22 Jan 2015 12:37:27 AM CET | root | number | yast sw_single |
post | 27 | 26 | Thu 22 Jan 2015 12:38:35 AM CET | root | number | |
pre | 28 | | Thu 22 Jan 2015 12:50:23 AM CET | root | number | yast repositories |
post | 29 | 28 | Thu 22 Jan 2015 01:00:49 AM CET | root | number | |
sles1201:~ #
Snapper – snapshot management
20. 20
Snapper – Metadata
Meta information stored with each snapshot:
►Type : [ Pre | Post | Single ]
►# : Number of the snapshot
►Pre # : Matching “Pre” number, if type is “Post”
►Date : Timestamp
►User : User who created the snapshot
►Cleanup : Cleanup algorithm for this snapshot
►Description : A fitting description of the snapshot (free text)
►Userdata : key=value pairs to record all sorts of useful information about the snapshot in a machine-readable form (e.g. for easy parsing from scripts)
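The Userdata column is meant for scripts, and the table on the previous slide is regular enough to parse. The following is an added example, not part of the original deck or of the snapper project: it parses `snapper list` output into records, splits the key=value userdata, matches each post snapshot with its pre snapshot, and selects snapshots tagged important=yes. The sample table is constructed from a subset of the rows shown on the slide.

```python
# Constructed sample, copied in shape from the 'snapper list' output shown on the slide.
SAMPLE_SNAPPER_LIST = """\
sles1201:~ # snapper list
Type   | #  | Pre # | Date                            | User | Cleanup  | Description               | Userdata
-------+----+-------+---------------------------------+------+----------+---------------------------+--------------------------------
single | 0  |       |                                 | root |          | current                   |
single | 1  |       | Mon 27 Oct 2014 09:52:24 PM CET | root | timeline | Free-text for humans      | changeID=Demo001, myvar1=value1
single | 8  |       | Mon 27 Oct 2014 11:18:19 PM CET | root |          | Recovery point 2014-10-27 |
pre    | 20 |       | Mon 19 Jan 2015 09:25:19 PM CET | root | number   | zypp(zypper)              | important=yes
post   | 21 | 20    | Mon 19 Jan 2015 09:34:32 PM CET | root | number   |                           | important=yes
pre    | 22 |       | Mon 19 Jan 2015 09:55:14 PM CET | root | number   | zypp(zypper)              | important=no
post   | 23 | 22    | Mon 19 Jan 2015 09:55:26 PM CET | root | number   |                           | important=no
sles1201:~ #
"""

def parse_userdata(field):
    """'key=value, key2=value2' -> dict; an empty field yields {}."""
    result = {}
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed userdata item: {item!r}")
        result[key.strip()] = value.strip()
    return result

def parse_snapper_list(output):
    """Turn the table printed by 'snapper list' into a list of dicts keyed by the
    header names (Type, #, Pre #, Date, User, Cleanup, Description, Userdata).
    Prompt lines and the dashed separator row are skipped."""
    rows, header = [], None
    for line in output.splitlines():
        if "|" not in line or set(line.strip()) <= set("-+"):
            continue
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
            continue
        rec = dict(zip(header, cells))          # a trailing empty cell is dropped by zip
        rec["#"] = int(rec["#"])
        rec["Pre #"] = int(rec["Pre #"]) if rec["Pre #"] else None
        rec["Userdata"] = parse_userdata(rec["Userdata"])
        rows.append(rec)
    return rows

def pre_post_pairs(rows):
    """Match every 'post' snapshot with its 'pre' snapshot via the 'Pre #' column."""
    by_number = {r["#"]: r for r in rows}
    return [(r["Pre #"], r["#"]) for r in rows
            if r["Type"] == "post" and r["Pre #"] in by_number]

def snapshots_with(rows, key, value):
    """Numbers of snapshots whose userdata carries key=value, e.g. important=yes."""
    return [r["#"] for r in rows if r["Userdata"].get(key) == value]

if __name__ == "__main__":
    rows = parse_snapper_list(SAMPLE_SNAPPER_LIST)
    print("pre/post pairs:", pre_post_pairs(rows))
    print("important:", snapshots_with(rows, "important", "yes"))
```

The pre/post pairs are what `snapper diff` or `snapper status` would be run against to review what a package operation changed before deciding to roll back.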
24. 24
Grub2 Features
● Scripting support
● Dynamic modules
● Custom menus
● Boot LiveCD ISO images directly from hard drive
25. 25
Full System Roll-back 1/2
● Rollback to a good state with one click for faster
recovery from planned or unplanned downtime
● Support for service pack rollback
● Support for kernel upgrade
● Based on btrfs and Snapper, bootloader integration
26. 26
Full System Roll-back 2/2
Goal:
Reduce operational
downtime by
quickly
restoring the system to a
well-known
working state.
27. 27
Demo: Full system roll-back
● Create recovery point
● Wreak havoc
● Boot system → fail!
● Boot system to recovery point → read-only!
● Roll-back system using snapper
29. 29
The boot process in general
http://en.wikipedia.org/wiki/Linux_startup_process
BIOS → Boot loader → Kernel → Init → Login Prompt
BIOS: hardware init (RAM, PCI bus, USB, video, keyboard, disks, etc.); enumerate disks; find and load boot loader from disk
Boot loader: enumerate bootable OS's; user interaction (optional); load and run OS (Linux: kernel+initrd)
Kernel: kernel init; hardware init (remaining HW); decompress initrd and run init
Init: mount root and other filesystems; start system and network services; start getty & display manager
Login Prompt: authorize user; set up session
30. 30
The Init Process
Init: mount root and other filesystems; start services; start getty & display manager
A few Linux init system implementations:
● sysvinit (SysV style)
● Upstart (Ubuntu)
● OpenRC
● systemd
● etc...
A few problems with traditional init systems:
● rely heavily on shell scripting:
► slow,
► fragile,
► redundancy, hard to read: 100s of shell script lines vs. a 10-20 line Unit File
● weak parallelism
32. 32
What is systemd? 1/3
● a system- and session manager for Linux,
● provides aggressive parallelization capabilities,
(no shell during boot!)
● uses socket and D-Bus activation for starting services,
● offers on-demand starting of services,
● keeps track of processes using Linux cgroups,
33. 33
What is systemd? 2/3
● supports restoring the system's state to a predefined
state,
● maintains mount and auto-mount points,
● provides dependency based service control logic,
● provides replacements for a number of well-known tools,
e.g.: udev, automount, inetd, consolekit and syslog,
● a drop-in replacement for sysvinit
34. 34
What is systemd? 3/3
There is a lot of criticism and opinions as well...
● “It's not the UNIX way”
referring to the “do one thing and do it well” maxim
● “It's monolithic”
● “It introduces too many dependencies”
● (and worse)
... but we won't be addressing these today :-)
35. 35
“If I had asked people
what they wanted, they
would have said faster
horses”
Henry Ford
36. 36
systemd adoption
Distribution             | Added to repositories | Enabled by default?           | Released as default
SUSE Linux Enterprise    | v12                   | Yes                           | Yes
openSUSE                 | v11.4                 | Yes                           | v12.2 (2012)
Fedora                   | v15 (2011)            | Yes                           | v15 (2011)
Red Hat Enterprise Linux | v7 (2014)             | Yes                           | v7 (2014)
Debian                   | in 2012               | No, planned for Debian Jessie | Not yet released
Arch Linux               | in 2012               | Yes                           | 2012
see also: http://en.wikipedia.org/wiki/Systemd#Adoption_and_reception
37. 37
Compatibility with SysV Init Scripts
● systemd-sysvinit pkg provides compatible versions of
halt, init, poweroff, reboot, runlevel, shutdown, telinit
● init scripts may be augmented with systemd
mechanisms, e.g. dependencies
● There are also incompatibilities: see [1] for
comprehensive list
[1]: http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities/
sles1201:~ # systemctl status nfs
nfs.service - LSB: NFS client services
Loaded: loaded (/etc/init.d/nfs)
Drop-In: /run/systemd/generator/nfs.service.d
└─50-insserv.conf-$remote_fs.conf
Active: inactive (dead)
sles1201:~ # cat /run/systemd/generator/nfs.service.d/50-insserv.conf-$remote_fs.conf
# Automatically generated by systemd-insserv-generator
[Unit]
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
sles1201:~ #
39. 39
Kernel Cgroups (Control Groups)
● Linux Kernel facility allowing the grouping of processes (and their “children”) into a tree-structure hierarchy
● Each group can be assigned a quota for these system resources:
►CPU
►RAM
►Disk I/O
►Network I/O
Control groups hierarchy created by systemd
├─machine.slice
│ └─machine-qemux2dsles1201.scope
│ └─20958 /usr/bin/qemu-system-x86_64 -m...
├─user.slice
│ ├─user-0.slice
│ │ └─user@0.service
│ │ ├─4322 /usr/lib/systemd/systemd --us...
│ │ └─4323 (sd-pam)
│ ├─user-1000.slice
│ │ ├─session-560.scope
│ │ │ ├─ 2810 /usr/bin/claws-mail
│ │ │ ├─ 3035 /usr/lib64/firefox/firefox
│ │ │ ├─ 3086 /usr/lib/mozilla/kmozillahel...
│ │ │ ├─ 5459 /bin/bash
│ │ │ ├─ 7854 /usr/bin/kwalletmanager --kw...
│ │ ├─session-1.scope
│ │ │ ├─4179 /bin/bash ./bridge start
│ │ │ └─4182 dnsmasq --conf-file=mydnsmasq...
│ │ └─user@1000.service
│ │ ├─1891 /usr/lib/systemd/systemd --us...
│ │ └─1892 (sd-pam)
│ └─user-489.slice
│ └─user@489.service
│ ├─1703 /usr/lib/systemd/systemd --us...
│ └─1704 (sd-pam)
└─system.slice
├─libvirtd.service
│ └─4008 /usr/sbin/libvirtd --listen
├─rsyslog.service
│ └─985 /usr/sbin/rsyslogd -n
├─apache2.service
│ ├─1254 /usr/sbin/httpd2-prefork -f /et...
│ └─1840 /usr/sbin/httpd2-prefork -f /et...
See also: SLES 12 Tuning Guide, Ch8: “Kernel Control Groups” and Kernel documentation on cgroups
40. 40
Demo: Kernel Cgroups
Managing cgroups
►How to find the cgroup configuration?
►List currently running cgroups
with lscgroup (pkg libcgroup-tools)
with systemd-cgls (pkg systemd)
→ nicely shows the cgroup hierarchy created by systemd
►Limit resources
►See also:
►cgexec - run the task in given control groups
►cgclassify - move running task(s) to given cgroups
41. 41
Socket-based activation
►Using sockets, systemd can monitor the availability of the connected service
►When the service crashes, the messages sent to the socket will be buffered (~ MBs)
►Especially well suited for services that mostly receive through the socket, e.g. syslog
►Temporary stand-in for the service
►example: during boot kmsg is active but at some point syslog takes over
See also: http://0pointer.de/blog/projects/socket-activation.html
sles1201:~ # systemctl list-sockets
LISTEN UNIT ACTIVATES
/dev/initctl systemd-initctl.socket systemd-initctl.service
/dev/log systemd-journald.socket systemd-journald.service
/run/dmeventd-client dm-event.socket dm-event.service
/run/dmeventd-server dm-event.socket dm-event.service
/run/systemd/journal/socket systemd-journald.socket systemd-journald.service
/run/systemd/journal/stdout systemd-journald.socket systemd-journald.service
/run/systemd/journal/syslog syslog.socket rsyslog.service
/run/systemd/shutdownd systemd-shutdownd.socket systemd-shutdownd.service
/run/udev/control systemd-udevd-control.socket systemd-udevd.service
/var/run/dbus/system_bus_socket dbus.socket dbus.service
/var/run/pcscd/pcscd.comm pcscd.socket pcscd.service
[...]
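The two properties this slide relies on, the manager owning the listening socket so that data queues up while no service is running, and the service picking the socket up via the LISTEN_PID/LISTEN_FDS environment convention, can be shown without systemd. The block below is an added example and not code from the deck or from systemd: it reimplements the sd_listen_fds(3) check in Python, binds a Unix socket as the "manager" would, lets clients write before any "service" exists, and then lets the "service" adopt the socket and drain what was buffered. Because everything runs in one process, the demo passes the listener's real fd number as the start fd instead of the fixed 3 that systemd uses after exec.

```python
import os
import socket
import tempfile

SD_LISTEN_FDS_START = 3  # the fd number at which systemd hands over the first socket

def listen_fds(environ, pid=None, start_fd=SD_LISTEN_FDS_START):
    """Pure-Python equivalent of sd_listen_fds(3): return the fds the manager passed
    in, or [] when LISTEN_PID names another process (variables inherited from a
    parent are stale and must not be trusted)."""
    pid = os.getpid() if pid is None else pid
    if environ.get("LISTEN_PID") != str(pid):
        return []
    count = int(environ.get("LISTEN_FDS", "0"))
    return list(range(start_fd, start_fd + count))

def manager_open_socket(path, backlog=16):
    """'systemd' side: bind and listen before the service process exists, so
    clients can already connect; their data waits in the kernel buffers."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(backlog)
    return sock

def service_drain(fds):
    """'service' side: adopt the inherited listening fds and read what has queued
    up. socket.fromfd() dups the descriptor, so closing our copy leaves the
    manager's descriptor intact, as a restart of the service would."""
    received = []
    for fd in fds:
        srv = socket.fromfd(fd, socket.AF_UNIX, socket.SOCK_STREAM)
        srv.setblocking(False)
        while True:
            try:
                conn, _ = srv.accept()
            except BlockingIOError:        # backlog drained
                break
            with conn:
                received.append(conn.recv(4096).decode())
        srv.close()
    return received

def demo():
    """Clients write two messages before any 'service' runs; the service started
    afterwards still receives both, in order, from the manager-owned socket."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")
        listener = manager_open_socket(path)
        for msg in ("early message 1", "early message 2"):
            client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            client.connect(path)
            client.sendall(msg.encode())
            client.close()
        # What systemd exports for the child it spawns; start_fd is our real fd
        # number instead of 3 because no separate process is exec'd here.
        env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}
        fds = listen_fds(env, start_fd=listener.fileno())
        got = service_drain(fds)
        listener.close()
        return got

if __name__ == "__main__":
    print(demo())
```

The LISTEN_PID check matters in practice: a service that forks helpers and leaves the variables in their environment would otherwise have the helper mistake some unrelated fd 3 for a listening socket.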
42. 42
Unit File Types
● service
● target
● socket
● path
● device
● timer
● mount
● automount
● snapshot
● slice
● swap
● scope
43. 43
Generators
►Generators are located in /usr/lib/systemd/system-generators/
►Templates are located in directory /usr/lib/systemd/system-generators/
►Based on templates, systemd generators create one or more unit instances, for example for: getty, lvm; or mount units based on /etc/fstab
See also: http://www.freedesktop.org/wiki/Software/systemd/Generators/
sles1201:/etc/systemd # cat /usr/lib/systemd/system/user@.service
[Unit]
Description=User Manager for UID %i
After=systemd-user-sessions.service
[Service]
User=%i
PAMName=systemd-user
Type=notify
ExecStart=-/usr/lib/systemd/systemd --user
Slice=user-%i.slice
KillMode=mixed
44. 44
systemd
Unit files
● Unit file locations
● Unit file structure
● A few Unit file types:
►service
►socket
►target
►slice, scope
►timer
45. 45
Unit File Locations
(in order of precedence)
In system mode
(systemd --system)
►Runtime units:
/run/systemd/system/
►Local configuration:
/etc/systemd/system/
►Units of installed packages:
/usr/lib/systemd/system
In user mode
(systemd --user)
►User configuration:
$HOME/.config/systemd/user/
►Local configuration:
/etc/systemd/user/
►Runtime units:
/run/systemd/user/
►Units of installed packages:
/usr/lib/systemd/user/
46. 46
Unit File Syntax(*)
● Generic sections:
►[Unit]: Dependencies, etc..
►[Install]: What to do to install or remove
● Other
►empty lines and lines prefixed with “#” or “;” will be ignored
►“\” at line end will wrap long lines
● Options
►Pre-defined
►User defined, prefixed with “X-”
● Values
►Boolean: 1, “true”, “yes”, ”on” or 0, “false”, “no”, “off”
►Time: “50”, “4min 140ms”
Example layout ([Section] followed by Option = Value lines):
[Unit]
Option = Value
Option = Value
# This line will be ignored
; As well as this
[Install]
BooleanOption = true
Option = Value
Option = Value
[Specific Section]
Option = Value
Option = Value
X-MyOption = “User defined option”
See also man systemd.unit(5)
(*) Conforms to the “XDG Desktop Entry Specification”
47. 47
Unit File Logic 1/2
● Directory “foo.service.d” may contain “*.conf” files to alter or add configuration
● Directory “foo.service.wants/” can contain symlinks to dependencies of “foo.service”
● Unit file templates:
►getty@tty3.service will be generated from:
►getty@.service
Example foo.service:
[Unit]
# will include all settings from
# bar.service
.include bar.service
Description = foo service
Wanted = Value
; As well as this
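A small parser makes the rules from the syntax slide (comment lines, backslash continuation, X- options, boolean spellings) and from this slide (drop-in *.conf fragments layered on top of the unit) concrete. The block below is an added example, not code from the deck or from systemd; its SAMPLE_UNIT and SAMPLE_DROPIN are constructed, the former in the shape of the ntpd.service shown later, the latter in the shape of the insserv-generated fragment on the compatibility slide. The reset-on-empty-assignment rule (`After=` on its own clears the list) is systemd behaviour that the slides do not mention but that a drop-in author needs.

```python
TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"0", "false", "no", "off"}

# Constructed sample unit exercising comments, a backslash-continued line,
# a repeated option (After=) and a user-defined X- option.
SAMPLE_UNIT = """\
[Unit]
Description=NTP Server Daemon
Documentation=man:ntpd(1)
After=nss-lookup.target
Wants=network.target
After=network.target
# comment lines are ignored
; and so are these

[Service]
Type=forking
ExecStart=/usr/sbin/start-ntpd \\
    start
X-MyOption=user defined option

[Install]
WantedBy=multi-user.target
"""

# Constructed drop-in, shaped like a foo.service.d/*.conf fragment.
SAMPLE_DROPIN = """\
[Unit]
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
"""

def parse_unit(text):
    """Parse unit-file syntax into {section: {option: [values, ...]}}.
    Repeated options accumulate in order (After= may appear several times);
    'Option=' with an empty value resets the list, as it does in systemd."""
    sections, current, pending = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):                 # continuation: join with the next line
            pending.append(line[:-1].rstrip())
            continue
        line = " ".join(pending + [line])
        pending = []
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            sections[current][key] = []
        else:
            sections[current].setdefault(key, []).append(value)
    return sections

def parse_bool(value):
    """Boolean values as the unit syntax allows them: 1/true/yes/on and 0/false/no/off."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean: {value!r}")

def apply_dropins(unit, fragments):
    """Merge foo.service.d/*.conf fragments (given in sorted file-name order) on
    top of a parsed unit; later values extend a list, an empty value resets it."""
    merged = {s: {k: list(v) for k, v in opts.items()} for s, opts in unit.items()}
    for frag in fragments:
        for section, opts in parse_unit(frag).items():
            dst = merged.setdefault(section, {})
            for key, values in opts.items():
                if values:
                    dst.setdefault(key, []).extend(values)
                else:
                    dst[key] = []
    return merged

def effective(unit, section, key):
    """Last assignment wins for scalar options such as Type= or Description=."""
    values = unit.get(section, {}).get(key, [])
    return values[-1] if values else None

def user_options(unit):
    """User-defined options, i.e. those prefixed with 'X-', per section."""
    return {s: [k for k in opts if k.startswith("X-")]
            for s, opts in unit.items() if any(k.startswith("X-") for k in opts)}
```

`systemctl cat foo.service` shows exactly this layering (the unit followed by its drop-ins), so the merged result returned by `apply_dropins` is what you should compare against when a unit does not behave as its main file suggests.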
48. 48
Unit File Logic 2/2
[Unit] Directives
►Description, Documentation: make life easy
►Wants, Requires, Conflicts: express dependencies between units
►WantedBy, RequiredBy: reverse dependencies; will result in a symlink to this unit in the mentioned units' $unit.wants/ or $unit.requires/ directory
►Before, After: specify order when starting and stopping units
►Alias: when enabled, the unit will also be registered under these names
49. 49
Unit files: service
service units start and control daemons and the processes they consist of
sles1201:~ # cat /usr/lib/systemd/system/ntpd.service
[Unit]
Description=NTP Server Daemon
Documentation=man:ntpd(1)
After=nss-lookup.target
Wants=network.target
After=network.target
[Service]
Type=forking
PIDFile=/var/run/ntp/ntpd.pid
ExecStart=/usr/sbin/start-ntpd start
RestartSec=11min
Restart=always
[Install]
WantedBy=multi-user.target
See also: man systemd.service(5)
50. 50
Unit files: socket
socket units create local unix or network sockets, useful for socket based activation
sles1201:~ # systemctl -t socket
UNIT LOAD ACTIVE SUB DESCRIPTION
dbus.socket loaded active running D-Bus System Message Bus Socket
dm-event.socket loaded active running Device-mapper event daemon FIFOs
iscsid.socket loaded active listening Open-iSCSI iscsid Socket
pcscd.socket loaded active listening PC/SC Smart Card Daemon Activation Socket
syslog.socket loaded active running Syslog Socket
systemd-initctl.socket loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket loaded active running Journal Socket
systemd-shutdownd.socket loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
sles1201:~ # systemctl status dbus.socket
dbus.socket - D-Bus System Message Bus Socket
Loaded: loaded (/usr/lib/systemd/system/dbus.socket; static)
Active: active (running) since Wed 2015-01-28 14:37:31 CET; 7h ago
Listen: /var/run/dbus/system_bus_socket (Stream)
sles1201:~ # cat /usr/lib/systemd/system/dbus.socket
[Unit]
Description=D-Bus System Message Bus Socket
[Socket]
ListenStream=/var/run/dbus/system_bus_socket
sles1201:~ #
51. 51
Unit files: target
● target units:
►are useful to group units, or
►provide well-known synchronization points during boot-up
sles1201:~ # systemctl get-default
multi-user.target
sles1201:~ # systemctl -t target
UNIT LOAD ACTIVE SUB DESCRIPTION
basic.target loaded active active Basic System
cryptsetup.target loaded active active Encrypted Volumes
getty.target loaded active active Login Prompts
local-fs-pre.target loaded active active Local File Systems (Pre)
local-fs.target loaded active active Local File Systems
multi-user.target loaded active active Multi-User System
network.target loaded active active Network
nss-lookup.target loaded active active Host and Network Name Lookups
nss-user-lookup.target loaded active active User and Group Name Lookups
paths.target loaded active active Paths
remote-fs-pre.target loaded active active Remote File Systems (Pre)
remote-fs.target loaded active active Remote File Systems
[...]
►are equivalent to “runlevel”:
►`init 5` is equivalent to
►`systemctl isolate runlevel5.target`
►/etc/inittab is deprecated
►see also: systemd.target(5)
52. 52
Unit files: slice and scope
A standard hierarchy of processes and sessions for resource control
● slices:
►automatically created slices:
►“-” (root),
►machine
►user: parent for user-* slices
►system: parent for services
►see also: man systemd.slice(5)
● scopes:
►each session (on tty or graphical) is an individual scope
►see also: man systemd.scope(5)
-.slice
├─machine.slice
│ └─machine-qemux2dsles1201.scope
│ └─3721 /usr/bin/qemu-system-x86_64
│ -name sles1201 -machine
│ accel=kvm [...]
├─user.slice
│ ├─user-0.slice
│ │ └─user@0.service
│ │ └─4519 /usr/lib/systemd/systemd --user
. .
│ └─user-1000.slice
│ ├─session-1.scope
. .
│
└─system.slice
├─1 /sbin/init showopts
├─systemd-machined.service
│ └─3722 /usr/lib/systemd/systemd-machined
├─libvirtd.service
│ └─3514 /usr/sbin/libvirtd --listen
├─rsyslog.service
│ └─968 /usr/sbin/rsyslogd -n
.
53. 53
Unit files: timer
►Timer units trigger matching unit files at the defined moments, i.e. “foo.timer” has to have a matching foo.<unit type>
►Timers are monotonic, independent of wall-clock time and timezones.
sles1201:~ # cat /usr/lib/systemd/system/systemd-tmpfiles-clean.timer
[Unit]
Description=Daily Cleanup of Temporary Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
[Timer]
OnBootSec=15min
OnUnitActiveSec=1d
sles1201:~ # ls -1 /usr/lib/systemd/system/systemd-tmpfiles-clean*
systemd-tmpfiles-clean.service
systemd-tmpfiles-clean.timer
sles1201:~ # systemctl --all list-timers
NEXT LEFT UNIT ACTIVATES
Thu 2015-01-29 14:52:19 CET 13h left systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
n/a n/a systemd-readahead-done.timer systemd-readahead-done.service
►If system is suspended, the
monotonic clock stops too.
►see also:
man systemd.timer(5)
54. 54
Using unmodified SysV/LSB scripts
with systemd
►Compatibility mode with symlinks to /usr/lib/systemd/systemd: halt, init, poweroff, reboot, runlevel, shutdown, telinit
►Requests to the above utilities will be forwarded to systemd
►The correct invocation of an init script is through /sbin/service
►systemd understands and respects the LSB headers
►Be sure to check the list of incompatibilities with SysV, see [1], e.g.:
►The concept of runlevels is different from that of sysvinit
►Interactive scripts should use `systemd-ask-password`
[1] http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities/
55. 55
From SysV/LSB Script
to systemd Unit File
►Read and understand what the script does!
►Section [Unit]
Description and Documentation
Dependencies: based on the LSB headers “Required-Start”, “Required-Stop”
Ordering: “Before” or “After”
►Section [Service]
ExecStart: the full path to the service's binary/script
Type: How to monitor the daemon? Possible values: simple, forking, oneshot, dbus, notify, idle
PIDFile: the file containing a forked daemon's PID
►Section [Install]
Runlevel to corresponding target, e.g.: WantedBy=multi-user.target
►See also:
►man systemd.unit(5)
►man systemd.service(5)
►Lennart Poettering's blog article [1]
[1] “systemd for Administrators, Part III”, http://0pointer.de/blog/projects/systemd-for-admins-3.html
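The conversion steps above (LSB headers to [Unit] dependencies, runlevels to a target, daemon type and PID file to [Service]) can be mechanised for the routine part; reading the script itself remains the first step. The block below is an added example, not code from the deck and not systemd's own sysv-generator: it parses the `### BEGIN INIT INFO` block of a constructed init script and emits a unit. The facility-to-target table is an assumption modelled on what systemd's generator does and should be checked against the distribution in use; unknown `$facilities` are rejected rather than guessed.

```python
import re

# Assumed mapping of LSB virtual facilities to systemd targets (modelled on
# systemd's sysv-generator; verify against your distribution before relying on it).
FACILITY_TARGETS = {
    "$local_fs": "local-fs.target",
    "$remote_fs": "remote-fs.target",
    "$network": "network-online.target",
    "$named": "nss-lookup.target",
    "$time": "time-sync.target",
    "$syslog": None,   # the journal is available from early boot; nothing to order against
}

# Constructed init script; only its LSB header block matters for the conversion.
SAMPLE_INIT_SCRIPT = """\
#!/bin/sh
### BEGIN INIT INFO
# Provides:          foo
# Required-Start:    $network $remote_fs $syslog postgresql
# Required-Stop:     $network $remote_fs
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: foo daemon
# Description:       Example daemon used to illustrate the conversion
### END INIT INFO
echo "the script body is irrelevant here"
"""

def parse_lsb_header(script):
    """Return the 'Key: value' pairs of the '### BEGIN INIT INFO' block."""
    m = re.search(r"### BEGIN INIT INFO\n(.*?)### END INIT INFO", script, re.S)
    if not m:
        raise ValueError("script has no LSB header block")
    info = {}
    for line in m.group(1).splitlines():
        mm = re.match(r"#\s*([\w-]+):\s*(.*)$", line)
        if mm:
            info[mm.group(1)] = mm.group(2).strip()
    return info

def dependencies(required):
    """Map a Required-Start list to (After=, Wants=) unit names. Plain names are
    other init scripts and become *.service; unknown $facilities are rejected so
    that they are looked at by hand."""
    after, wants = [], []
    for dep in required.split():
        if dep.startswith("$"):
            if dep not in FACILITY_TARGETS:
                raise ValueError(f"unknown LSB facility {dep}; map it by hand")
            target = FACILITY_TARGETS[dep]
            if target:
                after.append(target)
                wants.append(target)
        else:
            after.append(f"{dep}.service")
    return after, wants

def wanted_by(default_start):
    """Runlevels 2-4 -> multi-user.target, 5 alone -> graphical.target, 1 -> rescue.target."""
    levels = set(default_start.split())
    if levels & {"2", "3", "4"}:
        return "multi-user.target"
    if "5" in levels:
        return "graphical.target"
    if "1" in levels:
        return "rescue.target"
    raise ValueError(f"no usable Default-Start runlevel in {default_start!r}")

def lsb_to_unit(script, exec_start, pidfile=None):
    """Build the unit as {section: [(option, value), ...]}. A daemon that forks
    needs Type=forking plus PIDFile= so systemd can track the main process."""
    info = parse_lsb_header(script)
    after, wants = dependencies(info.get("Required-Start", ""))
    unit = [("Description", info.get("Short-Description", "converted from init script"))]
    unit += [("After", a) for a in after] + [("Wants", w) for w in wants]
    service = [("Type", "forking" if pidfile else "simple"), ("ExecStart", exec_start)]
    if pidfile:
        service.append(("PIDFile", pidfile))
    install = [("WantedBy", wanted_by(info.get("Default-Start", "")))]
    return {"Unit": unit, "Service": service, "Install": install}

def render(unit):
    """Serialize the unit dict to unit-file text."""
    out = []
    for section, options in unit.items():
        out.append(f"[{section}]")
        out.extend(f"{k}={v}" for k, v in options)
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(lsb_to_unit(SAMPLE_INIT_SCRIPT, "/usr/sbin/foo -d", pidfile="/run/foo.pid")))
```

What the generated unit deliberately omits is as important as what it contains: the Required-Stop ordering is implied by After= (systemd stops in reverse start order), and `$syslog` disappears because the journal is available before any service starts.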
58. 58
Start / Stop / Restart / Enable / Disable
● Multiple services at the same time
● Completion (requires the “bash-completion” pkg)
sles1201:~ # systemctl status a<TAB><TAB>
after-local.service auditd.service
amavis.service autofs.service
apparmor.service autovt@.service
atd.service
sles1201:~ # systemctl status a
sles1201:~ # systemctl -t <TAB><TAB>
automount device mount path
service snapshot socket swap
target timer
sles1201:~ # systemctl -t <TAB><TAB>
sles1201:~ # systemctl restart ntpd apache2
sles1201:~ # systemctl status ntpd apache2
sles1201:~ # systemctl disable apache2
sles1201:~ # systemctl status apache2
apache2.service - The Apache Webserver
Loaded: loaded (/usr/lib/systemd/system...
Active: active (running) since Thu 2015...
Main PID: 12391 (httpd2-prefork)
Status: "Total requests: 0; Current req...
CGroup: /system.slice/apache2.service
├─12391 /usr/sbin/httpd2-prefor...
├─12408 /usr/sbin/httpd2-prefor...
├─12410 /usr/sbin/httpd2-prefor...
├─12411 /usr/sbin/httpd2-prefor...
├─12412 /usr/sbin/httpd2-prefor...
└─12413 /usr/sbin/httpd2-prefor...
59. 59
More informative service status
sles1201:~ # systemctl status postfix
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
Active: active (running) since Sun 2015-01-25 17:15:02 CET; 2 days ago
Process: 1182 ExecStartPost=/etc/postfix/system/cond_slp register (code=exited, status=0/SUCCESS)
Process: 1177 ExecStartPost=/etc/postfix/system/wait_qmgr 60 (code=exited, status=0/SUCCESS)
Process: 1072 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Process: 1061 ExecStartPre=/etc/postfix/system/update_postmaps (code=exited, status=0/SUCCESS)
Process: 1051 ExecStartPre=/etc/postfix/system/update_chroot (code=exited, status=0/SUCCESS)
Process: 1007 ExecStartPre=/etc/postfix/system/config_postfix (code=exited, status=0/SUCCESS)
Process: 992 ExecStartPre=/bin/echo Starting mail service (Postfix) (code=exited, status=0/SUCCESS)
Main PID: 1175 (master)
CGroup: /system.slice/postfix.service
├─ 1175 /usr/lib/postfix/master -w
├─ 1178 qmgr -l -t fifo -u
└─25344 pickup -l -t fifo -u
Jan 25 17:15:01 sles1201 echo[992]: Starting mail service (Postfix)
Jan 25 17:15:02 sles1201 postfix/postfix-script[1156]: warning: not owned by group maildrop:
/usr/sbin/postqueue
Jan 25 17:15:02 sles1201 postfix/postfix-script[1158]: warning: not owned by group maildrop:
/usr/sbin/postdrop
Jan 25 17:15:02 sles1201 postfix/postfix-script[1161]: warning: not set-gid or not owner+group+world
executable: /usr/sbin/postdrop
Jan 25 17:15:02 sles1201 postfix/postfix-script[1173]: starting the Postfix mail system
Jan 25 17:15:02 sles1201 postfix/master[1175]: daemon started -- version 2.11.0, configuration /etc/postfix
sles1201:~ #
60. 60
Managing remote machines
$ systemctl -H root@sles1201 status postfix.service
Host key fingerprint is bc:87:d7:c9:06:5f:16:1c:b2:e5:88:0f:8f:d7:f6:9d
+--[ECDSA 256]---+
| . o |
| w - B . |
| o o + |
| a . = . . |
| S o + = |
| o * = .o|
| o P * Eo|
| o . |
| |
+-----------------+
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
Active: active (running) since Wed 2015-01-28 14:37:51 CET; 12h ago
Main PID: 1340
CGroup: /system.slice/postfix.service
61. 61
Resource Control
Limit Apache service
►default CPUShares = 1024
►temporarily (until the next reboot):
systemctl set-property --runtime apache2.service CPUShares=612 MemoryLimit=500M
►permanently:
systemctl set-property apache2.service CPUShares=612 MemoryLimit=500M
or
“CPUShares=612” in the [Service] section of the Unit File
See also
►man systemd.resource-control(5)
►man systemd-cgtop
►“systemd's Resource Control Concepts” [1]
[1] http://www.freedesktop.org/wiki/Software/systemd/ControlGroupInterface/
63. 63
Containers with systemd-nspawn
Similar to chroot, but from within the container:
►RO access to /sys, /proc/sys, /sys/fs/selinux,
►No device files may be created and
►No changes to network and clock
Demo:
►Bootstrap a new filesystem
►Add repositories
►Install a few packages
►Start container
systemd-nspawn may be used to run a command or OS in a light-weight
namespace container. (man systemd-nspawn)
64. 64
systemd-nspawn
Demo: bootstrap a new container
Bootstrap a new filesystem
zypper --root /vmstore/containers/os131/ addrepo http://download.opensuse.org/distribution/13.1/repo/oss/ repo-oss
zypper --root /vmstore/containers/os131/ addrepo http://download.opensuse.org/distribution/13.1/repo/non-oss/ repo-non-oss
zypper --root /vmstore/containers/os131/ refresh
Install a few packages
zypper --root /vmstore/containers/os131/ install openSUSE-release-13.1-1.10.x86_64 bash iproute2 coreutils
Container size <60MB!
du -sm /vmstore/containers/os131/
56 /vmstore/containers/os131/
Start container
systemd-nspawn -D /vmstore/containers/os131/ /bin/bash
Spawning namespace container on /vmstore/containers/opensuse13.1 (console is
/dev/pts/8).
Init process in the container running as PID 26205.
Timezone Europe/Amsterdam does not exist in container, not updating container
timezone.
bash-4.2#
65. 65
Summary
● systemd introduces radical changes in the Linux boot process
● Because of the richness of the unit file vocabulary and tools it can be overwhelming at first
● Transitioning to systemd is made easier by the “compatibility” features
● By making clear choices and enforcing its standards (for good or ill) systemd will simplify things
● The adoption of systemd is already large and growing
67. Unpublished Work of SUSE. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE.
Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of
their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated,
abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making
purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document,
and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The
development, release, and timing of features or functionality described for SUSE products remains at the sole
discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at
any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in
this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All
third-party trademarks are the property of their respective owners.