alexvanin/distribution
1
0
Fork 0
forked from TrueCloudLab/distribution
Code Pull requests Activity
distribution/docs/recipes/systemd.md

106 lines
3 KiB
Markdown
Raw Normal View History

Add documentation for socket activation Signed-off-by: Geoffrey Hausheer <rc2012@pblue.org>
2023-08-27 17:12:07 +00:00
---
description: Using systemd to manage registry container
keywords: registry, on-prem, systemd, socket-activated, recipe, advanced
title: Start registry via systemd
---
## Use-case
Using systemd to manage containers can make service discovery and maintenance easier
by managining all services in the same way. Additionally, when using Podman, systemd
can start the registry with socket-activation, providing additional security options:
* Run as non-root and expose on a low-numbered socket (< 1024)
* Run with `--network=none`
### Docker
When deploying the registry via Docker, a simple service file can be used to manage
the registry:
registry.service
```
[Unit]
Description=Docker registry
After=docker.service
Requires=docker.service
[Service]
#TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStart=/usr/bin/docker run --name %N \
-v registry:/var/lib/registry \
-p 5000:5000 \
registry:2
[Install]
WantedBy=multi-user.target
```
In this case, the registry will store images in the named-volume `registry`.
Note that the container is destroyed on restart instead of using `--rm` or
destroy on stop. This is done to make accessing `docker logs ...` easier in
the case of issues.
### Podman
Podman offers tighter integration with systemd than Docker does, and supports
socket-activation of containers.
#### Create service file
```
podman create --name registry --network=none -v registry:/var/lib/registry registry:2
podman generate systemd --name --new registry > registry.service
```
#### Create socket file
registry.socket
```
[Unit]
Description=container registry
[Socket]
ListenStream=5000
[Install]
WantedBy=sockets.target
```
### Installation
Installation can be either rootful or rootless. For Docker, rootless configurations
often include additional setup steps that are beyond the scope of this recipe, whereas
for Podman, rootless containers generally work out of the box.
#### Rootful
Run as root:
* Copy registry.service (and registry.socket if relevant) to /etc/systemd/service/
* Run `systemctl daemon-reload`
* Enable the service:
* When using socket activation: `systemctl enable registry.socket`
* When **not** using socket activation: `systemctl enable registry.service`
* Start the service:
* When using socket activation: `systemctl start registry.socket`
* When **not** using socket activation: `systemctl start registry.service`
#### Rootless
Run as the target user:
* Copy registry.service (and registry.socket if relevant) to ~/.config/systemd/user/
* Run `systemctl --user daemon-reload`
* Enable the service:
* When using socket activation: `systemctl --user enable registry.socket`
* When **not** using socket activation: `systemctl --user enable registry.service`
* Start the service:
* When using socket activation: `systemctl --user start registry.socket`
* When **not** using socket activation: `systemctl --user start registry.service`
**Note**: To have rootless services start on boot, it may be necessary to enable linger
via `loginctl enable-linger $USER`.
Copy permalink