
mariadb-podman-socket-activation

Status: proof of concept experiment

A demo of a templated systemd user service that runs rootless Podman and starts MariaDB with systemd socket activation.

Introduction

Characteristics of using socket activation of containers with Podman

  • The podman run option --publish is not used.
  • Communication over the established TCP connection runs at native speed (rootless Podman normally routes traffic through slirp4netns, which comes with a performance penalty). See the Podman socket activation tutorial.
  • The podman run option --network=none can be used to restrict internet access for the container; a socket-activated TCP socket can still be used by the mariadb container. See the Podman socket activation tutorial and the blog post How to limit container privilege with socket activation.
  • The systemd directive RestrictAddressFamilies can be used to restrict general internet access for Podman (and its helper programs such as conmon and the OCI runtime). See the blog post How to restrict network access in Podman with systemd.
  • The source IP address is preserved when using socket activation; in some network configurations with rootless Podman that is otherwise not the case. See the Podman GitHub discussion.
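The two last points follow from how socket activation hands over a descriptor: systemd creates and binds the listening socket, and the activated process (Podman, then the container) only inherits it. The following added example (not part of this repository) re-implements the sd_listen_fds(3) checks in Python and plays both roles in one process to show that the accepted connection carries the real client address; the environment values and the "ping" payload are constructed.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd always passes the first socket as fd 3


def listen_fds(environ, pid):
    """Return the listening fds handed over by systemd (sd_listen_fds(3)).

    LISTEN_PID must equal the caller's own pid: a stale LISTEN_* environment
    inherited by an unrelated child must not make it treat arbitrary fds as
    sockets. Malformed or missing values mean "not socket-activated".
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + max(count, 0)))


def accept_on_inherited(fd, timeout=5.0):
    """Wrap a listening fd created elsewhere and accept one connection.

    The activated side never calls bind() or listen(); it only inherits the
    descriptor. That is why podman run --network=none does not block the
    connection and why getpeername() shows the real client address.
    """
    srv = socket.socket(fileno=fd)  # family/type are read from the fd itself
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    with conn, srv:
        return peer, conn.recv(64)


def demo():
    """systemd role: create the socket; client role: connect; container role:
    accept on an inherited copy of the descriptor."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    client = socket.create_connection(("127.0.0.1", lsock.getsockname()[1]))
    client.sendall(b"ping")
    client_port = client.getsockname()[1]
    # Constructed environment, as systemd would set it for the spawned pid.
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}
    fds = listen_fds(env, os.getpid())  # -> [3] under a real systemd launch
    # Use a duplicate instead of taking over fd 3 of this interpreter.
    peer, data = accept_on_inherited(os.dup(lsock.fileno()) if fds else -1)
    client.close()
    lsock.close()
    return peer[0], peer[1] == client_port, data
```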

Requirements

  • podman 3.4.4 (or newer)
  • mariadb client (TODO: try to use a container instead)

Installation

Clone this repo

git clone URL
cd mariadb-podman-socket-activation

Create the systemd user configuration directory if it is not already present

mkdir -p ~/.config/systemd/user

Copy the systemd unit files to ~/.config/systemd/user

cp -r mariadb*@* ~/.config/systemd/user

Run

systemctl --user daemon-reload

Usage

Create a UNIX socket that activates a MariaDB instance

Create a UNIX socket from which the new MariaDB instance foobar will be started via socket activation:

systemctl --user start [email protected]

Note that there is no need to run systemctl --user start [email protected] because of the configured socket activation.

Connect to the new MariaDB instance foobar (type my as password to log in):

$ mariadb --socket ~/mariadb-socket.foobar -p -u example-user
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \q
Bye
$ 

The MariaDB instance used the bind-mounted directory ~/mariadb-data-unix.foobar/ to store its data:

$ ls -l ~/mariadb-data-unix.foobar/
total 123316
-rw-rw----. 1 esjolund esjolund    417792 Feb  8 18:04 aria_log.00000001
-rw-rw----. 1 esjolund esjolund        52 Feb  8 18:04 aria_log_control
-rw-rw----. 1 esjolund esjolund         9 Feb  8 18:04 ddl_recovery.log
-rw-rw----. 1 esjolund esjolund       946 Feb  8 18:04 ib_buffer_pool
-rw-rw----. 1 esjolund esjolund  12582912 Feb  8 18:04 ibdata1
-rw-rw----. 1 esjolund esjolund 100663296 Feb  8 18:07 ib_logfile0
-rw-rw----. 1 esjolund esjolund  12582912 Feb  8 18:04 ibtmp1
-rw-rw----. 1 esjolund esjolund         0 Feb  8 18:04 multi-master.info
drwx------. 2 esjolund esjolund      4096 Feb  8 18:04 mysql
drwx------. 2 esjolund esjolund        20 Feb  8 18:04 performance_schema
drwx------. 2 esjolund esjolund      8192 Feb  8 18:04 sys
$ 

Create a TCP socket that activates a MariaDB instance

Create a TCP socket from which the new MariaDB instance demo will be started via socket activation:

systemctl --user start [email protected]

The port number 8090 was specified in ~/.config/systemd/user/[email protected]/override.conf.

Note that there is no need to run systemctl --user start [email protected] because of the configured socket activation.

Connect to the new MariaDB instance demo (type my as password to log in):

$ mariadb -h 127.0.0.1 --port 8090 -p -u example-user
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \q
Bye
$ 

The MariaDB instance used the bind-mounted directory ~/mariadb-data-tcp.demo/ to store its data:

$ ls -l ~/mariadb-data-tcp.demo/
total 123316
-rw-rw----. 1 esjolund esjolund    417792 Feb  8 21:13 aria_log.00000001
-rw-rw----. 1 esjolund esjolund        52 Feb  8 21:13 aria_log_control
-rw-rw----. 1 esjolund esjolund         9 Feb  8 21:13 ddl_recovery.log
-rw-rw----. 1 esjolund esjolund       946 Feb  8 21:13 ib_buffer_pool
-rw-rw----. 1 esjolund esjolund  12582912 Feb  8 21:13 ibdata1
-rw-rw----. 1 esjolund esjolund 100663296 Feb  8 21:17 ib_logfile0
-rw-rw----. 1 esjolund esjolund  12582912 Feb  8 21:13 ibtmp1
-rw-rw----. 1 esjolund esjolund         0 Feb  8 21:13 multi-master.info
drwx------. 2 esjolund esjolund      4096 Feb  8 21:13 mysql
drwx------. 2 esjolund esjolund        20 Feb  8 21:13 performance_schema
drwx------. 2 esjolund esjolund      8192 Feb  8 21:13 sys
$ 
