Serverless is an event-driven computing paradigm where applications are allocated dynamically to serve a request or consume events. When the application is not in use, there are no computing resources allocated.
The serverless ecosystem offers a large number of runtimes, which start/stop/monitor software (e.g., Knative, Kubeless and many others). They come with different features, and they can trigger applications based on different kind of events (e.g., HTTP requests, messages, etc.).
Even if systemd cannot be considered a real serverless runtime, the socket activation feature provides a foundation for a serverless architecture.
Socket activation
The concept of systemd socket activation is that the socket is created by systemd, when a connection is received on such socket the application is activated. The application must be prepared to receive an already-initialized socket instead of creating a new one, for this reason not all applications can natively support socket activation.
To overcome this limitation, systemd provides a proxy supporting the socket activation and is capable of forwarding the connection to another socket.
The proxy
Recently (in version 209) systemd introduced a new tool named systemd-socket-proxyd
. This is a handy tool that can be used with applications not supporting socket activation.
systemd-socket-proxyd is a proxy supporting socket activation that can be used to bi-directionally forward traffic from a socket inherited from systemd to another unix or network socket.
From the main page of systemd-socket-proxyd
: One use of this tool is to provide socket activation support for services that do not natively support socket activation. On behalf of the service to activate, the proxy inherits the socket from systemd, accepts each client connection, opens a connection to a configured server for each client, and then bidirectionally forwards data between the two.
Since Podman does not support socket activation natively, systemd-socket-proxyd
can be used as a sort of wrapper to intercept the socket activation and spin up a container.
The idea
Let's use a system with IP address 172.16.18.70
as an example. On this system we want to activate a rootless container running an httpd server exposing the HTTP service on port 8080
.
Basically the flow is:
- systemd creates the TCP socket listening on 172.16.18.70:8080
using a .socket
unit.
- Once the TCP socket is hit by a connection, the corresponding .service
unit is activated. This service unit executes systemd-socket-proxyd
and requires another .service
unit that starts the container.
Why Podman?
Podman plays very well with systemd: here is a great video showing how podman can integrate with systemd to easily manage containerized services.
Podman can run rootless containers, and this post provides an overview of the advantages of rootless containers.
Let's do it
The following procedure has been tested on a Fedora 33 with systemd 246 and podman 2.2.1. The auto scale-down feature requires systemd 246, so it will not work on RHEL 8. However it's still worth understanding for future versions of RHEL.
As a first step we create the web server document root on the host and we put some dummy content:
$ mkdir -p ~/www-data ; echo "Hello World" > ~/www-data/index.html
At this point we can create the httpd
container. Please note that is exposing the port 8080
bound to the 127.0.0.1
address, and this is important to avoid conflicts with the systemd socket listening on the same port but on a different address.
$ podman pull registry.redhat.io/rhel8/httpd-24 $ podman create --name httpd -p 127.0.0.1:8080:8080 \ -v ~/www-data:/var/www/html/:Z registry.redhat.io/rhel8/httpd-24
In order to define a user service we must create the systemd user units directory. From now we will work inside this directory:
$ mkdir -p ~/.config/systemd/user && cd ~/.config/systemd/user
As anticipated, podman can create the systemd unit files to manage the container, let's do it:
$ podman generate systemd -f -n httpd --new
The previous command generated a systemd unit file named container-httpd.service
.
By default this unit file has an [Install]
section that we don't need because the unit file should not be installed but activated only on-demand.
So we should edit the file and completely remove the [Install]
section and all the contained directives.
Now we are ready to create the systemd socket, for that purpose we create an unit file named container-httpd-proxy.socket
:
$ cat << EOF > container-httpd-proxy.socket [Socket] ListenStream=172.16.18.70:8080 [Install] WantedBy=sockets.target EOF
Please note that the socket is listening on 127.16.18.70:8080
. Leaving just the port number without the address will lead to a conflict with the container needing to open the port 8080
.
At this point, we are ready to create the proxy service running systemd-socket-proxyd
:
$ cat << EOF > container-httpd-proxy.service [Unit] Requires=container-httpd.service After=container-httpd.service Requires=container-httpd-proxy.socket After=container-httpd-proxy.socket [Service] ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:8080 EOF
Since this will be the unit activated by the socket, it is important to name this unit the same as the socket.
As you can see, the systemd-socket-proxyd
forwards the connection to 127.0.0.1:8080
where the container is listening.
The other fundamental bit of this file is the Requires=container-httpd.service
which is triggering the podman container when the unit is activated.
Here we are now ready to activate the socket unit, which is the only unit file that must be enabled at the start-up:
$ systemctl --user daemon-reload $ systemctl --user enable --now container-httpd-proxy.socket $ # let's check if the socket is open: $ netstat -ltpn | grep 8080
Test it
After creating the systemd unit files and activating the socket, we should have a TCP socket listening on the 172.16.18.70:8080
address and the container httpd
should not be running.
Now sending an HTTP request to http://172.16.18.70:8080
should trigger the container start:
$ curl http://172.16.18.70:8080 Hello World $ podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c0cbdafc54ae registry.redhat.io/rhel8/httpd-24 /usr/bin/run-http... 9 seconds ago Up 8 seconds ago 127.0.0.1:8080->8080/tcp httpd
Auto scale-down
With that, the container is started at the first request but is never terminated.
To avoid unneeded resource usage the container should be stopped when not in use.
To achieve that, there is a couple of useful features:
- systemd-socket-proxyd --exit-idle-time
: permits to define a timeout to terminate in case of no connections. This command switch has been introduced in version 246.
- adding StopWhenUnneeded=yes
to the container-httpd.service
unit will stop the container when the proxy unit is terminated.
Putting all together
Let’s have a look to all the systemd units:
$ systemctl --user cat --no-pager container-httpd-proxy.socket [Socket] ListenStream=172.16.18.70:8080 [Install] WantedBy=sockets.target
$ systemctl --user cat --no-pager container-httpd-proxy.service [Unit] Requires=container-httpd.service After=container-httpd.service Requires=container-httpd-proxy.socket After=container-httpd-proxy.socket [Service] ExecStart=/usr/lib/systemd/systemd-socket-proxyd --exit-idle-time=30s 127.0.0.1:8080
$ systemctl --user cat --no-pager container-httpd.service [Unit] Description=Podman container-httpd.service Documentation=man:podman-generate-systemd(1) Wants=network.target After=network-online.target StopWhenUnneeded=yes [Service] Environment=PODMAN_SYSTEMD_UNIT=%n Restart=on-failure ExecStartPre=/bin/rm -f %t/container-httpd.pid %t/container-httpd.ctr-id ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-httpd.pid --cidfile %t/container-httpd.ctr-id --cgroups=no-conmon -d --replace --name httpd -p 127.0.0.1:8080:8080 -v ${HOME}/www-data:/var/www/html/:Z registry.redhat.io/rhel8/httpd-24 ExecStartPost=/bin/sleep 1 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-httpd.ctr-id -t 10 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-httpd.ctr-id PIDFile=%t/container-httpd.pid KillMode=none Type=forking
$ systemctl --user list-unit-files | grep container-httpd container-httpd-proxy.service static - container-httpd.service static - container-httpd-proxy.socket enabled disabled
Systemd opened the socket 172.16.18.70:8080
:
$ netstat -ltpn | grep 8080 tcp 0 0 172.16.18.70:8080 0.0.0.0:* LISTEN 12298/systemd
The `httpd
` container is not running:
$ podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Let’s send an HTTP request:
$ curl http://172.16.18.70:8080 Hello World
The request has been answered and the httpd
container is started:
$ podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 8487372aaadd registry.redhat.io/rhel8/httpd-24 /usr/bin/run-http... 7 seconds ago Up 6 seconds ago 127.0.0.1:8080->8080/tcp httpd
Let’s wait 30 seconds and check if the container is stopped:
$ sleep 30 && podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
As we can see the container is not running anymore. Sending another request will trigger a new start of the container:
$ curl http://172.16.18.70:8080 Hello World $ podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ebede0c85103 registry.redhat.io/rhel8/httpd-24 /usr/bin/run-http... 4 seconds ago Up 3 seconds ago 127.0.0.1:8080->8080/tcp httpd
Conclusion
Systemd and Podman can work very well together and thanks to the socket activation when a container is not serving any request can be stopped without keeping resources allocated.
Sull'autore
Pietro Bertera is a Senior Technical Account Manager working with Red Hat OpenShift. He is based in Italy.
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Supporto clienti
- Risorse per sviluppatori
- Trova un partner
- Red Hat Ecosystem Catalog
- Calcola il valore delle soluzioni Red Hat
- Documentazione
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit