Richard Bucker

Clear Linux Systemd Nspawn Containers of Self

Posted at — May 17, 2020

ClearLinux (server) boots in about 1-2 seconds… and I can ssh into my instance in just a few seconds. The Intel team deploys about 9 new releases a week and they try to patch all CVEs within 24 hours of being reported. ClearLinux takes the approach that when things go wrong, if you merely delete the contents of the /var and the /etc folders you’ll have the equivalent of a fresh install. A pretty novel idea. The same can be said for the package manager and how they implement package updates. (go watch a video)

Mission

I want to be able to boot ClearLinux as a container/VM in ClearLinux with as much security and best practices as possible.

First Steps

I’m not going to explain all of these steps as I think they are pretty simple.

At this point if something goes horribly wrong then reboot the machine. I’ve experienced a few lockups that were resolved with a reboot. Once you are happy that everything is safe… you will need to enable the systemd modules. This way they will restart after a reboot.

Note: the network configuration for both the host and the container is here on both systems: /usr/lib/systemd/systemd-networkd

Boot

This doc on enabling a container on boot should help some, as it relates to systemd-nspawn, but I have not folded that in yet.

Where are the images

Originally I thought nspawn would have used a folder and splayed out the contents of the image file… but then it all came rushing back that even tools like qemu use image files that are essentially recursively mounted. MEH, that’s ok. I still have not determined how my application install is going to work, but I’m close.

One thing to consider is that I can bind mount a host path to the container. I’m not quite sure if this is a good idea or if packaging a bundle and executing a shell command is better.

Things to learn

Well, at this point my container can talk to the host and vice-versa. But that’s as far as it goes. There are two networking models
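As an added illustration (not from the original post) of the bind-mount and networking choices above, here is a hypothetical per-container settings file that systemd-nspawn reads from /etc/systemd/nspawn/<name>.nspawn; the container name "clr" and the host path /srv/app-data are assumptions, and the commented-out lines show the weaker setting next to the tighter one.

```ini
# /etc/systemd/nspawn/clr.nspawn  (hypothetical; applies to systemd-nspawn@clr.service)

[Exec]
# Map the container's UIDs/GIDs onto an unused unprivileged range on the host,
# so root inside the container is not root on the host.
PrivateUsers=pick

[Files]
# Weaker: a read-write bind lets the container modify files on the host.
# Bind=/srv/app-data:/srv/app-data
# Tighter: expose the host path read-only unless the container must write to it.
BindReadOnly=/srv/app-data:/srv/app-data
# Optional: keep the container's own root filesystem read-only.
# ReadOnly=yes

[Network]
# Weaker (the default when no network keys are set): the container shares the
# host's network namespace and can see and bind to host interfaces.
# Tighter: give the container its own namespace and a veth pair; the host side
# is configured by systemd-networkd's shipped 80-container-ve.network.
Private=yes
VirtualEthernet=yes
```

With user namespaces enabled, files on a bind-mounted host path will appear as owned by nobody inside the container unless their ownership is mapped, so check file access from inside the container before relying on the mount.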

Other ideas

I need to do some reading on upstream packaging, mixins and bundles. Somewhere in here I want to be able to package my dependencies and my projects in a way that conforms to the ClearLinux architecture.

More to come.