Status: proof of concept experiment
A demo of a templated systemd user service that runs rootless Podman and starts MariaDB with systemd socket activation.
Characteristics of using socket activation of containers with Podman
- The
podman run
option --publish is not used - The communication over the established TCP connection will run at native speed. (Rootless Podman normally uses slirp4netns which comes with a performance penalty). See the Podman socket activation tutorial.
- Possibility to use the
podman run
option --network=none to restrict internet access for the container. (A socket-activated TCP socket can still be used by the mariadb container). See the Podman socket activation tutorial and the blog post How to limit container privilege with socket activation - Possibility to use the systemd directive
RestrictAddressFamilies
to restrict general internet access for Podman (and its helper programs like conmon and the OCI runtime). See the blog post How to restrict network access in Podman with systemd. - The source IP address is preserved when using socket activation. In some network configurations when using rootless Podman that is not the case. See Podman GitHub discussion.
- podman 3.4.4 (or newer)
- mariadb client (TODO: try to use a container instead)
Clone this repo
git clone URL
cd mariadb-podman-socket-activation
Create the systemd user configuration directory if it is not already present
mkdir -p ~/.config/systemd/user
Copy the systemd unit files to ~/.config/systemd/user
cp -r mariadb*@* ~/.config/systemd/user
Run
systemctl --user daemon-reload
Create a UNIX socket from which the new MariaDB instance foobar will be started via socket activation:
systemctl --user start mariadb-unix@foobar.socket
Note that there is no need to run systemctl --user start mariadb-unix@foobar.service
because of the configured socket activation.
Connect to the new MariaDB instance foobar
(type my
as password to log in):
$ mariadb --socket ~/mariadb-socket.foobar -p -u example-user
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \q
Bye
$
The MariaDB instance used the bind-mounted directory ~/mariadb-data-unix.foobar/ to store its data:
$ ls -l ~/mariadb-data-unix.foobar/
total 123316
-rw-rw----. 1 esjolund esjolund 417792 Feb 8 18:04 aria_log.00000001
-rw-rw----. 1 esjolund esjolund 52 Feb 8 18:04 aria_log_control
-rw-rw----. 1 esjolund esjolund 9 Feb 8 18:04 ddl_recovery.log
-rw-rw----. 1 esjolund esjolund 946 Feb 8 18:04 ib_buffer_pool
-rw-rw----. 1 esjolund esjolund 12582912 Feb 8 18:04 ibdata1
-rw-rw----. 1 esjolund esjolund 100663296 Feb 8 18:07 ib_logfile0
-rw-rw----. 1 esjolund esjolund 12582912 Feb 8 18:04 ibtmp1
-rw-rw----. 1 esjolund esjolund 0 Feb 8 18:04 multi-master.info
drwx------. 2 esjolund esjolund 4096 Feb 8 18:04 mysql
drwx------. 2 esjolund esjolund 20 Feb 8 18:04 performance_schema
drwx------. 2 esjolund esjolund 8192 Feb 8 18:04 sys
$
Create a TCP socket from which the new MariaDB instance demo will be started via socket activation:
systemctl --user start mariadb-tcp@demo.socket
The port number 8090 was specified in ~/.config/systemd/user/mariadb-tcp@demo.socket.d/override.conf
Note that there is no need to run systemctl --user start mariadb-tcp@foobar.service
because of the configured socket activation.
Connect to the new MariaDB instance demo
(type my
as password to log in):
$ mariadb -h 127.0.0.1 --port 8090 -p -u example-user
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \q
Bye
$
The MariaDB instance used the bind-mounted directory ~/mariadb-data-tcp.demo/ to store its data:
$ ls -l ~/mariadb-data-tcp.demo/
total 123316
-rw-rw----. 1 esjolund esjolund 417792 Feb 8 21:13 aria_log.00000001
-rw-rw----. 1 esjolund esjolund 52 Feb 8 21:13 aria_log_control
-rw-rw----. 1 esjolund esjolund 9 Feb 8 21:13 ddl_recovery.log
-rw-rw----. 1 esjolund esjolund 946 Feb 8 21:13 ib_buffer_pool
-rw-rw----. 1 esjolund esjolund 12582912 Feb 8 21:13 ibdata1
-rw-rw----. 1 esjolund esjolund 100663296 Feb 8 21:17 ib_logfile0
-rw-rw----. 1 esjolund esjolund 12582912 Feb 8 21:13 ibtmp1
-rw-rw----. 1 esjolund esjolund 0 Feb 8 21:13 multi-master.info
drwx------. 2 esjolund esjolund 4096 Feb 8 21:13 mysql
drwx------. 2 esjolund esjolund 20 Feb 8 21:13 performance_schema
drwx------. 2 esjolund esjolund 8192 Feb 8 21:13 sys
$