Isolating the JetStream server process (Linux only)

In addition to sandboxing, the JetStream server process can be completely isolated from the host operating system. To run the JetStream server this way, you have two options:

  • the classic chroot(2) environment
  • a lightweight namespace container

This guide covers integration and control of JetStream running in a chroot or a lightweight container; setting up each container system is out of scope. To create the chroot and container environments, refer to your OS documentation or the guides below:

Note

You should not modify the JetStream Systemd unit files directly, as future updates may replace them.

When you customize the unit files, use systemctl edit jetstream-server. It opens an editor with an override file, where you can override or add any parameters necessary. This override persists across JetStream server updates.

To see the whole unit file as processed by the system, execute systemctl cat jetstream-server.

Start JetStream in a chroot environment

With this method, you need to install JetStream in the chroot, but all JetStream configuration (in /etc/) is done on the host system. To use triggers, you also need to install all their dependencies in the chroot environment.

  1. Create a chroot environment. For this example, we’ll assume it was created in /srv/chroot/jetstream-server.

  2. Update the systemd unit file with the configuration below (see note at the top of this document: use systemctl edit jetstream-server).

    [Service]
    RootDirectory=/srv/chroot/jetstream-server

  3. Reload the systemd manager configuration: systemctl daemon-reload

  4. Restart the JetStream server in the chroot: systemctl restart jetstream-server. JetStream should now be running from the chroot environment in /srv/chroot/jetstream-server.

Start JetStream in a lightweight container

There are two ways of doing this: booting the lightweight container, or running JetStream server as a standalone process in the container. The configuration differences are outlined in step 2 below.

Please note that JetStream needs to be fully installed in the lightweight container. The host system also requires the systemd unit files, which you can either copy from the container (/lib/systemd/system/jetstream-server.service) or obtain by installing JetStream server on the host system as well.

  1. Create a lightweight container. For this example, we’ll assume it was created in /var/lib/machines/jetstream-server.

  2. Update the systemd unit file with the configuration below (see note at the top of this document: use systemctl edit jetstream-server). This example assumes you want to map the /home directory into the container.

    For booting a lightweight container, use the following systemd override:

    [Service]
    ExecStart=
    ExecStart=/usr/bin/systemd-nspawn -jbD /var/lib/machines/jetstream-server --bind=/home:/home --machine=jetstream-server
    KillMode=process

    For running JetStream as a standalone process in a container, use the following systemd override:

    [Service]
    ExecStart=
    ExecStart=/usr/bin/systemd-nspawn -jD /var/lib/machines/jetstream-server --bind=/home:/home --machine=jetstream-server /usr/bin/stdbuf -oL -eL /usr/local/bin/jetstream server @/etc/jetstream-server.rsp
    KillMode=process

  3. Reload the systemd manager configuration: systemctl daemon-reload

  4. Restart the JetStream server: systemctl restart jetstream-server. JetStream should now be running from the container in /var/lib/machines/jetstream-server.
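A non-interactive way to produce the same drop-in that systemctl edit jetstream-server saves, with a pre-flight check of the isolation root for the chroot procedure and both container modes above. This is an added example, not part of this guide or the JetStream project; the paths are the ones the guide assumes, and the mode names chroot, boot and exec are the example's own.

```shell
#!/bin/sh
# Added example (not JetStream's own tooling). Renders the systemd drop-in that
# `systemctl edit jetstream-server` would save and pre-flights the isolation root.
# MODE is chroot | boot | exec (names chosen here); paths follow this guide.

# render_override MODE ROOT -> prints the override text for MODE on stdout.
render_override() {
  mode=$1; root=$2
  echo "[Service]"
  case $mode in
    chroot)
      echo "RootDirectory=$root" ;;
    boot|exec)
      echo "ExecStart="   # an empty ExecStart= clears the packaged command first
      if [ "$mode" = boot ]; then
        echo "ExecStart=/usr/bin/systemd-nspawn -jbD $root --bind=/home:/home --machine=jetstream-server"
      else
        echo "ExecStart=/usr/bin/systemd-nspawn -jD $root --bind=/home:/home --machine=jetstream-server /usr/bin/stdbuf -oL -eL /usr/local/bin/jetstream server @/etc/jetstream-server.rsp"
      fi
      echo "KillMode=process" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# preflight MODE ROOT -> 0 if ROOT contains what MODE needs, 1 otherwise (reasons on stderr).
preflight() {
  mode=$1; root=$2; rc=0
  [ -d "$root" ] || { echo "isolation root missing: $root" >&2; return 1; }
  # The binary must live inside the root: the host copy is invisible after chroot/nspawn.
  [ -x "$root/usr/local/bin/jetstream" ] || { echo "no jetstream binary under $root" >&2; rc=1; }
  case $mode in
    boot) # a booted container starts the service from its own unit file
      [ -f "$root/lib/systemd/system/jetstream-server.service" ] \
        || { echo "no jetstream-server.service in container" >&2; rc=1; } ;;
    exec) # the @/etc/... response file is resolved inside the container
      [ -r "$root/etc/jetstream-server.rsp" ] \
        || { echo "no /etc/jetstream-server.rsp in container" >&2; rc=1; } ;;
  esac
  return $rc
}

# install_override MODE ROOT DROPIN_DIR -> writes override.conf only if preflight passes.
# DROPIN_DIR is normally /etc/systemd/system/jetstream-server.service.d; run
# `systemctl daemon-reload` afterwards, as in the steps above.
install_override() {
  preflight "$1" "$2" || return 1
  mkdir -p "$3" && render_override "$1" "$2" > "$3/override.conf"
}
```

Running install_override against a root that lacks the JetStream binary, the unit file, or the response file fails before anything is written, which catches the path mismatch that makes the service start on the host instead of inside the chroot.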