Isolating the JetStream server process (Linux only)
In addition to sandboxing, the JetStream server process can be completely isolated from the host operating system. To run the JetStream server this way, you have two options:
- the classic chroot(2) environment
- a lightweight namespace container
This guide covers integration and control of JetStream running in a chroot or a lightweight container; setting up each container system itself is out of scope. To create the chroot and container environments, refer to your OS documentation or to the guides below:
- CentOS 7: yum -y --releasever=7 --nogpg --installroot=/srv/chroot/jetstream-server install systemd passwd yum fedora-release vim-minimal. Follow the first three steps of https://drewstud.com/centos/systemd/nspawn/systemd-nspawn/centos7/containers/2015/04/18/systemd-nspawn-centos-7.html or see the yum man page http://www.unix.com/man-page/centos/8/yum/.
- Ubuntu 18.04: sudo debootstrap --arch=amd64 sid /srv/chroot/jetstream-server http://ftp.debian.org/debian/. Refer to https://help.ubuntu.com/community/DebootstrapChroot.
Note
Do not modify the JetStream systemd unit files directly, as future updates may replace them.
To customize the unit files, run systemctl edit jetstream-server. It opens an editor on an override (drop-in) file in which you can override or add any parameters necessary. This override persists across JetStream server updates.
To see the whole unit file as processed by the system, run systemctl cat jetstream-server.
Start JetStream in a chroot environment
Using this method, you need to install JetStream in the chroot, but all the JetStream configuration (in /etc/) is done on the host system. To use triggers, you also need to install all their dependencies in the chroot environment.
1. Create a chroot environment. For this example, we'll assume it was created in /srv/chroot/jetstream-server.
2. Update the systemd unit file with the configuration below (see the note at the top of this document: use systemctl edit jetstream-server).

    [Service]
    # chroot(2) the service into the directory created in step 1
    RootDirectory=/srv/chroot/jetstream-server

3. Reload the systemd unit files: systemctl daemon-reload
4. Restart the JetStream server: systemctl restart jetstream-server. JetStream should now be running from the chroot environment in /srv/chroot/jetstream-server.
Start JetStream in a lightweight container
There are two ways of doing this: booting the lightweight container, or running the JetStream server as a standalone process in the container. The configuration differences are outlined in step 2 below.
Note that JetStream needs to be fully installed in the lightweight container. Additionally, the host system requires the systemd unit files, which you can either copy from the container (/lib/systemd/system/jetstream-server.service) or obtain by installing JetStream server on the host system as well.
1. Create a lightweight container. For this example, we'll assume it was created in /var/lib/machines/jetstream-server.
2. Update the systemd unit file with the configuration below (see the note at the top of this document: use systemctl edit jetstream-server). This example assumes you want to map the /home directory into the container.
   To boot the lightweight container, use the following systemd override:

    [Service]
    # An empty ExecStart= clears the packaged command before the new one is set
    ExecStart=
    # -j links the journal, -b boots the container's init (so the jetstream-server
    # unit must be enabled inside the container), -D selects the container root
    ExecStart=/usr/bin/systemd-nspawn -jbD /var/lib/machines/jetstream-server --bind=/home:/home --machine=jetstream-server
    KillMode=process

   To run JetStream as a standalone process in the container, use the following systemd override:

    [Service]
    ExecStart=
    # Without -b, systemd-nspawn runs the given command as the container's only process;
    # the command and its response file are resolved inside the container root
    ExecStart=/usr/bin/systemd-nspawn -jD /var/lib/machines/jetstream-server --bind=/home:/home --machine=jetstream-server /usr/bin/stdbuf -oL -eL /usr/local/bin/jetstream server @/etc/jetstream-server.rsp
    KillMode=process

3. Reload the systemd unit files: systemctl daemon-reload
4. Restart the JetStream server: systemctl restart jetstream-server. JetStream should now be running from the container in /var/lib/machines/jetstream-server.
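Once one of the overrides from the chroot or container procedures above is applied, the following script, added here as an example and not part of the JetStream documentation, checks from the host that the service's process is actually confined: by root directory for the chroot method, by mount namespace for the systemd-nspawn methods. It assumes the service name and paths used in this guide, and that machinectl is available when the container is booted.

```shell
#!/bin/sh
# Added example, not part of the JetStream documentation: verify from the host
# that the jetstream-server process is confined after applying an override.
# Assumes the service name and root paths used in this guide.

# proc_root PID: the root directory the process sees, as resolved on the host.
proc_root() {
    readlink "/proc/$1/root"
}

# root_matches PID EXPECTED: succeeds if the process root equals EXPECTED
# (this is what RootDirectory= in the chroot override should produce).
root_matches() {
    [ "$(proc_root "$1")" = "$2" ]
}

# separate_mount_ns PID: succeeds if PID does not share the host init's mount
# namespace (true for a systemd-nspawn container, false for a plain chroot).
separate_mount_ns() {
    [ "$(readlink "/proc/$1/ns/mnt")" != "$(readlink /proc/1/ns/mnt)" ]
}

# main_pid SERVICE: the PID to inspect. For a booted container the unit's
# MainPID is systemd-nspawn itself, so prefer the machine leader when present.
main_pid() {
    pid=$(machinectl show -p Leader --value "$1" 2>/dev/null)
    [ -n "$pid" ] && [ "$pid" != 0 ] || pid=$(systemctl show -p MainPID --value "$1")
    echo "$pid"
}

# check_isolation SERVICE EXPECTED_ROOT: 0 if confined, 1 if it runs on the
# host root, 2 if the service is not running.
check_isolation() {
    pid=$(main_pid "$1")
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$1: not running" >&2
        return 2
    fi
    if root_matches "$pid" "$2"; then
        echo "$1 (pid $pid): chrooted to $2"
    elif separate_mount_ns "$pid"; then
        echo "$1 (pid $pid): in its own mount namespace"
    else
        echo "$1 (pid $pid): NOT isolated, root is $(proc_root "$pid")" >&2
        return 1
    fi
}

# Usage: check_isolation jetstream-server /srv/chroot/jetstream-server
```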