rkt: investigate container socket activation about rkt HOT 2 CLOSED

systemd-nspawn recognizes the LISTEN_FDS environment variable and propagates it down to the container intact.

The interesting part is what systemd does with the inherited file descriptors in stage1 post-nspawn, LISTEN_FDS is not utilized. At an early stage systemd will try match all open files found in /proc/self/fd to available unit files. If any of the fds match socket units then those socket units will utilize the inherited fds rather than attempting to bind again. Emphasis is placed on early because in our minimal rocket rootfs where we only have a default.target, the appropriate place to integrate sockets.target is not obvious. Adding Requires/After sockets.target to default.target in ineffective.

This is because there are a limited set of units integrated at the pre-distribute-open-fds phase of startup:
-.mount
local-fs.target
proc-sys-kernel-random-boot_id.mount
umount.target
system.slice
-.slice
shutdown.target
systemd-journald.socket
local-fs-pre.target

Note default.target, basic.target, and sysinit.target are not included as one might expect. It is in the transition out of this phase that default.target becomes loaded, but that is after the open fd distribution has occurred.

In order to get socket activation working with the current minimal rocket rootfs one can add a local-fs.target like so:
[Unit]
Description=Hook into early systemd for socket activation
DefaultDependencies=false
Requires=sockets.target

Then add a sockets.target and simply link the appropriate .socket files into the sockets.target.wants directory.

from rkt.

As of v0.8, this is now possible and documented: #1211

from rkt.