patterndockerMinor
Is there any concrete and acceptable solution for running systemd inside the docker container?
Viewed 0 times
systemdthesolutioncontainerdockerconcreteanyrunningforand
Problem
I have seen many workarounds for this to run systemd inside docker containers but looks like most of them compromise the security of the container and the host. How are most people here dealing with running systemd specific stuff inside the container.
Solution
You didn't mention what distribution you're using inside your container (which would have implications w/r/t which version of systemd you're using), but the following will successfully boot a CentOS container running systemd:
This is with Docker 17.05.0-ce; older versions may require additional flags. Using a stock
And:
Note that I'm using
but looks like most of them compromise the security of the container and the host
Well, running systemd does require privileges beyond those granted to a typical Docker container (hence the
docker run -it --rm \
-e container=docker \
--tmpfs /run \
--tmpfs /tmp \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--cap-add SYS_ADMIN \
centos /sbin/initThis is with Docker 17.05.0-ce; older versions may require additional flags. Using a stock
centos:7 image, your initial environment inside the container looks like this:# systemctl status
State: running
Jobs: 0 queued
Failed: 0 units
Since: Mon 2017-12-04 17:47:15 UTC; 45s ago
[...]And:
# ps -fe
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 17:47 ? 00:00:00 /sbin/init
root 16 1 0 17:47 ? 00:00:00 /usr/lib/systemd/systemd-journald
dbus 26 1 0 17:47 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 28 1 0 17:47 ? 00:00:00 /usr/lib/systemd/systemd-logind
root 30 1 0 17:47 console 00:00:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root 32 0 0 17:47 ? 00:00:00 bash
root 58 32 0 17:48 ? 00:00:00 ps -feNote that I'm using
--rm here not because it's necessary but because I'm terrible at cleaning things up after the fact. It's not necessary to get the container to run.but looks like most of them compromise the security of the container and the host
Well, running systemd does require privileges beyond those granted to a typical Docker container (hence the
--cap-add). Whether this has security implications for your environment or not depends on what you're doing.Code Snippets
docker run -it --rm \
-e container=docker \
--tmpfs /run \
--tmpfs /tmp \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--cap-add SYS_ADMIN \
centos /sbin/init# systemctl status
State: running
Jobs: 0 queued
Failed: 0 units
Since: Mon 2017-12-04 17:47:15 UTC; 45s ago
[...]# ps -fe
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 17:47 ? 00:00:00 /sbin/init
root 16 1 0 17:47 ? 00:00:00 /usr/lib/systemd/systemd-journald
dbus 26 1 0 17:47 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 28 1 0 17:47 ? 00:00:00 /usr/lib/systemd/systemd-logind
root 30 1 0 17:47 console 00:00:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root 32 0 0 17:47 ? 00:00:00 bash
root 58 32 0 17:48 ? 00:00:00 ps -feContext
StackExchange DevOps Q#1635, answer score: 6
Revisions (0)
No revisions yet.