HiveBrain v1.2.0
Get Started
← Back to all entries
patterndockerMinor

Is there any concrete and acceptable solution for running systemd inside the docker container?

Submitted by: @import:stackexchange-devops··
0
Viewed 0 times
systemdthesolutioncontainerdockerconcreteanyrunningforand

Problem

I have seen many workarounds for this to run systemd inside docker containers but looks like most of them compromise the security of the container and the host. How are most people here dealing with running systemd specific stuff inside the container.

Solution

You didn't mention what distribution you're using inside your container (which would have implications w/r/t which version of systemd you're using), but the following will successfully boot a CentOS container running systemd:

docker run -it --rm \
  -e container=docker \
  --tmpfs /run \
  --tmpfs /tmp \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --cap-add SYS_ADMIN \
  centos /sbin/init


This is with Docker 17.05.0-ce; older versions may require additional flags. Using a stock centos:7 image, your initial environment inside the container looks like this:

# systemctl status
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Mon 2017-12-04 17:47:15 UTC; 45s ago
[...]


And:

# ps -fe
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 17:47 ?        00:00:00 /sbin/init
root        16     1  0 17:47 ?        00:00:00 /usr/lib/systemd/systemd-journald
dbus        26     1  0 17:47 ?        00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root        28     1  0 17:47 ?        00:00:00 /usr/lib/systemd/systemd-logind
root        30     1  0 17:47 console  00:00:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root        32     0  0 17:47 ?        00:00:00 bash
root        58    32  0 17:48 ?        00:00:00 ps -fe


Note that I'm using --rm here not because it's necessary but because I'm terrible at cleaning things up after the fact. It's not necessary to get the container to run.


but looks like most of them compromise the security of the container and the host

Well, running systemd does require privileges beyond those granted to a typical Docker container (hence the --cap-add). Whether this has security implications for your environment or not depends on what you're doing.

Code Snippets

docker run -it --rm \
  -e container=docker \
  --tmpfs /run \
  --tmpfs /tmp \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --cap-add SYS_ADMIN \
  centos /sbin/init
# systemctl status
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Mon 2017-12-04 17:47:15 UTC; 45s ago
[...]
# ps -fe
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 17:47 ?        00:00:00 /sbin/init
root        16     1  0 17:47 ?        00:00:00 /usr/lib/systemd/systemd-journald
dbus        26     1  0 17:47 ?        00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root        28     1  0 17:47 ?        00:00:00 /usr/lib/systemd/systemd-logind
root        30     1  0 17:47 console  00:00:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root        32     0  0 17:47 ?        00:00:00 bash
root        58    32  0 17:48 ?        00:00:00 ps -fe

Context

StackExchange DevOps Q#1635, answer score: 6

Revisions (0)

No revisions yet.