podman: podman does not detect systemd entrypoints when prefixed with /bin/sh

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

/kind feature

Description

Podman automatically detects whether a container is launching systemd as its CMD or ENTRYPOINT. Unfortunately this logic only works when systemd is added as CMD ["/usr/lib/systemd/systemd"]. If you add it via CMD /usr/lib/systemd/systemd, then podman will fail to launch it without the --systemd=always flag.

Steps to reproduce the issue:

  1. Create the following Dockerfile:

FROM registry.fedoraproject.org/fedora:latest
RUN dnf -y install systemd
CMD ["/usr/lib/systemd/systemd"]

  2. Build it via buildah bud --layers . and launch the container via podman run --rm -it $HASH, which should work.

  3. Change the Dockerfile to:

FROM registry.fedoraproject.org/fedora:latest
RUN dnf -y install systemd
CMD /usr/lib/systemd/systemd

  4. Rebuild via buildah bud --layers . and launch the container via podman run --rm -it $HASH, which will fail with:

$ podman run --rm -it $HASH
Failed to mount tmpfs at /run: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

but if you add the --systemd=always flag, then the container works.

The issue here is that the 2nd Dockerfile results in the following command, which can be found via `podman inspect`:

        "Config": {
            "Cmd": [
                "/bin/sh",
                "-c",
                "/usr/lib/systemd/systemd"
            ]
         }

whereas the first one results in:

        "Config": {
            "Cmd": [
                "/usr/lib/systemd/systemd"
            ]
         }

But podman only recognizes the latter as a systemd container.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 4.0.0-dev

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.24.2
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpus: 12
  distribution:
    distribution: fedora
    version: "35"
  eventLogger: journald
  hostname: Boreas
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
    - container_id: 65537
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
    - container_id: 65537
      host_id: 100000
      size: 65536
  kernel: 5.16.9-200.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2967023616
  memTotal: 33319424000
  networkBackend: cni
  ociRuntime:
    name: crun
    package: crun-1.4.2-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.2
      commit: f6fbc8f840df1a414f31a60953ae514fa497c748
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8566222848
  swapTotal: 8589930496
  uptime: 65h 9m 48.74s (Approximately 2.71 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/dan/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.7.1-2.fc35.x86_64
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /home/dan/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1283
  runRoot: /run/user/1000/containers
  volumePath: /home/dan/.local/share/containers/storage/volumes
version:
  APIVersion: 4.0.0-dev
  Built: 1645632321
  BuiltTime: Wed Feb 23 17:05:21 2022
  GitCommit: d3699bbce63f283a609053d4aca23e4abe7dae4d
  GoVersion: go1.18beta1
  OsArch: linux/amd64
  Version: 4.0.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

build from main and podman-3.4.4-1.fc35.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes
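The two Cmd arrays quoted in the report differ only in the shell wrapper that the builder adds for the shell-form CMD. Because systemd mode is what makes podman pre-mount tmpfs on /run (among other paths) for a rootless container, a detector that compares only argv[0] against the systemd binary misses the wrapped form, and systemd itself then fails at "Failed to mount tmpfs at /run". The following Go program is an added illustration, not podman's own detection code: DetectExecForm reproduces the exec-form-only behaviour the report describes, and DetectWithShellUnwrap shows a heuristic that first strips a "/bin/sh -c" wrapper (and a leading "exec"). The init-path list and both function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Well-known init paths treated as systemd. Constructed for this example;
// podman keeps its own list, which may differ.
var systemdInitPaths = map[string]bool{
	"/sbin/init":           true,
	"/usr/sbin/init":       true,
	"/usr/local/sbin/init": true,
}

// argv0IsSystemd is the core check shared by both detectors: either an
// exact init path or any binary whose basename is "systemd".
func argv0IsSystemd(argv []string) bool {
	if len(argv) == 0 {
		return false
	}
	return systemdInitPaths[argv[0]] || filepath.Base(argv[0]) == "systemd"
}

// DetectExecForm only looks at argv[0] of the image config's Cmd/Entrypoint.
// This reproduces the behaviour reported in the issue: the exec form
// ["/usr/lib/systemd/systemd"] is detected, the shell form
// ["/bin/sh", "-c", "/usr/lib/systemd/systemd"] is not.
func DetectExecForm(cmd []string) bool {
	return argv0IsSystemd(cmd)
}

// unwrapShellForm converts the ["/bin/sh", "-c", "<string>"] array that
// `buildah bud`/`docker build` generate for a shell-form CMD back into the
// argv the shell would exec. It is a heuristic (whitespace split, drop a
// leading "exec"); pipelines, redirections and quoting are not interpreted.
func unwrapShellForm(cmd []string) []string {
	if len(cmd) == 3 && (cmd[0] == "/bin/sh" || cmd[0] == "sh") && cmd[1] == "-c" {
		fields := strings.Fields(cmd[2])
		if len(fields) > 0 && fields[0] == "exec" {
			fields = fields[1:]
		}
		return fields
	}
	return cmd
}

// DetectWithShellUnwrap applies the same check after unwrapping a
// shell-form Cmd, so both Dockerfile spellings from the report are detected.
func DetectWithShellUnwrap(cmd []string) bool {
	return argv0IsSystemd(unwrapShellForm(cmd))
}

func main() {
	// Sample Cmd arrays: the two from the report plus a few edge cases.
	cases := [][]string{
		{"/usr/lib/systemd/systemd"},
		{"/bin/sh", "-c", "/usr/lib/systemd/systemd"},
		{"/bin/sh", "-c", "exec /usr/lib/systemd/systemd --system"},
		{"/bin/sh", "-c", "echo hello && sleep 1"},
		{"/sbin/init"},
	}
	for _, c := range cases {
		fmt.Printf("%-60q exec-form-only=%-5v with-unwrap=%v\n",
			c, DetectExecForm(c), DetectWithShellUnwrap(c))
	}
}
```

The unwrap is deliberately narrow: it only rewrites the exact three-element "/bin/sh -c" shape a builder emits, so an arbitrary shell string such as "echo hello && sleep 1" is still treated as a plain command and not mistaken for systemd. Whether podman should do this at all is the question the maintainers answer below; the practical workarounds on the page are to use the exec form in the Dockerfile, override --entrypoint, or pass --systemd=always.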

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (12 by maintainers)

Most upvoted comments

You could override the --entrypoint or just force --systemd=always. I don’t think we should try to detect the sh -c /usr/lib/systemd/systemd case.