moby: Cannot run container with systemd in it on macOS

Hi,

I did a bit of research around this and, even though it looks like there is a way to work around this problem, this is not applicable to Docker users running it on macOS.

OS version:

macOS Sierra, 10.12.3

Docker version:

Client:
 Version:      1.13.0
 API version:  1.25
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Wed Jan 18 16:20:26 2017
 OS/Arch:      darwin/amd64

Server:
 Version:      1.13.0
 API version:  1.25 (minimum version 1.12)
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Wed Jan 18 16:20:26 2017
 OS/Arch:      linux/amd64
 Experimental: true

Command & error received:

$ systemctl daemon-reload
Failed to get D-Bus connection: Unknown error -1

How to reproduce:


host> docker run -ti --cap-add=SYS_ADMIN -e "container=docker" -v $PWD:/app debian:jessie /sbin/init

container> bash -c 'export DEBIAN_FRONTEND=noninteractive && \
         apt-get update && \
         apt-get install -qqy curl python build-essential python-dev libssl-dev'

container> systemctl daemon-reload

Please let me know if you need any more info. Thank you.

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 4
  • Comments: 15 (6 by maintainers)

Most upvoted comments

So far I’m satisfied with

$ docker run -d -e=container=docker --stop-signal=SIGRTMIN+3 --cap-add=SYS_ADMIN --security-opt=seccomp:unconfined -v /sys/fs/cgroup:/sys/fs/cgroup:ro centos:7 /sbin/init

You may want to do systemctl mask systemd-machine-id-commit https://bugzilla.redhat.com/show_bug.cgi?id=1472439

$ docker version
Client:
 Version:	17.12.0-ce
 API version:	1.35
 Go version:	go1.9.2
 Git commit:	c97c6d6
 Built:	Wed Dec 27 20:03:51 2017
 OS/Arch:	darwin/amd64

Server:
 Engine:
  Version:	17.12.0-ce
  API version:	1.35 (minimum version 1.12)
  Go version:	go1.9.2
  Git commit:	c97c6d6
  Built:	Wed Dec 27 20:12:29 2017
  OS/Arch:	linux/amd64
  Experimental:	true

$ sw_vers
ProductName:	Mac OS X
ProductVersion:	10.13.2
BuildVersion:	17C88

I was able to get systemd to work in a ubuntu:16.04 Docker container on a MacOS host by adding the following options to my docker-compose.yml.

    privileged: true
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    tmpfs:
      - /run
      - /run/lock
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro

$ sw_vers
ProductName:	Mac OS X
ProductVersion:	10.13.3
BuildVersion:	17D47
$ docker version
Client:
 Version:	18.02.0-ce
 API version:	1.36
 Go version:	go1.9.3
 Git commit:	fc4de44
 Built:	Wed Feb  7 21:13:05 2018
 OS/Arch:	darwin/amd64
 Experimental:	true
 Orchestrator:	kubernetes

Server:
 Engine:
  Version:	18.02.0-ce
  API version:	1.36 (minimum version 1.12)
  Go version:	go1.9.3
  Git commit:	fc4de44
  Built:	Wed Feb  7 21:20:15 2018
  OS/Arch:	linux/amd64
  Experimental:	true

Hope this helps.

credit and references:

You need at least -v /sys/fs/cgroup:/sys/fs/cgroup:ro

I’m on OS X. There’s no such /sys/fs/cgroup I can mount a volume from.

@justincormack to give you an update, by adding -v /sys/fs/cgroup:/sys/fs/cgroup:ro the container starts but then I get asked for login…

Full output of container launch follows:

> docker run -ti --cap-add=SYS_ADMIN -e "container=docker" -v /sys/fs/cgroup:/sys/fs/cgroup -v $PWD:/app debian:jessie /sbin/init

systemd 215 running in system mode. (+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR)
Detected virtualization 'other'.
Detected architecture 'x86-64'.

Welcome to Debian GNU/Linux 8 (jessie)!

Set hostname to <0a3a7c223f9b>.
Cannot add dependency job for unit dbus.socket, ignoring: Unit dbus.socket failed to load: No such file or directory.
Cannot add dependency job for unit display-manager.service, ignoring: Unit display-manager.service failed to load: No such file or directory.
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Swap.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice User and Session Slice.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Created slice System Slice.
[  OK  ] Created slice system-getty.slice.
         Starting Copy rules generated while the root was ro...
         Mounting FUSE Control File System...
         Mounting Huge Pages File System...
         Starting Journal Service...
[  OK  ] Started Journal Service.
[  OK  ] Reached target Slices.
         Starting Remount Root and Kernel File Systems...
[  OK  ] Mounted FUSE Control File System.
[  OK  ] Started Copy rules generated while the root was ro.
[  OK  ] Started Remount Root and Kernel File Systems.
         Starting Load/Save Random Seed...
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Reached target Local File Systems.
[  OK  ] Reached target Remote File Systems.
         Starting Trigger Flushing of Journal to Persistent Storage...
         Starting Create Volatile Files and Directories...
[  OK  ] Mounted Huge Pages File System.
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Started Trigger Flushing of Journal to Persistent Storage.
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Reached target Timers.
[  OK  ] Reached target Basic System.
         Starting /etc/rc.local Compatibility...
         Starting Permit User Sessions...
         Starting Cleanup of Temporary Directories...
[  OK  ] Started /etc/rc.local Compatibility.
[  OK  ] Started Permit User Sessions.
         Starting Console Getty...
[  OK  ] Started Console Getty.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Cleanup of Temporary Directories.

Debian GNU/Linux 8 0a3a7c223f9b console

0a3a7c223f9b login:

I’m able to remove the --security-opt=seccomp:unconfined flag now that there is a --tmpfs flag:

https://github.com/moby/moby/issues/9950#issuecomment-442713669

@walterdolce that will work on Docker for Mac; it only mounts the configured directories from the OSX host, all the rest are mounted from the VM.

This is not Mac-specific; you just have systemd configured incorrectly, so it is trying to talk to the host dbus (which does not exist, but that is a good thing, as this would be messing with the host system), and you are missing some tmpfs mounts and various other things it needs to run.

You need at least -v /sys/fs/cgroup:/sys/fs/cgroup:ro; I think you need a few more tmpfs mounts, will try to find the docs.
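As an added example (not from this issue or the moby project), a small Python lint that checks a `docker run` line against the recipe the thread converges on: `--cap-add=SYS_ADMIN` rather than `--privileged`, the host cgroup tree mounted read-only, tmpfs on /run and /run/lock instead of `seccomp:unconfined`, `container=docker` in the environment, and SIGRTMIN+3 as the stop signal. The finding tags and the tightened `MINIMAL_CMD` are my own construction.

```python
"""Audit a `docker run` command line for the settings this thread settled on
for booting systemd as PID 1, flagging over-broad privileges and missing mounts."""
import shlex

# Constructed examples: the reporter's original command and a tightened one.
ISSUE_CMD = ('docker run -ti --cap-add=SYS_ADMIN -e "container=docker" '
             '-v $PWD:/app debian:jessie /sbin/init')
MINIMAL_CMD = ('docker run -d -e container=docker --stop-signal=SIGRTMIN+3 '
               '--cap-add=SYS_ADMIN --tmpfs /run --tmpfs /run/lock '
               '-v /sys/fs/cgroup:/sys/fs/cgroup:ro debian:jessie /sbin/init')

def _values(argv, names):
    """Values of flags written as `--flag value`, `--flag=value` or `-f=value`."""
    found, i = [], 0
    while i < len(argv):
        arg = argv[i]
        for name in names:
            if arg == name and i + 1 < len(argv):
                found.append(argv[i + 1]); i += 1; break
            if arg.startswith(name + "="):
                found.append(arg[len(name) + 1:]); break
        i += 1
    return found

def audit_systemd_run(cmd):
    """Return {tag: explanation} for each deviation from the minimal recipe."""
    argv = shlex.split(cmd)
    vols, tmpfs = _values(argv, ["-v", "--volume"]), _values(argv, ["--tmpfs"])
    secopt, caps = _values(argv, ["--security-opt"]), _values(argv, ["--cap-add"])
    envs, stop = _values(argv, ["-e", "--env"]), _values(argv, ["--stop-signal"])
    f = {}
    if "--privileged" in argv:
        f["privileged"] = "drops almost all isolation; --cap-add=SYS_ADMIN is enough for systemd"
    elif "SYS_ADMIN" not in caps and "ALL" not in caps:
        f["no-sys-admin"] = "systemd needs CAP_SYS_ADMIN to set up its own mounts"
    if any(s.replace("=", ":") == "seccomp:unconfined" for s in secopt):
        f["seccomp-unconfined"] = "not needed once /run and /run/lock are tmpfs; keep the default profile"
    cgroup = [v for v in vols if v.split(":")[1:2] == ["/sys/fs/cgroup"]]
    if not cgroup:
        f["no-cgroup"] = "add -v /sys/fs/cgroup:/sys/fs/cgroup:ro or systemd cannot create unit cgroups"
    elif not any(v.endswith(":ro") for v in cgroup):
        f["cgroup-rw"] = "mount the host cgroup tree read-only, not read-write"
    if "/run" not in tmpfs:
        f["no-tmpfs-run"] = "add --tmpfs /run --tmpfs /run/lock; systemd expects a writable tmpfs there"
    if "container=docker" not in envs:
        f["no-container-env"] = "set -e container=docker so systemd knows it is inside a container"
    if stop != ["SIGRTMIN+3"]:
        f["no-stop-signal"] = "without --stop-signal=SIGRTMIN+3, docker stop sends SIGTERM, which systemd treats as re-exec"
    return f

if __name__ == "__main__":
    for cmd in (ISSUE_CMD, MINIMAL_CMD):
        print(cmd, "->", audit_systemd_run(cmd) or "ok")
```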