moby: ISSUE: Can't get systemd to run with 1.11
I’ve been running a few hundred containers with systemd in them since 1.7. The flags required has changed a little bit. In 1.10 I was adding --cap-add=SYS_ADMIN
, --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro
, and --security-opt=seccomp:unconfined
.
With the same flags, it doesn’t work in 1.11.
With --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --privileged
it works.
With --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --security-opt=seccomp:unconfined
it does not work.
Here’s a dump of the system:
root@Ubuntu-1510-wily-64-minimal ~ # docker info
Containers: 102
Running: 75
Paused: 0
Stopped: 27
Images: 59
Server Version: 1.11.0
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 352
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 4.2.0-35-generic
Operating System: Ubuntu 15.10
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 125.9 GiB
Name: Ubuntu-1510-wily-64-minimal
ID: L6PF:6LTG:FHIZ:NBPC:CJSO:XXQ3:7KIV:ZVQF:C7LA:3NNG:XU3C:O6OT
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): true
File Descriptors: 243
Goroutines: 431
System Time: 2016-04-25T04:35:08.881928707+02:00
EventsListeners: 0
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
root@Ubuntu-1510-wily-64-minimal ~ # docker version
Client:
Version: 1.11.0
API version: 1.23
Go version: go1.5.4
Git commit: 4dc5990
Built: Wed Apr 13 18:38:59 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.0
API version: 1.23
Go version: go1.5.4
Git commit: 4dc5990
Built: Wed Apr 13 18:38:59 2016
OS/Arch: linux/amd64
root@Ubuntu-1510-wily-64-minimal ~ # uname -a
Linux Ubuntu-1510-wily-64-minimal 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Thanks for the help!
FYI: This is the only thing I could find about the issue while Googling, and it suggests something indeed did change in 1.11: https://trello.com/c/RFUcI1eV/158-3-make-docker-systemd-cgroups-driver-work-in-1-11
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Comments: 26 (15 by maintainers)
we’re seeing this as well on 1.11,
--security-opts=seccomp:unconfined --cap-add=SYS_ADMIN
works under 1.10, but not on 1.11. i suspect this might indeed be AppArmor related, as it seems to work on Fedora 23, but not in the Docker-on-Mac beta, which I think uses an Ubuntu bhyve guest?@thaJeztah it’s been made abundantly clear what Docker’s perspective is on multi-process containers, but I’d like to share our use case, in the interest of providing at least a single data-point on the types of reasons users may be interested in running systemd in Docker containers. Hopefully it helps get past this “you’re doing it wrong” attitude i see so often in docker bug-reports 😄
We (Treehouse) offer a feature to our students called “Workspaces”, which is online code editor and terminal that our students use to work on projects associated with their courses. Each Workspace is spun up as an on-demand docker container running the backing services that the frontend code-editor talks to, with persistence handled by bind-mounting gluster volumes into the container. The services that make up an active Workspace include things like:
we use docker’s dynamic port mapping to expose these services (and other common dev-preview ports for e.g. flask, etc) on the host, and inject the routes into Redis for our load-balancer.
because these are docker containers, we’re able to run anywhere from 100-200 Workspaces on a given host, which is awesome. Having to do this in actual VMs would be cost-prohibitive, so Docker’s worked really well for us in that regard.
With experience, we’ve found that treating each active Workspace as a single container is optimal for several reasons:
docker ps
tells us definitively whether a workspace is ‘active’ or not, so shutdowns can just be retried for expired workspaces if they fail at first.there’s probably some other things i’m forgetting, but those are the big ones for us at present. ultimately, we hope Docker can see that there are some legitimate use cases for multi-process containers, though it’s clear that best-practice for most use cases is still the single-process container model.
thanks for reading, and thanks for a great product! we love Docker, and hope we can keep using it well into the future!
@justincormack
So, it exists. Still:
Testing your suggested approach (note the
rw
):That said, I think there is something funky with the host system. On one of my machines it actually works:
The issue is easy for me to reproduce. Just let me know what info you need about the two different host environments. Here are some basics:
Broken host environment:
Working host environment:
Kernel issue?
/beetree