moby: Ubuntu 16.04 host: cannot run systemd inside unprivileged container

I decided to create a new issue instead of commenting on an existing one because:

  1. Other issues are closed
  2. This issue is specific to Ubuntu 16.04 hosts (apologies if that was the wrong call)

Here’s a reduced test case that shows I cannot start systemd inside a container on Ubuntu 16.04 hosts:

================================================================================
Bad run: not privileged (Ubuntu 16.04 host)(Ubuntu 16.04 container)
================================================================================

docker rm -f tmp; docker run --cap-add SYS_ADMIN --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init ubuntu:16.04 && sleep 1 && docker exec tmp systemctl | wc -l
Error response from daemon: No such container: tmp
03f9d8cabd006c2e60d2a3d23562b0d7b04f8b701b5446f6d31a5b2a169064e9
Failed to connect to bus: No such file or directory
0

================================================================================
Bad run: not privileged (Ubuntu 16.04 host)(CentOS container)
================================================================================

root@wasosa-docker:~# docker rm -f tmp ; docker run --cap-add SYS_ADMIN --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init centos && sleep 1 && docker exec tmp systemctl | wc -l
Error response from daemon: No such container: tmp
585a070e022447291124d6cd2158cc0676699038b6b4af49e4190c008bf8f431
Failed to get D-Bus connection: Operation not permitted
0

As you can see, systemctl is not putting anything on stdout (line count is 0), but it is putting one error message on stderr: "Failed to get D-Bus connection: Operation not permitted". If instead I run with --privileged then I get:

================================================================================
Good run: privileged (Ubuntu 16.04 host)(Ubuntu 16.04 container)
================================================================================

rm -f tmp ; docker run --privileged --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init ubuntu:16.04 && sleep 1 && docker exec tmp systemctl | wc -l
tmp
91621fcb200ac06fef503871add7bc79ab8b67d33ebec3507f187edaa26f7040
67

================================================================================
Good run: privileged (Ubuntu 16.04 host)(CentOS container)
================================================================================

root@wasosa-docker:~# docker rm -f tmp ; docker run --privileged --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init centos && sleep 1 && docker exec tmp systemctl | wc -l
tmp
3fca11156b252a5fe53271882b290b27278b978e8dd4e62fe2563a281e6e336b
62

In this case systemctl does give lots of output (hidden here because it is not relevant, but line counts are around 60).

If instead I run on a CentOS host, all cases above succeed:

================================================================================
Good run: not privileged (CentOS 7 host)(Ubuntu 16.04 container)
================================================================================

[root@wasosa-centos ~]# docker rm -f tmp; docker run --cap-add SYS_ADMIN --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init ubuntu:16.04 && sleep 1 && docker exec tmp systemctl | wc -l
fdca61d37b996d3b9dab92ba00a31e06b31e38bdf4c32d2db37a6788a015852f
58

================================================================================
Good run: not privileged (CentOS 7 host)(CentOS container)
================================================================================

[root@wasosa-centos ~]# docker rm -f tmp; docker run --cap-add SYS_ADMIN --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init centos && sleep 1 && docker exec tmp systemctl | wc -l
tmp
efe33d103256fc3680c5098084649f72b6561dbe05092e1b399cdd3643105461
58

================================================================================
Good run: privileged (CentOS 7 host)(CentOS container)
================================================================================

[root@wasosa-centos ~]# docker rm -f tmp; docker run --privileged --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init centos && sleep 1 && docker exec tmp systemctl | wc -l
tmp
ee9437e595bb221674aefb805c420443367b83847013e3501533729ac88c9f67
62

================================================================================
Good run: privileged (CentOS 7 host)(Ubuntu 16.04 container)
================================================================================

[root@wasosa-centos ~]# docker rm -f tmp; docker run --privileged --volume /sys/fs/cgroup:/sys/fs/cgroup --name=tmp --detach --entrypoint=/sbin/init ubuntu:16.04 && sleep 1 && docker exec tmp systemctl | wc -l
tmp
c2c484d222c4b96f0353cc1cec4a50568e22b99da5bacd2a11547bba66038f4e
66

Here are the details for the two hosts:

================================================================================
Host machine details: Ubuntu 16.04
================================================================================

DigitalOcean One-click apps: Docker 1.12.3 on 16.04

root@wasosa-docker:~# uname -a
Linux wasosa-docker 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:39:52 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@wasosa-docker:~# cat /etc/issue
Ubuntu 16.04.1 LTS \n \l

root@wasosa-docker:~# docker version
Client:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   6b644ec
 Built:        Wed Oct 26 22:01:48 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   6b644ec
 Built:        Wed Oct 26 22:01:48 2016
 OS/Arch:      linux/amd64

root@wasosa-docker:~# docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 4
Server Version: 1.12.3
Storage Driver: devicemapper
 Pool Name: docker-253:1-1183379-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 660.9 MB
 Data Space Total: 107.4 GB
 Data Space Available: 40.18 GB
 Metadata Space Used: 1.229 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.110 (2015-10-30)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-47-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.953 GiB
Name: wasosa-docker
ID: 33GB:G7KS:ZXJ7:UY4T:3467:SDL2:AHQN:CPRO:STIA:MOF5:ANUC:MPKW
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

================================================================================
Host machine details: CentOS 7.2
================================================================================

DigitalOcean: CentOS 7.2 x64

[root@wasosa-centos ~]# uname -a
Linux wasosa-centos 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@wasosa-centos ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

[root@wasosa-centos ~]# docker version
Client:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   6b644ec
 Built:        
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   6b644ec
 Built:        
 OS/Arch:      linux/amd64

[root@wasosa-centos ~]# docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 1.12.3
Storage Driver: devicemapper
 Pool Name: docker-253:1-391976-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 415.6 MB
 Data Space Total: 107.4 GB
 Data Space Available: 40.38 GB
 Metadata Space Used: 966.7 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-327.36.3.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.797 GiB
Name: wasosa-centos
ID: 4NWZ:KTNY:OMAZ:D333:VS64:Z4DE:TYMH:4TCM:5545:KJE7:IBOI:IJHU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8

================================================================================
Same behavior on my Ubuntu 16.04 workstation:
================================================================================

[wasosa][wasosa-desktop][~/workspace/privileged][148]: uname -a
Linux wasosa-desktop 4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[wasosa][wasosa-desktop][~/workspace/privileged][0]: cat /etc/issue
Ubuntu 16.04 LTS \n \l

[wasosa][wasosa-desktop][~/workspace/privileged][148]: docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 158
Server Version: 1.12.3
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 138
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-42-generic
Operating System: Ubuntu 16.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 23.54 GiB
Name: wasosa-desktop
ID: OYA2:CECT:5QXK:KAZE:BRRG:FQUI:XPXJ:FQPG:5433:4P5X:2N6J:HLTB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 carrot.mezztest.oblong.com:5000
 127.0.0.0/8

[wasosa][wasosa-desktop][~/workspace/privileged][0]: docker version
Client:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   6b644ec
 Built:        Wed Oct 26 22:01:48 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   6b644ec
 Built:        Wed Oct 26 22:01:48 2016
 OS/Arch:      linux/amd64

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 2
  • Comments: 20 (8 by maintainers)

Most upvoted comments

I tried building my own container and running various incantations without any luck. However, I did end up finding this project:

https://github.com/solita/docker-systemd

and I was able to get a systemd container running on Ubuntu 14.04 by following the instructions on that project.

I was able to start a centos container with this:

docker run -it \
  --name=tmp \
  --cap-add=SYS_ADMIN \
  -e "container=docker" \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --tmpfs /run \
  centos:7 /usr/sbin/init

I had to specify the --tmpfs, otherwise container start failed:

Failed to mount tmpfs at /run: Permission denied
[!!!!!!] Failed to mount API filesystems, freezing.

Ubuntu 16.04 indeed fails to start; it also required /run to be specified as tmpfs, but then failed at trying to mount a tmpfs at /run/lock.

docker run -it \
>   --name=tmp \
>   --cap-add=SYS_ADMIN \
>   -e "container=docker" \
>   -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
>   --tmpfs /run \
>   ubuntu:16.04 /sbin/init
Failed to mount tmpfs at /run/lock: Permission denied
[!!!!!!] Failed to mount API filesystems, freezing.
Freezing execution.

Setting both /run and /run/lock as tmpfs seems to do more:

docker run -it \
>   --name=tmp \
>   --cap-add=SYS_ADMIN \
>   -e "container=docker" \
>   -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
>   --tmpfs /run \
>   --tmpfs /run/lock \
>   ubuntu:16.04 /sbin/init
systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN)
Detected virtualization docker.
Detected architecture x86-64.

Welcome to Ubuntu 16.04.1 LTS!

Set hostname to <835a1fc5a655>.
Initializing machine ID from random generator.
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Created slice System Slice.
[  OK  ] Created slice system-getty.slice.
[  OK  ] Reached target Slices.
[  OK  ] Listening on Journal Socket.
         Starting Remount Root and Kernel File Systems...
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
         Mounting Huge Pages File System...
[  OK  ] Reached target Swap.
[  OK  ] Listening on Journal Socket (/dev/log).
         Starting Journal Service...
[  OK  ] Reached target Sockets.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Reached target Paths.
         Mounting FUSE Control File System...
[  OK  ] Started Journal Service.

(note: without -e "container=docker" I got "Failed to set up the root directory for shared mount propagation: Permission denied")

@justincormack any idea on the mount issue?
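An added audit check, written here for this issue and not part of the thread or of Docker: given `docker inspect` output, it reports whether a container meant to run systemd as PID 1 relies on --privileged or on the narrower settings from the comment above (SYS_ADMIN, read-only /sys/fs/cgroup, tmpfs on /run and /run/lock, container=docker). The two inspect documents are constructed samples trimmed to the fields the check reads.

```python
import json

# Constructed samples trimmed to the fields the audit reads; they mirror the
# --privileged run and the --cap-add SYS_ADMIN run above, not real inspect output.
PRIVILEGED_RUN = json.loads("""{
  "Config": {"Env": ["PATH=/usr/sbin:/usr/bin"]},
  "HostConfig": {"Privileged": true, "CapAdd": null, "Tmpfs": null,
                 "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup"]}
}""")
CAPADD_RUN = json.loads("""{
  "Config": {"Env": ["container=docker"]},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"],
                 "Tmpfs": {"/run": "", "/run/lock": ""},
                 "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]}
}""")

def cgroup_bind_mode(binds):
    """'ro', 'rw' or None for the /sys/fs/cgroup entry in HostConfig.Binds."""
    for bind in binds or []:
        parts = bind.split(":")
        if len(parts) >= 2 and parts[1] == "/sys/fs/cgroup":
            opts = parts[2].split(",") if len(parts) > 2 else []
            return "ro" if "ro" in opts else "rw"
    return None

def audit_systemd_container(inspect_obj):
    """Return findings for a container meant to run systemd as PID 1 ([] if clean)."""
    hc = inspect_obj["HostConfig"]
    env = inspect_obj["Config"].get("Env") or []
    findings = []
    privileged = bool(hc.get("Privileged"))
    if privileged:
        findings.append("--privileged: all capabilities, seccomp and AppArmor unconfined")
    caps = {c.upper().replace("CAP_", "", 1) for c in hc.get("CapAdd") or []}
    if not privileged and "SYS_ADMIN" not in caps:
        findings.append("SYS_ADMIN missing: systemd needs it to mount its API filesystems")
    mode = cgroup_bind_mode(hc.get("Binds"))
    if mode is None:
        findings.append("no /sys/fs/cgroup bind mount")
    elif mode == "rw":
        findings.append("/sys/fs/cgroup bound read-write; the working run uses :ro")
    tmpfs = hc.get("Tmpfs") or {}
    for path in ("/run", "/run/lock"):  # Ubuntu 16.04 needs both, CentOS only /run
        if path not in tmpfs:
            findings.append(f"no --tmpfs {path}: 'Failed to mount API filesystems'")
    if "container=docker" not in env:
        findings.append("container=docker unset: shared mount propagation setup fails")
    return findings
```

Feed it the output of `docker inspect <name>` (one element of the returned list) to compare a running container against the minimal invocation.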

Could you open an issue in the https://github.com/docker/compose/issues issue tracker?