Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

privileged:true required to run app in container where systemd is pid 1 on Ubuntu 16.04 host #4633

Closed
aikchar opened this issue Mar 18, 2017 · 5 comments
Labels

Comments

@aikchar
Copy link

@aikchar aikchar commented Mar 18, 2017

I'm trying to run a container (systemd is pid 1) on host Ubuntu 16.04.

$ docker-compose --version
docker-compose version 1.11.2, build dfed245
$ docker --version
Docker version 17.03.0-ce, build 3a232c8

tl;dr: On Ubuntu 16.04 host docker run starts a container and my app in it with privileged: false but docker-compose up needs privileged: true. The same container runs on Fedora 25 host with privileged: false.

First reported in moby/moby#28614.

Docker Image

The Docker image is built with the following Dockerfile snippet that runs systemd as pid 1 in the container.

FROM centos/centos7

# Fix incompatibility between Docker and systemd
# copy/paste from https://forums.docker.com/t/systemctl-status-is-not-working-in-my-docker-container/9075/4
# additional steps from https://github.com/CentOS/sig-cloud-instance-images/issues/41
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
    rm -f /lib/systemd/system/multi-user.target.wants/*; \
    rm -f /etc/systemd/system/*.wants/*; \
    rm -f /lib/systemd/system/local-fs.target.wants/*; \
    rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
    rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
    rm -f /lib/systemd/system/basic.target.wants/*; \
    rm -f /lib/systemd/system/anaconda.target.wants/*; \
    mkdir -p /etc/selinux/targeted/contexts/ &&\
    echo '<busconfig><selinux></selinux></busconfig>' > /etc/selinux/targeted/contexts/dbus_contexts

VOLUME [ "/sys/fs/cgroup" ]

CMD ["/usr/sbin/init"]

ENV TERM=xterm

# Continue the rest here

docker run

When I use docker run to create container it starts and the app process starts in the container.

$ docker run --name=myapp -d --rm --privileged=false --cap-add=SYS_ADMIN --tmpfs /run --tmpfs /run/lock --tmpfs /tmp -p 2424:2424 -p 2480:2480 -v /sys/fs/cgroup:/sys/fs/cgroup:ro mycontainerimage

$ docker exec -it b2769703c135 /bin/bash

[root@b2769703c135 /]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 00:30 ?        00:00:00 /usr/sbin/init
root        17     1  0 00:30 ?        00:00:00 /usr/lib/systemd/systemd-journald
root        19     1 37 00:30 ?        00:00:01 /bin/java -server -Xms512m -Xmx512m -Djna.nosys=true -XX:+HeapDumpOnOutOfMemoryError -Djava.awt.headless=true -Dfile.encoding=UTF8 -Drhino.opt.level=9 -Dprofi
root       117     0  1 00:30 ?        00:00:00 /bin/bash
root       135   117  0 00:30 ?        00:00:00 ps -ef

[root@b2769703c135 /]# systemctl
  UNIT                           LOAD   ACTIVE SUB       DESCRIPTION
  -.mount                        loaded active mounted   /
  dev-mqueue.mount               loaded active mounted   POSIX Message Queue File System
<SNIP>

docker-compose up

When I use docker-compose up the container starts but the app process does not start in the container.

docker-compose.yml:

version: '2'
services:
myapp:
    cap_add:
    - SYS_ADMIN
    environment:
    - container=docker
    image: mycontainerimage
    ports:
    - "2424:2424"
    - "2480:2480"
    privileged: false
    tmpfs:
    - /run
    - /run/lock
    - /tmp
    volumes:
    - "/sys/fs/cgroup:/sys/fs/cgroup:ro"

Commands:

$ docker-compose up -d

$ docker exec -it 70c88ce6df22 /bin/bash

[root@70c88ce6df22 /]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 00:18 ?        00:00:00 /usr/sbin/init
root        27     0  0 00:32 ?        00:00:00 /bin/bash
root        45    27  0 00:32 ?        00:00:00 ps -ef

[root@70c88ce6df22 /]# systemctl
Failed to get D-Bus connection: Operation not permitted

When I modify docker-compose.yml to change privileged: false to privileged: true the container starts and so does the app inside the container.

$ docker exec -it 9de86c00efd6 /bin/bash
[root@9de86c00efd6 /]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 00:40 ?        00:00:00 /usr/sbin/init
root        17     1  0 00:40 ?        00:00:00 /usr/lib/systemd/systemd-journald
root        18     1  4 00:40 ?        00:00:01 /bin/java -server -Xms512m -Xmx512m -Djna.nosys=true -XX:+HeapDumpOnOutOfMemoryError -Djava.awt.headless=true -Dfile.encoding=UTF8 -Drhino.opt.level=9 -Dprofi
root       172     0  0 00:40 ?        00:00:00 /bin/bash
root       190   172  0 00:40 ?        00:00:00 ps -ef

Diffs between docker inspect

From container created by docker run.

"HostConfig": {
            "Binds": [
                "/sys/fs/cgroup:/sys/fs/cgroup:ro"
            ],

and

"Mounts": [
            {
                "Type": "bind",
                "Source": "/sys/fs/cgroup",
                "Destination": "/sys/fs/cgroup",
                "Mode": "ro",
                "RW": false,
                "Propagation": ""
            }
        ],

From container created by docker-compose up whether privileged:false or privileged:true.

"HostConfig": {
            "Binds": [
                "321e05df2c34e16442f2834db896b42c8d0188d5c7a06977b246bbb32270cd5d:/sys/fs/cgroup:rw"
            ],

and

"Mounts": [
            {
                "Type": "volume",
                "Name": "321e05df2c34e16442f2834db896b42c8d0188d5c7a06977b246bbb32270cd5d",
                "Source": "/var/lib/docker/volumes/321e05df2c34e16442f2834db896b42c8d0188d5c7a06977b246bbb32270cd5d/_data",
                "Destination": "/sys/fs/cgroup",
                "Driver": "local",
                "Mode": "rw",
                "RW": true,
                "Propagation": ""
            }
        ],
@dnephin
Copy link
Contributor

@dnephin dnephin commented Mar 20, 2017

https://docs.docker.com/compose/overview/#preserve-volume-data-when-containers-are-created

What's your docker-compose.yml ?

You can remove the old container with docker-compose rm, and start it again. There should be a warning about the bind volume being masked.

@aikchar
Copy link
Author

@aikchar aikchar commented Mar 27, 2017

docker-compose.yml:

version: '2'
services:
    myapp:
        cap_add:
        - SYS_ADMIN
        environment:
        - container=docker
        image: mycontainerimage
        ports:
        - "2424:2424"
        - "2480:2480"
        privileged: false
        tmpfs:
        - /run
        - /run/lock
        - /tmp
        volumes:
        - "/sys/fs/cgroup:/sys/fs/cgroup:ro"

Which old container do I remove? I'm creating two containers from the same image; one with docker up and the other with docker-compose up. I'm sorry I didn't get what you meant.

@guillaumeparis2000
Copy link

@guillaumeparis2000 guillaumeparis2000 commented Oct 19, 2017

Hi @aikchar have you find a solution for that problem?
Thanks

@stale
Copy link

@stale stale bot commented Oct 10, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 10, 2019
@stale
Copy link

@stale stale bot commented Oct 17, 2019

This issue has been automatically closed because it had not recent activity during the stale period.

@stale stale bot closed this Oct 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.