New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
seccomp may cause "Failed to mount API filesystems, freezing." #25290
Comments
This is not a bug, but by design: processes inside the container should not automatically get these privileges, as they make the container less secure; if a process (such as systemd) requires these privileges, you need to pass them at runtime. I'm closing this issue, but feel free to continue the discussion |
@thaJeztah Thanks for sharing. Reading that other issue makes it easier for me to understand the reasons here. What would have been helpful, are doc pages explaining how to use I didn't find any documentation using the search engine on the docker site. |
You only need to add SYS_ADMIN as of 1.12 this will take care of the On 1 Aug 2016 3:10 p.m., "Sebastiaan van Stijn" notifications@github.com
|
Thanks for adding that, @justincormack
We currently don't have documentation about running
In most cases, running a process manager really isn't needed; remember; a container is to run a process, not a virtual machine. As can be seen from this discussion; allowing systemd to run, requires lowering the security of the container as a whole, so it's worth considering if you need systemd for your use case. Opinions on this vary, so let's just say "it depends" 😄 |
@thaJeztah Yeah, you're absolute right. That's why I suggested just to add a section about reasons
Is the following something you would accept? If you yes I'm going to create a PR for that and give it a bit more time to mature. Control and configure services in a Docker ContainerThere are some use cases where using a supervising PID 1 inside a container makes sense. In particular if you need a zombie reaper. In general we suggest to avoid using a process supervisor as it makes your setup more complex, but there might be uses cases where it makes sense to use "systemd" as PID 1. Reasons NOT to use "systemd" as PID 1
Reasons to use "systemd" as PID 1
How to use "systemd" as PID 1Create the image
Now build the image. docker build -t my-centos . Run the imageAs of "Docker" > 1.12 pass the
|
@justincormack I cannot confirm this for 1.12.0: Fails:
Succeeds:
|
@justincormack, I see same behavior as @dg-ratiodata. Somewhere I've seen that Btw I wish I understood why this succeeds:
but running
|
Note I'm using Docker for Mac which is still docker 1.12.0. The need for |
I am also facing this problem. |
@cleverlzc I'd discourage using |
Okay,thanks very much for your attention and advice. @thaJeztah |
Output of
docker version
:RHEL Host
Arch Linux Host
Output of
docker info
:Additional environment details (AWS, VirtualBox, physical, etc.):
systemd
208 for starting processesSteps to reproduce the issue:
docker pull feduxorg/centos
docker run -t --rm --name server-1 -v /sys/fs/cgroup:/sys/fs/cgroup feduxorg/centos
Describe the results you received:
systemd stops starting the system. Instead the following error message is shown.
Describe the results you expected:
I expect to see the normal systemd startup sequence.
Additional information you deem important (e.g. issue happens only occasionally):
The problem seems to be somehow related to seccomp. Maybe the issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=1322508 is not fixed (yet) (upstream)?
If I run
docker
with no options, it fails:If set seccomp options explicitly or run it as privileged process it works.
The text was updated successfully, but these errors were encountered: