15

I am trying to see if I can run systemd inside a docker container (which is running arch linux in the container).

I start docker with all capabilities, and bind mount in cgroups:

docker run -it --rm --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro ..

however, if I try to run the systemd binary:

Trying to run as user instance, but the system has not been booted with systemd.

Trying to find out how to init things correctly to systemd starts.

Michael Neale
  • 3,654
  • 5
  • 27
  • 26

7 Answers7

5

Here my master pice :D running systemd inside a docker container with ubuntu :D I Got Ubuntu working with systemd inside docker

GitHub Repo for my docker-systemd container

$ docker run -it --cap-add SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro dockerimages/docker-systemd

Output:

systemd 218 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN)
Detected virtualization 'docker'.
Detected architecture 'x86-64'.

Welcome to Ubuntu Vivid Vervet (development branch)!

Set hostname to <502ec40509a5>.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice System Slice.
         Starting Emergency Shell...
[  OK  ] Started Emergency Shell.
Startup finished in 5ms.
Welcome to emergency mode! After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to
try again to boot into default mode.
root@502ec40509a5:~# exit

Update 2021

A lot of Patches got Submitted to diffrent Projects like the docker upstream repos by REDHAT. To be More clear my frind David Walsh @ REDHAT did also post a lot about that. https://developers.redhat.com/blog/author/rhatdan/.

Running SystemD Without additional Privileges requires

/run as a tmpfs. /sys/fs/cgroup read/only. /sys/fs/cgroup/systemd read/write. /etc/machine-id Needs to Contain a Uniqe MachineID SIGRTMIN+3 as stopsignal as sigterm will not work /var/log/journal If it does not exist it will write to memory

docker run -d \ 
    --tmpfs /tmp \
    --tmpfs /run \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --stop-signal SIGRTMIN+3 \
    httpd /sbin/init

Note: The Stopsignal flag can be droped when your dockerfile contains STOPSIGNAL SIGRTMIN+3

See the full Post. https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/

Note: Today with Podman this would be even more simple read about it here: https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/

frank-dspeed
  • 161
  • 1
  • 3
  • 7
    Technically this works, but you had to break the container's security to do it. This is not appropriate for a production deployment. – Michael Hampton Dec 21 '14 at 03:37
  • Today thuis is possible more easy with less security flags – frank-dspeed Oct 02 '18 at 05:04
  • Cool masterpiece. Consider this other answer, because it is more secure and explains things (`SYS_ADMIN` is probably overkill): https://unix.stackexchange.com/a/499585/33386 – Jonathan Komar Dec 09 '20 at 09:47
  • You really should be citing the source you copied from in your answer (my comment above does not count): https://unix.stackexchange.com/a/499585/33386. – Jonathan Komar Apr 13 '21 at 12:29
  • @JonathanKomar Your probally right i will write it complet new with the current state of 2021 thanks for pointing that out do not forget to mention my name every where when you should use that. – frank-dspeed Apr 14 '21 at 07:27
4

To run systemd in a Docker container, the host system must also run systemd. This means you cannot use Ubuntu < 16.04 as the host.

Mark Stosberg
  • 3,771
  • 23
  • 27
Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
3

Currently systemd does not run correctly within a docker container, due to a whole set of reasons, i.e. the lack of the correct privileges. You can read up on that in a variety of github issues on the docker project like running systemd inside docker arch container hangs or segfaults and related issues regarding init/process monitoring. (I would like to link more issues here, but I can't as I apparently don't have enough reputation).

As you can see, this is a topic that is currently being worked on and a few patches have been merged already to improve behavior, so that we can expect this to work quite soon.

Apparently some developers already managed to get it to run on fedora systems, as they have documented in their blog.

  • 1
    This answer is outdated. systemd can run Docker containers now: https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/ – Mark Stosberg Jun 16 '20 at 14:36
  • @MarkStosberg You're both right. That article is about running systemd inside *podman* containers, not the original Docker, but it should be easy enough to switch. Thanks for the link! – Nemo Feb 19 '21 at 11:15
1

I was able to work backwards from this: https://registry.hub.docker.com/u/codekoala/arch/

Docker 1.1 makes this easier as groups (ro) is already provided in containers - I still currently need priv access so it can create PrivateTmp mounts, but otherwise, as long as you specify the cmd to run as the systemd binary - it works nicely.

Michael Neale
  • 3,654
  • 5
  • 27
  • 26
1

You can run systemd inside a docker container. The host OS doesn't matter, although you will need to mount the host's /sys/fs/cgroup volume. I got it to work following this guide: http://developerblog.redhat.com/2014/05/05/running-systemd-within-docker-container/

Tony H
  • 27
  • 1
  • 5
    Welcome to ServerFault. Instead of linking to an solution, please include the essentials points of it here in your answer. That way your answer will still be useful if the link target goes away. – Andrew Schulman Mar 13 '15 at 07:07
  • The article you link to contains very useful information. In order for your answer to be complete, please summarise its main actionable pieces of advice (besides mounting the host’s `/sys/fs/cgroup`, which you have mentioned). – Amir Feb 21 '19 at 10:31
  • And here is a follow-up article with further useful information: https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/ – Amir Feb 21 '19 at 10:42
  • Of course the link is broken now, so this answer is no longer useful. This is why you need to put the essential bits directly into your answers. – Michael Hampton Jun 16 '20 at 14:59
1

Found this question while trying to do this in the debian:8 official container. For anyone else trying to do this on the official debian:8 (debian:jessie) container, @Frank-from-DSPEED's answer works with a slight modification as described in an older git hub post:

docker run -d \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --cap-add SYS_ADMIN \
    debian:jessie  /sbin/init
docker exec -it <your-new-container-name-or-ID> bash

Then from in the container:

systemctl show-environment

This works perfectly for me and since this is only a development environment, the security issue does not matter to me.

Note: The /sbin/init command gets /sbin/init to be Process 1, which is a key part of making this work.

twildfarmer
  • 811
  • 6
  • 3
  • 1
    `systemctl show-environment` reutrns for me `Failed to get D-Bus connection: Unknown error -1`. When I start the container with an `--privileged` flag instead of `--cap-add SYS_ADMIN` (`docker run -d --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro --name=ubuntu_systemd_test debian:jessie /sbin/init`) systemctl responds like usual – czerasz Mar 06 '17 at 10:27
  • @twildfarmer thank you. Also for anyone else who tries this. Another Dockerfile that this has been implemented in is: https://syslog.me/2016/03/31/an-init-system-in-a-docker-container/ – Vivek Kodira Sep 28 '17 at 11:16
1

As of 2018, this now works for me: docker run -it -e container=docker your-image-name /sbin/init

This won't give you a shell, however, so you will need to first enable some systemd service (e.g. sshd) inside the image if that hasn't already been done, to do anything useful.

Robin Green
  • 451
  • 3
  • 11
  • 1
    Can you give details on what image you're using for this? I've tried Ubuntu, Debian, Arch, Alpine and OpenSUSE and none of them work. Either the binary doesn't exist or init fails to open resources. – Codebling Jan 17 '20 at 03:50
  • Try a systemd-enabled Docker image: https://github.com/defn/docker-systemd – Mark Stosberg Jun 16 '20 at 14:38