failed to get D-Bus connection: Operation not permitted

Question

I'm trying to list services on my CentOS image running in Docker using

systemctl list-units  

but I get this error message:

Failed to get D-Bus connection: Operation not permitted

Any suggestions what the problem might be?

Answer 1

My guess is that you're running a non-privileged container. systemd requires CAP_SYS_ADMIN capability but Docker drops that capability in the non privileged containers, in order to add more security.

systemd also requires RO access to the cgroup file system within a container. You can add it with –v /sys/fs/cgroup:/sys/fs/cgroup:ro

So, here a few steps on how to run CentOS with systemd inside a Docker container:

1. Pull centos image
2. Set up a docker file like the one below:

FROM centos
MAINTAINER "Yourname" <youremail@address.com>
ENV container docker
RUN yum -y update; yum clean all
RUN yum -y install systemd; yum clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]

3. Build it - docker build -t centos7-systemd - < mydockerfile

4. Run a container with docker run --rm --privileged -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup centos7-systemd /usr/sbin/init

5. You should have systemd in your container

Answer 2

This isn't a direct answer to your question, but it may actually be more important, and I came across this realization as I was reading the other answers here.

I've had some experience migrating some complicated systems to Docker, and one of the significant realizations I've had is that you should ideally have one Docker container per application/service or "per daemon".

One very significant reason for this is that Docker will not cleanly shutdown services that you start with systemctl and in fact you may end up with the same sort of database corruptions that come from an unexpected power outage.

To dive into this a little deeper: when Docker issues a "stop" command to a container, it sends the SIGTERM signal only the one single process that was started with the CMD/ENTRYPOINT, not to all the services and daemons. So that one service has the warning to shutdown cleanly and all the others get unceremoniously terminated.

If you absolutely have to package two services in the same container (i.e. your application and a PostgreSQL database or something like that) then you need to have your CMD/ENTRYPOINT be a script that catches SIGTERM and then rebroadcasts it to those known services. It can be done, but if you have the opportunity, rethink your solution and try to break it into multiple containers.

An addendum

There's an interesting note/page on the Docker site about using supervisord if you absolutely need to have multiple services running in the same container.

Answer 3

I've managed to fix this issue in a CentOS:7 Docker container. I've followed mainly the Guide on CentOS Docker image project.

FROM centos:7

ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;

# Install anything. The service you want to start must be a SystemD service.

CMD ["/usr/sbin/init"]

Now, build the image, and run it using at least the following arguments to docker run command: -v /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro

Then main point is that /usr/sbin/init must be the first process inside the Docker container.

So if you want to use a custom script that executes some commands before running /usr/sbin/init, launch it at the end of your script using exec /usr/sbin/init (in a bash script).

Here is an example:

ADD cmd.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/cmd.sh

CMD ["/usr/local/bin/cmd.sh"]

And here is the content of cmd.sh:

#!/bin/bash

# Do some stuffs

exec /usr/sbin/init # To correctly start D-Bus thanks to https://forums.docker.com/t/any-simple-and-safe-way-to-start-services-on-centos7-systemd/5695/8

You could have System is booting up. See pam_nologin(8) if your using the PAM system, in that case, delete /usr/lib/tmpfiles.d/systemd-nologin.conf in your Dockerfile because it creates the file /var/run/nologin which generates this specific error.

Answer 4

I didn't want to have to launch systemd as init/PID 1. After doing the cleanup steps mentioned by others, I launch systemd from within a startup script as /usr/lib/systemd/systemd --system &.

This allowed systemd to start and launch the registered services, but systemctl was failing with the D-Bus error.

For me, the missing link was the absence of the /run/systemd/system directory, discovered this by straceing systemctl.

Creating this directory manually before running systemctl allows systemctl to work for me.