AkihiroSuda / containerized-systemd

Dockerfile examples for containerized systemd (mainly for test environments)
https://github.com/moby/moby/pull/40493
Apache License 2.0

cgroups v2 - possible? #11

Open danryu opened 2 years ago

danryu commented 2 years ago

I have the latest Docker on Ubuntu 21.10, with cgroups v2 enabled and the host OS configured as per the instructions at https://rootlesscontaine.rs/getting-started/common/cgroup2/.

$ cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-5.14.14-xanmod2 root=UUID=3d234b83-5e3a-4eff-a384-8e17575d4031 ro systemd.unified_cgroup_hierarchy=1 quiet splash pci=noaer vt.handoff=7

However, this doesn't work with the default build (also tried the Ubuntu image). Do you know why there are these permission problems?

$ docker build -t systemddeb10 -f Dockerfile.debian-10 .
...
$ docker run  -it systemddeb10:latest bash
Created symlink /etc/systemd/system/systemd-firstboot.service → /dev/null.
Created symlink /etc/systemd/system/systemd-udevd.service → /dev/null.
Created symlink /etc/systemd/system/systemd-modules-load.service → /dev/null.
Created symlink /etc/systemd/system/multi-user.target.wants/docker-entrypoint.service → /etc/systemd/system/docker-entrypoint.service.
/docker-entrypoint.sh: starting /lib/systemd/systemd --show-status=false --unit=docker-entrypoint.target
Failed to mount tmpfs at /run: Operation not permitted
Failed to mount tmpfs at /run/lock: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

danryu commented 2 years ago

Another attempt:

$ docker build -t akirodeb10 -f Dockerfile.debian-10 .
Sending build context to Docker daemon  109.1kB
Step 1/4 : FROM debian:10
 ---> 2b6f409b1d24
Step 2/4 : RUN apt-get update &&   apt-get install -y --no-install-recommends   systemd systemd-sysv dbus dbus-user-session
 ---> Using cache
 ---> aeedf31b9ad7
Step 3/4 : COPY docker-entrypoint.sh /
 ---> Using cache
 ---> 1112f4ef88fb
Step 4/4 : ENTRYPOINT ["/docker-entrypoint.sh"]
 ---> Using cache
 ---> f409b08a1374
Successfully built f409b08a1374
Successfully tagged akirodeb10:latest

$ docker run -it  --rm --privileged --workdir /usr -e FOO=hello akirodeb10 bash
Created symlink /etc/systemd/system/systemd-firstboot.service → /dev/null.
Created symlink /etc/systemd/system/systemd-udevd.service → /dev/null.
Created symlink /etc/systemd/system/systemd-modules-load.service → /dev/null.
Created symlink /etc/systemd/system/multi-user.target.wants/docker-entrypoint.service → /etc/systemd/system/docker-entrypoint.service.
/docker-entrypoint.sh: starting /lib/systemd/systemd --show-status=false --unit=docker-entrypoint.target
systemd 241 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
Detected virtualization docker.
Detected architecture x86-64.
Set hostname to <7d40577cb3b7>.
File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
systemd-journald-audit.socket: Failed to create listening socket (audit 1): Operation not permitted
systemd-journald-audit.socket: Failed to listen on sockets: Operation not permitted
systemd-journald-audit.socket: Failed with result 'resources'.
sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
sys-kernel-config.mount: Failed with result 'exit-code'.
sys-kernel-config.mount: Consumed 2ms CPU time.
sys-kernel-debug.mount: Mount process exited, code=exited, status=32/n/a
sys-kernel-debug.mount: Failed with result 'exit-code'.
sys-kernel-debug.mount: Consumed 2ms CPU time.
+ source /etc/docker-entrypoint-cmd
++ bash
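An added preflight helper, not part of containerized-systemd or of the reporter's setup, that an entrypoint could run before exec'ing systemd to report the two things the logs above hinge on: which cgroup layout the container actually sees, and whether a tmpfs can be mounted under /run (the step that failed without --privileged). The function names, probe path and PREFLIGHT_RUN variable are assumptions.

```shell
#!/bin/sh
# Hypothetical preflight for a systemd-in-Docker entrypoint: report why
# "Failed to mount API filesystems" would happen before systemd is started.
set -u

# Classify the cgroup tree under a mount point (default /sys/fs/cgroup):
#   v2     : cgroup.controllers at the root (systemd "unified")
#   hybrid : legacy controllers plus a "unified" subtree
#   v1     : legacy controller directories only
cgroup_mode() {
    root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then
        echo v2
    elif [ -f "$root/unified/cgroup.controllers" ]; then
        echo hybrid
    else
        echo v1
    fi
}

# Try to place a private tmpfs on a path, the operation systemd performs for
# /run and /run/lock. Succeeds (and undoes the mount) only when the container
# holds CAP_SYS_ADMIN and its seccomp/AppArmor profile permits mount(2).
can_mount_tmpfs() {
    dir="$1"
    mkdir -p "$dir" 2>/dev/null || return 1
    if mount -t tmpfs -o size=1m preflight "$dir" 2>/dev/null; then
        umount "$dir" 2>/dev/null
        return 0
    fi
    return 1
}

preflight() {
    echo "preflight: cgroup layout is $(cgroup_mode)"
    probe="/run/.preflight-tmpfs"     # assumed probe path
    if can_mount_tmpfs "$probe"; then
        rmdir "$probe" 2>/dev/null
        echo "preflight: tmpfs mount under /run permitted"
        return 0
    fi
    rmdir "$probe" 2>/dev/null
    echo "preflight: cannot mount tmpfs under /run; systemd will exit as PID 1" >&2
    return 1
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then preflight; fi
```

Running it as `PREFLIGHT_RUN=1 sh preflight.sh` inside the container reproduces the "Operation not permitted" outcome as a single explicit message instead of a systemd emergency exit.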