AkihiroSuda / containerized-systemd

Dockerfile examples for containerized systemd (mainly for test environments)
https://github.com/moby/moby/pull/40493
Apache License 2.0
122 stars 20 forks

systemd with --privileged #5

Closed cpuguy83 closed 4 years ago

cpuguy83 commented 4 years ago

Noticed your hack script uses systemd with --privileged. When doing so, systemd likes to change some things on the host.

Running systemd+dind I have had luck with:

        --security-opt seccomp:unconfined \
        --security-opt apparmor:unconfined \
        --security-opt label:disabled \
        --cap-add SYS_ADMIN \
        --cap-add NET_ADMIN \
        -e container=docker \
        --tmpfs /tmp \
        --tmpfs /run \
        --tmpfs /run/lock \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro

There doesn't seem like there's any disruptive changes on the host with this configuration.

AkihiroSuda commented 4 years ago

SYS_ADMIN can escalate to --privileged easily.

AkihiroSuda commented 4 years ago

> When doing so, systemd likes to change some things on the host.

Could you be more specific? What is the actual issue?

cpuguy83 commented 4 years ago

The issue is that when just running systemd, presumably with a writable /proc, systemd will assume it is PID 1 of the host and do some things... I've observed:

  1. Changes hostname (of the host)
  2. My GUI login screen is changed to a terminal

I don't know what else might be happening.

AkihiroSuda commented 4 years ago

reproducer?

cpuguy83 commented 4 years ago

https://youtu.be/uHWysJMf9fM

AkihiroSuda commented 4 years ago

The movie doesn't seem to be using the scripts in this repo.

cpuguy83 commented 4 years ago

I'm making a point about using systemd with --privileged

AkihiroSuda commented 4 years ago

I confirmed the issue happens with your Dockerfile:

    FROM ubuntu:18.04
    RUN apt-get update && apt-get install -y systemd
    STOPSIGNAL RTMIN+3
    ENTRYPOINT ["/sbin/init"]

However, I'm not hitting the issue with the scripts in this repo @ 6ced78a9df65c13399ef1ce41c0bedc194d7cff6 . (Dockerfile.ubuntu-20.04). My host is Ubuntu 20.04.

AkihiroSuda commented 4 years ago

RUN systemctl mask getty@tty1.service seems to be the solution for your Dockerfile.

Probably related to /dev/console rather than /proc stuff.
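The two pieces of this thread, the non-privileged flag set from the first comment and the `getty@tty1.service` mask suggested above, put together as one added example script (not code from this repo or from either commenter). It writes the reproducer Dockerfile with the mask applied, runs the image without `--privileged` so the host's /dev is not mounted in, and snapshots the host's hostname and tty1 owner before and after so any side effect on the host shows up as a diff. It assumes Docker is installed; the image tag and container name are constructed values, and the `--security-opt` values are written in the `key=value` spelling the Docker docs use.

```shell
#!/bin/sh
# Added example (not from the containerized-systemd repo): build the thread's
# reproducer Dockerfile with getty@tty1.service masked, run it with the
# non-privileged flag set instead of --privileged, and check that host state
# systemd must not touch (hostname, console owner) is unchanged afterwards.
set -eu

IMAGE="${IMAGE:-systemd-test:local}"   # constructed image tag
NAME="${NAME:-systemd-test}"           # constructed container name

# The reproducer Dockerfile from the thread plus the getty@tty1 mask, so
# systemd never spawns a getty on a console that could be the host's.
write_dockerfile() {
    cat <<'EOF'
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y systemd
RUN systemctl mask getty@tty1.service
STOPSIGNAL RTMIN+3
ENTRYPOINT ["/sbin/init"]
EOF
}

# docker run options from the thread, one argument per line. No --privileged,
# so the host's /dev (and /dev/console) is not mounted into the container.
systemd_run_opts() {
    printf '%s\n' \
        --security-opt seccomp=unconfined \
        --security-opt apparmor=unconfined \
        --security-opt label=disable \
        --cap-add SYS_ADMIN \
        --cap-add NET_ADMIN \
        -e container=docker \
        --tmpfs /tmp \
        --tmpfs /run \
        --tmpfs /run/lock \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro
}

# Host state the container must not alter: hostname and the process that owns
# tty1 (empty when nothing is attached). Taken before and after the run.
host_snapshot() {
    hostname
    ps -o comm= -t tty1 2>/dev/null | head -n 1 || true
}

# Returns 0 when two snapshots are identical, 1 when the host drifted.
snapshot_unchanged() {
    [ "$1" = "$2" ]
}

main() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 2; }
    before=$(host_snapshot)
    tmp=$(mktemp -d)
    write_dockerfile > "$tmp/Dockerfile"
    docker build -t "$IMAGE" "$tmp"
    # shellcheck disable=SC2046  (word splitting of the option list is intended)
    docker run -d --name "$NAME" $(systemd_run_opts) "$IMAGE"
    # give systemd time to reach its target, then tear the container down
    docker exec "$NAME" systemctl is-system-running --wait || true
    docker rm -f "$NAME"
    after=$(host_snapshot)
    if snapshot_unchanged "$before" "$after"; then
        echo "host unchanged"
    else
        echo "host state drifted:" >&2
        printf 'before:\n%s\nafter:\n%s\n' "$before" "$after" >&2
        return 1
    fi
}

# Only build and run containers when explicitly asked to.
if [ "${RUN_SYSTEMD_CHECK:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_SYSTEMD_CHECK=1 sh check-systemd.sh` on a Docker host; a non-zero exit with a before/after diff means the container changed something on the host, which is exactly the symptom the thread describes. If a host needs the `--privileged` path anyway, the same snapshot comparison applies unchanged to that invocation.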

AkihiroSuda commented 4 years ago

Yet another solution is --security-opt privileged-without-host-devices: https://github.com/moby/moby/pull/39702 https://github.com/docker/cli/pull/2037

cpuguy83 commented 4 years ago

Ah yes, forgot we mount host dev in....