Closed cpuguy83 closed 4 years ago
`SYS_ADMIN` can escalate to `--privileged` easily. When doing so, systemd likes to change some things on the host.
Could you be more specific? What is the actual issue?
The issue is that just running systemd, presumably with writable /proc, systemd will assume it is PID 1 of the host and do some things... I've observed:
I don't know what else might be happening.
reproducer?
The movie doesn't seem to be using scripts in this repo.
I'm making a point about using systemd with `--privileged`.
I confirmed the issue happens with your Dockerfile:
```dockerfile
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y systemd
STOPSIGNAL RTMIN+3
ENTRYPOINT ["/sbin/init"]
```
However, I'm not hitting the issue with the scripts in this repo @ 6ced78a9df65c13399ef1ce41c0bedc194d7cff6 (Dockerfile.ubuntu-20.04).
My host is Ubuntu 20.04.
```dockerfile
RUN systemctl mask getty@tty1.service
```
seems to be the solution for your Dockerfile.
Probably related to /dev/console rather than /proc stuff.
Yet another solution is `--security-opt privileged-without-host-devices`: https://github.com/moby/moby/pull/39702 https://github.com/docker/cli/pull/2037
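An added example, not from this thread or the repo it discusses: a small POSIX shell check that flags a Dockerfile booting systemd as PID 1 without the `getty@tty1.service` mask mentioned above, and that inserts the mask line mechanically. The function names, the regexes and the two sample Dockerfiles are my own constructions; the Dockerfiles only reproduce the reproducer above, with and without the mask line.

```shell
#!/bin/sh
# Added example (not from the issue thread). A lint for Dockerfiles that start
# systemd as PID 1: with --privileged the host's /dev is mounted into the
# container, so an unmasked getty@tty1.service can attach to the host console.
# Assumption: systemd is started via ENTRYPOINT/CMD with /sbin/init or systemd,
# and masking is done by a literal "systemctl mask getty@tty1.service" RUN line.

# Sample input (constructed): the reproducer Dockerfile from the thread.
UNMASKED_DOCKERFILE='FROM ubuntu:18.04
RUN apt-get update && apt-get install -y systemd
STOPSIGNAL RTMIN+3
ENTRYPOINT ["/sbin/init"]'

# Sample input (constructed): the same image with getty@tty1 masked.
MASKED_DOCKERFILE='FROM ubuntu:18.04
RUN apt-get update && apt-get install -y systemd
RUN systemctl mask getty@tty1.service
STOPSIGNAL RTMIN+3
ENTRYPOINT ["/sbin/init"]'

# boots_systemd DOCKERFILE_TEXT -> exit 0 if ENTRYPOINT/CMD starts init/systemd
boots_systemd() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*(ENTRYPOINT|CMD)[[:space:]].*(/sbin/init|systemd)'
}

# masks_getty DOCKERFILE_TEXT -> exit 0 if a RUN line masks getty@tty1.service
masks_getty() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*RUN[[:space:]].*systemctl[[:space:]]+mask[[:space:]]+.*getty@tty1\.service'
}

# check_dockerfile DOCKERFILE_TEXT -> prints exactly one word:
#   ok           - image does not boot systemd, nothing to check
#   masked       - boots systemd and masks getty@tty1
#   host-console - boots systemd without the mask; under --privileged
#                  (host /dev mounted) getty may take over the host's tty1
check_dockerfile() {
    if ! boots_systemd "$1"; then
        echo ok
    elif masks_getty "$1"; then
        echo masked
    else
        echo host-console
    fi
}

# harden_dockerfile DOCKERFILE_TEXT -> same Dockerfile with the mask line
# inserted before the first STOPSIGNAL/ENTRYPOINT/CMD line (appended if none).
harden_dockerfile() {
    printf '%s\n' "$1" | awk '
        !done && /^[ \t]*(STOPSIGNAL|ENTRYPOINT|CMD)[ \t]/ {
            print "RUN systemctl mask getty@tty1.service"; done = 1
        }
        { print }
        END { if (!done) print "RUN systemctl mask getty@tty1.service" }'
}

# Demo: the reproducer is flagged, the masked variant and a hardened copy pass.
echo "reproducer: $(check_dockerfile "$UNMASKED_DOCKERFILE")"
echo "masked:     $(check_dockerfile "$MASKED_DOCKERFILE")"
echo "hardened:   $(check_dockerfile "$(harden_dockerfile "$UNMASKED_DOCKERFILE")")"
```

Run it as `sh check.sh`, or feed a real file with `check_dockerfile "$(cat Dockerfile)"`. The check is deliberately syntactic: it tells you whether the image carries the mitigation, not whether the container will actually be run with `--privileged`, which is decided at `docker run` time and must be audited separately.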
Ah yes, forgot we mount host dev in....
Noticed your hack script uses systemd with `--privileged`. When doing so, systemd likes to change some things on the host. Running systemd+dind I have had luck with:
There don't seem to be any disruptive changes on the host with this configuration.