Closed free2k closed 3 years ago
Hi @free2k - thanks for raising. A few questions: `crawler` image? `runc`?

Hi @free2k - you seem to be trying to run systemctl inside an un-priv container - containers don't run with an init system, so I'd not expect this to normally work :-)
https://forums.docker.com/t/systemctl-status-is-not-working-in-my-docker-container/9075
Is the `-v /sys/fs/cgroup:/sys/fs/cgroup:ro` on your command line maybe a docker hack to try and allow systemctl to access the host system?
What are you actually trying to achieve here? It feels like maybe you are trying to do some sort of docker privileged container access to the host.
/cc @amshinde for any thoughts around that mount etc.
Hi @jodh-intel
```dockerfile
FROM centos:7
ENV container docker
MAINTAINER The CentOS Project <cloud-ops@centos.org>
# Strip the units that make no sense in a container, keeping only
# systemd-tmpfiles-setup.service from sysinit.target (the CentOS systemd base image recipe).
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
    echo "nameserver 114.114.114.114" > /etc/resolv.conf; \
    yum update -y; \
    cat /etc/resolv.conf; \
    rm -f /lib/systemd/system/multi-user.target.wants/*; \
    rm -f /etc/systemd/system/*.wants/*; \
    rm -f /lib/systemd/system/local-fs.target.wants/*; \
    rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
    rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
    rm -f /lib/systemd/system/basic.target.wants/*; \
    rm -f /lib/systemd/system/anaconda.target.wants/*; \
    yum install -y rp-pppoe vim net-tools less wget crontabs traceroute openssh-server openssh-clients javapackages-tools java-1.8.0-openjdk-devel.x86_64; \
    sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config; \
    systemctl enable sshd; \
    rpm -qa | grep java | grep -v javapackages | xargs rpm -e --nodeps; \
    yum clean all; \
    rm -f /usr/lib/systemd/system/sysinit.target.wants/systemd-udev-trigger.service; \
    rm -f /usr/lib/systemd/system/sysinit.target.wants/systemd-udevd.service
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]
```
```sh
docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /var/run:/var/run --name kata-test --cpus 2 --memory 2G -itd crawler:v2
```
Hi @grahamwhaley, thank you for your answer. I want systemd to start as the first process. Does kata support the `--privileged=true` parameter? I am very confused about this.
Ah, right @free2k - I see, you want systemd inside the container. A question: I think the answer might be 'no', but when you are using runc, you need to allow the container access to the host cgroup volume so you can run systemd?
For Kata, we might have to do something different here - as Kata is running its own kernel inside a VM, what you probably would want is the container to have access to the cgroup volume of the VM kernel, and not the actual host system itself. I don't think we have a way to allow that today with Kata though.
For 'does kata support --privileged' - in our Limitations document we say 'no', but, I think that is not the whole story. afaik, kata does not support some host resource sharing. @amshinde , were you in the process of clarifying that in the Limitations document?
I'm not sure if we can support running systemd in the container right now, but would like to hear from @amshinde and @devimc at least. I think this is an interesting question :-) /cc @sboeuf @gnawux
In fact, I can run systemd in kata through some methods, although this method looks very bad. Because systemd's failure to start is related to dbus, I share the host's /run directory directly with the kata virtual machine. This way I can start systemd in the kata virtual machine. I don't understand dbus well enough, but I think if the kata virtual machine has an independent dbus, that will solve this problem, instead of relying on the dbus of the host. @grahamwhaley
@free2k I tried reproducing your issue with the Dockerfile contents you provided, but was not able to build it due to some errors in there. So I used the Dockerfile under "Dockerfile for systemd base image" at https://hub.docker.com/_/centos.
After building the image I was not able to run systemctl even with a runc container!
@jodh-intel @grahamwhaley Can you try running the container with runc to confirm, I want to know if I am missing something.
I have also posted the image to dockerhub under my account: https://hub.docker.com/r/amshinde/centos-systemd.
Following that, I did follow the example posted on the centos docker page regarding a systemd-enabled app container:

```dockerfile
FROM local/c7-systemd
RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
EXPOSE 80
CMD ["/usr/sbin/init"]
```

Running that with

```sh
sudo docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /tmp/$(mktemp -d):/run -p 80:80 local/c7-systemd-httpd
```

worked for me with runc and kata as well. I was able to access the web page on port 80 of localhost with kata.
> For 'does kata support --privileged' - in our Limitations document we say 'no', but, I think that is not the whole story. afaik, kata does not support some host resource sharing. @amshinde , were you in the process of clarifying that in the Limitations document?
@grahamwhaley Done :) I have raised a PR for this. @free2k Take a look at this : https://github.com/kata-containers/documentation/pull/408
@grahamwhaley For '/sys/fs/cgroup', we pass the guest side mount in case of system volumes, as it does not make sense to pass the host side volume. I am going to document this as well :)
@amshinde Thank you for your answer. I have uploaded the image to the docker hub: https://cloud.docker.com/repository/registry-1.docker.io/free2k/repository. You can use the following command to reproduce this problem.
```sh
docker run --runtime kata-runtime -v /sys/fs/cgroup:/sys/fs/cgroup:ro --name kata-test --cpus 2 --memory 2G -itd free2k/repository:v1
```

But if you drop the `--runtime kata-runtime` parameter, you can successfully run systemd.
@free2k It's interesting, I am getting the same error with both kata and runc.
I was able to resolve it by adding the flags `--tmpfs /run --tmpfs /run/lock` to the run command.
My environment is different though; I see that you are running an old version of docker.
I would recommend you update your docker version if possible:
https://github.com/kata-containers/runtime/blob/master/versions.yaml#L208
For older versions of docker, you may need to add the flag `--security-opt seccomp=unconfined` to your docker run command.
@free2k can you try your setup with footloose containers? That may help:

```sh
docker run --runtime=kata -d --mount type=tmpfs,destination=/run --mount type=tmpfs,destination=/run/lock --mount type=tmpfs,destination=/tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro quay.io/footloose/fedora29:latest /sbin/init
```
@free2k, could you please check `mount -l | grep cgroup | grep systemd` to see if the mount is rw, since systemd needs to write to the cgroup hierarchy.
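The two things the replies above ask for (a writable systemd cgroup hierarchy, and tmpfs on `/run` and `/run/lock`) can be checked mechanically before handing PID 1 to `/usr/sbin/init`. The script below is an added example written for this page; it is not code from the thread, from Kata Containers or from the CentOS image. It reads a mount table in `/proc/self/mounts` format so it can be run against a captured table as well as the live one, and it goes slightly beyond the thread by also recognising a cgroup2 mount at `/sys/fs/cgroup`. The function names, return codes and both sample tables are this example's own constructions, not output captured from the reporter's system.

```sh
#!/bin/sh
# Added example (not code from the kata-containers thread or project):
# pre-flight checks for running systemd as PID 1 in a container, driven by a
# mount table in /proc/self/mounts format (device mountpoint fstype options dump pass).
# Function names, return codes and the sample tables below are this example's own.

# Print the options of the systemd cgroup hierarchy: a cgroup v1 mount with
# "name=systemd" in its options, or a cgroup2 mount at /sys/fs/cgroup.
# Exit status: 0 = mounted rw, 1 = mounted ro, 2 = no such mount.
systemd_cgroup_mode() {
    opts=$(printf '%s\n' "$1" | awk '
        ($3 == "cgroup" && ("," $4 ",") ~ /,name=systemd,/) ||
        ($3 == "cgroup2" && $2 == "/sys/fs/cgroup") { print $4; exit }')
    [ -n "$opts" ] || { echo "missing"; return 2; }
    case ",$opts," in
        *,rw,*) echo "rw"; return 0 ;;
        *)      echo "ro"; return 1 ;;
    esac
}

# Exit 0 if mountpoint $2 is a tmpfs in table $1 (what --tmpfs /run gives you).
is_tmpfs() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == mp && $3 == "tmpfs" { found = 1 } END { exit found ? 0 : 1 }'
}

# Run all checks against table $1; print one line per check and return the
# number of failed checks (0 means the table looks usable for /usr/sbin/init).
systemd_preflight() {
    failures=0
    systemd_cgroup_mode "$1" >/dev/null && rc=0 || rc=$?
    case $rc in
        0) echo "ok:   systemd cgroup hierarchy is rw" ;;
        1) echo "FAIL: systemd cgroup hierarchy is ro (systemd must create cgroups under it)"
           failures=$((failures + 1)) ;;
        *) echo "FAIL: no systemd cgroup hierarchy in the mount table"
           failures=$((failures + 1)) ;;
    esac
    for mp in /run /run/lock; do
        if is_tmpfs "$1" "$mp"; then
            echo "ok:   $mp is a tmpfs"
        else
            echo "FAIL: $mp is not a tmpfs (add --tmpfs $mp to docker run)"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Constructed sample tables (not captured from a real system).
# Sample 1: only -v /sys/fs/cgroup:/sys/fs/cgroup:ro, nothing mounted on /run.
SAMPLE_BAD=$(cat <<'EOF'
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup ro,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0
EOF
)
# Sample 2: systemd hierarchy writable plus --tmpfs /run --tmpfs /run/lock.
SAMPLE_GOOD=$(cat <<'EOF'
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
)

echo "== sample 1: cgroup :ro only =="
systemd_preflight "$SAMPLE_BAD" || echo "=> $? check(s) failed"
echo "== sample 2: rw hierarchy + tmpfs /run, /run/lock =="
systemd_preflight "$SAMPLE_GOOD" && echo "=> ready for /usr/sbin/init"
# Against a live container: systemd_preflight "$(cat /proc/self/mounts)"
```

Whether the `:ro` on the top-level bind mount actually propagates to the `/sys/fs/cgroup/systemd` submount depends on the Docker version and cgroup layout, which is exactly why the reply above asks for the live `mount -l` output rather than assuming. Inside a Kata container the table you see is the guest VM's, consistent with the earlier remark that `/sys/fs/cgroup` is passed from the guest side, so run the check from inside the container, not on the host.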
Description of problem
Expected result
Can successfully run systemd
Actual result
Failed to get D-Bus connection: Operation not permitted
Meta details
Running kata-collect-data.sh version 1.6.0-rc1 (commit 9f8d4e1) at 2019-03-21.15:00:00.853126502+0800. Runtime is /usr/bin/kata-runtime.
kata-env: Output of "/usr/bin/kata-runtime kata-env":
Runtime config files
Runtime default config files
Runtime config file contents
Config file /etc/kata-containers/configuration.toml not found. Output of "cat /usr/share/defaults/kata-containers/configuration.toml":
KSM throttler version: Output of "/usr/libexec/kata-ksm-throttler/kata-ksm-throttler --version":
Output of "/usr/lib/systemd/system/kata-ksm-throttler.service --version":
systemd service
Image details
Initrd details: No initrd
Logfiles
Runtime logs: Recent runtime problems found in system journal:
Proxy logs: Recent proxy problems found in system journal:
Shim logs: Recent shim problems found in system journal:
Throttler logs: No recent throttler problems found in system journal.
Container manager details
Have docker. Output of "docker version":
Output of "docker info":
Output of "systemctl show docker":
No kubectl
Packages
Have dpkg. Output of "dpkg -l|egrep "(cc-oci-runtimecc-runtimerunv|kata-proxy|kata-runtime|kata-shim|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"":
Have rpm. Output of "rpm -qa|egrep "(cc-oci-runtimecc-runtimerunv|kata-proxy|kata-runtime|kata-shim|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"":