opencontainers / runc

CLI tool for spawning and running containers according to the OCI specification
https://www.opencontainers.org/
Apache License 2.0

Running systemd with runc #2703

Open pts opened 3 years ago

pts commented 3 years ago

I'm trying to run an Ubuntu 18.04 container with systemd on an Ubuntu 18.04 host system with runc version 1.0.0-rc92. I'm getting errors, and systemd doesn't start up properly. I tried googling for the errors, but nothing useful came up. See also the attached config.json file (config.json.zip). The entire bundle can be downloaded from https://pts.50.hu/ubuntu--18.04.tar.xz

Error message for the 2nd run after the reboot:

systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
Detected architecture x86-64.
Failed to attach 1 to compat systemd cgroup /user.slice/user-1000.slice/user@1000.service/gnome-session.service/co92/init.scope: No such file or directory
Failed to open pin file: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!!!!] Failed to allocate manager object, freezing.
Freezing execution.

Please note that gnome-session is not installed in the container rootfs, it's only installed on the host.

FYI I also asked the question here: https://superuser.com/questions/1607755/systemd-fails-the-2nd-time-it-is-run-from-runc

I need runc because I want the container to use a network namespace which I've already set up.

FYI, it works flawlessly with systemd-nspawn: sudo systemd-nspawn --boot --directory ubuntu--18.04/rootfs --machine co92. I'd like to make the same work with runc.

Is runc able to run systemd? What am I configuring incorrectly?

pts commented 3 years ago

FYI, I was getting similar errors from systemd-nspawn. The solution was: export SYSTEMD_NSPAWN_USE_CGNS=0 and --bind=/sys/fs/cgroup.

pts commented 3 years ago

Is there any other information I should provide?

kolyshkin commented 3 years ago

The reason is systemd inside a container also wants to manage cgroups. I would love to take a look at what it takes to run systemd successfully but currently don't have time.

frasertweedale commented 3 years ago

I am currently investigating this. I have a modified version of runc (https://github.com/frasertweedale/runc/commits/feature/chown-cgroup) that chowns the container's cgroup to the container's uid 0, but I still need to test it in OpenShift.

Another option is to use the systemd transient unit API to specify an alternative owner for the cgroup, but systemd has some quirks that complicate this approach (see https://frasertweedale.github.io/blog-redhat/posts/2021-06-09-systemd-cgroups-subuid.html for more info).

Support for systemd-based workloads in OpenShift (which uses runc) is a critical requirement for my current project (FreeIPA on OpenShift). We can commit engineering resources to assist in solving this problem.

frasertweedale commented 3 years ago

I have this working with a modest change to runc to chown the container's cgroup. I'll do a writeup and a video demo in the coming days, and a pull request.
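The comments above describe the mechanism without showing it: systemd inside the container needs to create and manage cgroups below the container's own cgroup, and on the host that directory is owned by the host's root, so the fix is to hand the container's cgroup to whatever host uid backs the container's uid 0. The script below is an added illustration of that step as a standalone host-side helper; it is not runc's code and not the patch from the linked branch or pull request. It assumes cgroup v2 is mounted at /sys/fs/cgroup, or a hybrid host (such as the Ubuntu 18.04 one in this issue) whose v1 name=systemd hierarchy is at /sys/fs/cgroup/systemd, and that the container's init runs in a user namespace with a uid_map entry for uid 0. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not runc's own code: chown a container's cgroup to the host
# uid that backs the container's uid 0, so that a systemd running as root
# inside the container can create its own subtree (init.scope, *.slice, ...).
#
# Assumptions (not taken from the issue): cgroup v2 at /sys/fs/cgroup, or a
# hybrid host with the v1 name=systemd hierarchy at /sys/fs/cgroup/systemd;
# the container has a user namespace whose uid_map covers uid 0.

# Print the host uid that container uid 0 maps to, given the text of
# /proc/<pid>/uid_map ("<inside-start> <outside-start> <count>" per line).
# Prints nothing when uid 0 is not mapped at all.
host_uid_for_container_root() {
    printf '%s\n' "$1" | awk 'NF == 3 && $1 == 0 && $3 > 0 { print $2; exit }'
}

# Print the unified (cgroup v2) path from /proc/<pid>/cgroup text, i.e. the
# "0::/..." line. Prints nothing on a pure cgroup v1 host.
cgroup_v2_path() {
    printf '%s\n' "$1" | awk -F: '$1 == "0" && $2 == "" { print $3; exit }'
}

# Print the path in the v1 name=systemd hierarchy ("N:name=systemd:/...").
# This is the "compat systemd cgroup" that the error message above refers to.
cgroup_v1_systemd_path() {
    printf '%s\n' "$1" | awk -F: '$2 == "name=systemd" { print $3; exit }'
}

# Resolve the host directory of the container's cgroup from its init pid.
# $1: pid, $2: cgroup mount root (default /sys/fs/cgroup).
# Prefers the v2 path; falls back to the v1 name=systemd hierarchy.
container_cgroup_dir() {
    pid=$1; root=${2:-/sys/fs/cgroup}
    cg=$(cat "/proc/$pid/cgroup") || return 1
    path=$(cgroup_v2_path "$cg")
    if [ -n "$path" ]; then
        printf '%s%s\n' "$root" "$path"
        return 0
    fi
    path=$(cgroup_v1_systemd_path "$cg")
    [ -n "$path" ] || return 1
    printf '%s/systemd%s\n' "$root" "$path"
}

# Chown the container's cgroup, and everything below it, to the host uid
# backing the container's uid 0. Run as root on the host after the
# container's init has been placed in its cgroup and before systemd inside
# it tries to set up its own manager. Refuses to touch anything if uid 0
# is not mapped or the cgroup cannot be located.
chown_container_cgroup() {
    pid=$1
    uid=$(host_uid_for_container_root "$(cat "/proc/$pid/uid_map")")
    if [ -z "$uid" ]; then
        echo "pid $pid: container uid 0 is not mapped" >&2
        return 1
    fi
    dir=$(container_cgroup_dir "$pid" "$2") || {
        echo "pid $pid: cannot determine cgroup directory" >&2
        return 1
    }
    chown -R "$uid" "$dir"
}

# Usage: chown_cgroup.sh <container-init-pid> [cgroup-mount-root]
if [ "$#" -gt 0 ]; then
    chown_container_cgroup "$@"
fi
```

The ownership change only helps a systemd that runs as the container's root and has /sys/fs/cgroup visible and writable from inside the container; without a user namespace, uid 0 inside is uid 0 outside and the chown is a no-op, and on a hybrid host systemd will also want the same delegation in the v1 controller hierarchies it touches. Doing this from outside the container, as runc would at create time, is what keeps the host root from needing to be granted inside the container.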

frasertweedale commented 3 years ago

Pull request: https://github.com/opencontainers/runc/pull/3057