Puppet-Agent running in docker can't manage host systemd services

seancharlton commented 6 months ago

Describe the Bug

The puppet-agent ( https://hub.docker.com/r/puppet/puppet-agent ), running in a docker-container, can't manage the hosts systemd services like a native puppet-agent can.

I'm running the puppet-agent like the Overview Page on Docker Hub docker run --rm --privileged --hostname agent -v /tmp:/tmp -v /etc:/etc -v /var:/var -v /usr:/usr -v /lib64:/lib64 puppet/puppet-agent-ubuntu

Hope there is a way to get this working.

Expected Behavior

Puppet-Agent running in container behaves like the native running binary.

Steps to Reproduce

Steps to reproduce the behavior:

Start the puppet-agent with the command from the hub.docker.com page docker run --rm --privileged --hostname agent -v /tmp:/tmp -v /etc:/etc -v /var:/var -v /usr:/usr -v /lib64:/lib64 puppet/puppet-agent-ubuntu
Jump imto the container docker exec -ti <name_of_container> bash
Create a small test .pp ( vi ) service { 'chrony': ensure => 'stopped', enable => true, provider => 'systemd', }
Apply the .pp file puppet apply ./init.pp ... Notice: Compiled catalog for agent in environment production in 0.01 seconds Error: /Stage[main]/Main/Service[chrony]: Provider systemd is not functional on this host

Environment

Puppet-Agent Version 7.20 ( Docker-Image https://hub.docker.com/layers/puppet/puppet-agent/7.20.0/images/sha256-9223a40ef490ae331b41ff36edaaba3470caf02e984b4bf107c4184b99a32f0a?context=explore )
Host: Fedora CoreOS 39

Additional Context

Docker Container systemctl output: System has not been booted with systemd as init system (PID 1). Can't operate. Failed to connect to bus: Host is down
Puppet-Agent Error Output: Error: /Stage[main]/Main/Service[chrony]: Provider systemd is not functional on this host

joshcooper commented 5 months ago

@seancharlton can you provide more context about why you're running puppet agents in docker containers? Are you running puppet in a Dockerfile when building the image? Or are you managing the running docker container using puppet?

seancharlton commented 5 months ago

@joshcooper It's a internal policy with a new batch of systems. Those Systems use Fedora CoreOS as their host system and every application on it has to be run in a Container. Every container on the Fedora CoreOS System is managed via systemd service file. ( Example: https://docs.fedoraproject.org/en-US/fedora-coreos/running-containers/ )

The puppet-agent in the container is used to managed the Fedora CoreOS System itself and all the systemd services files.

Since there is a puppet-agent docker image and the documentation mentioned Fedora CoreOS, I believed that all puppet ressource type would work out of the box.

joshcooper commented 5 months ago

Generally speaking trying to manage the host OS from inside a docker container is going to be an uphill battle and not something we recommend or support so I'm going to close this. You might be able to get something working, but ultimately you're going to have to work around all of the security layers that docker has to prevent a container from taking over the host OS.

binford2k commented 5 months ago

the linked docs page describes how to start/stop containers with their service files, like systemctl start <container name>. It doesn't say that the containers themselves have systemd. You can use Puppet's service resource on the host to manage a containerized service.

puppetlabs / puppet-agent