Home / server / Questions / 607769
Accepted
Michael Neale
Asked: 2014-06-26 01:26:59 +0800 CST

Running systemd inside a docker container (arch linux)

  • 772

I am trying to see if I can run systemd inside a docker container (which is running arch linux in the container).

I start docker with all capabilities, and bind mount in cgroups: 

docker run -it --rm --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro ..

however, if I try to run the systemd binary: 

Trying to run as user instance, but the system has not been booted with systemd.

Trying to find out how to init things correctly to systemd starts.

arch-linux

7 Answers

  1. Here my master pice :D running systemd inside a docker container with ubuntu :D I Got Ubuntu working with systemd inside docker

    GitHub Repo for my docker-systemd container

    $ docker run -it --cap-add SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro dockerimages/docker-systemd

    Output:

    systemd 218 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN)
Detected virtualization 'docker'.
Detected architecture 'x86-64'.

Welcome to Ubuntu Vivid Vervet (development branch)!

Set hostname to <502ec40509a5>.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice System Slice.
         Starting Emergency Shell...
[  OK  ] Started Emergency Shell.
Startup finished in 5ms.
Welcome to emergency mode! After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to
try again to boot into default mode.
root@502ec40509a5:~# exit

    Update 2021

    A lot of Patches got Submitted to diffrent Projects like the docker upstream repos by REDHAT. To be More clear my frind David Walsh @ REDHAT did also post a lot about that. https://developers.redhat.com/blog/author/rhatdan/.

    Running SystemD Without additional Privileges requires

    /run as a tmpfs. /sys/fs/cgroup read/only. /sys/fs/cgroup/systemd read/write. /etc/machine-id Needs to Contain a Uniqe MachineID SIGRTMIN+3 as stopsignal as sigterm will not work /var/log/journal If it does not exist it will write to memory

    docker run -d \ 
    --tmpfs /tmp \
    --tmpfs /run \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --stop-signal SIGRTMIN+3 \
    httpd /sbin/init

    Note: The Stopsignal flag can be droped when your dockerfile contains STOPSIGNAL SIGRTMIN+3

    See the full Post. https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/

    Note: Today with Podman this would be even more simple read about it here: https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/

    • 5

  2. To run systemd in a Docker container, the host system must also run systemd. This means you cannot use Ubuntu < 16.04 as the host.

    • 4

  3. Currently systemd does not run correctly within a docker container, due to a whole set of reasons, i.e. the lack of the correct privileges. You can read up on that in a variety of github issues on the docker project like running systemd inside docker arch container hangs or segfaults and related issues regarding init/process monitoring. (I would like to link more issues here, but I can't as I apparently don't have enough reputation).

    As you can see, this is a topic that is currently being worked on and a few patches have been merged already to improve behavior, so that we can expect this to work quite soon.

    Apparently some developers already managed to get it to run on fedora systems, as they have documented in their blog.

    • 3
  4. Best Answer

    I was able to work backwards from this: https://registry.hub.docker.com/u/codekoala/arch/

    Docker 1.1 makes this easier as groups (ro) is already provided in containers - I still currently need priv access so it can create PrivateTmp mounts, but otherwise, as long as you specify the cmd to run as the systemd binary - it works nicely.

    • 1

  5. You can run systemd inside a docker container. The host OS doesn't matter, although you will need to mount the host's /sys/fs/cgroup volume. I got it to work following this guide: http://developerblog.redhat.com/2014/05/05/running-systemd-within-docker-container/

    • 1

  6. Found this question while trying to do this in the debian:8 official container. For anyone else trying to do this on the official debian:8 (debian:jessie) container, @Frank-from-DSPEED's answer works with a slight modification as described in an older git hub post:

    docker run -d \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --cap-add SYS_ADMIN \
    debian:jessie  /sbin/init
docker exec -it <your-new-container-name-or-ID> bash

    Then from in the container:

    systemctl show-environment

    This works perfectly for me and since this is only a development environment, the security issue does not matter to me.

    Note: The /sbin/init command gets /sbin/init to be Process 1, which is a key part of making this work.

    • 1

  7. As of 2018, this now works for me: docker run -it -e container=docker your-image-name /sbin/init

    This won't give you a shell, however, so you will need to first enable some systemd service (e.g. sshd) inside the image if that hasn't already been done, to do anything useful.

    • 1