Bug 1392526

Summary: Systemd in Docker container needs too much privilege
Product: Red Hat Enterprise Linux 7
Reporter: Antoine TRAN <antoine.tran>
Component: systemd
Assignee: systemd-maint
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.2
CC: antoine.tran, bblaskov, jsynacek, systemd-maint-list
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1563025 (view as bug list)
Environment:
Last Closed: 2017-08-03 07:49:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1563025

Description Antoine TRAN 2016-11-07 16:51:54 UTC
Description of problem:
The systemd component in a Docker container, such as centos:7, needs too much privilege (either docker run --privileged ... or docker run --cap-add SYS_ADMIN ...).

Version-Release number of selected component (if applicable):
19.el7_2.13

How reproducible:
Follow the "Systemd integration" chapter of https://hub.docker.com/_/centos/, as an attempt to run httpd with systemd. The steps are below.

Steps to Reproduce:
1. Create the file Dockerfile with this content:
FROM centos:7
MAINTAINER "you" <your>
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
EXPOSE 80
2. docker build --rm -t local/c7-systemd-httpd .
3. docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd

Actual results:
[!!!!!!] Failed to mount API filesystems, freezing.
And then nothing happens; it freezes.

Expected results:
[  OK  ] Reached target Paths.
[  OK  ] Reached target Local File Systems.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice System Slice.
[  OK  ] Listening on Journal Socket.
         Starting Create Volatile Files and Directories...
...
[  OK  ] Reached target Multi-User System.


Additional info:
With these commands:
docker run -ti --cap-add SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
docker run -ti --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
We have the expected result.
Using docker-engine 1.12.2 and CentOS 7.2.1511.

When using systemd just to start one service in a container, we should not have to enable so much privilege just for systemd.
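The report's point is that getting systemd past its API-filesystem mounts means granting CAP_SYS_ADMIN or --privileged, which widens the container's reach far beyond one httpd service. As an added example (not part of the bug report or of the CentOS image), the following Python checks both what an operator granted (the HostConfig part of `docker inspect` output) and what PID 1 inside the container actually holds (the CapEff line of /proc/1/status); every input below is constructed to mirror the three docker run commands above, not captured from the reporter's system.

```python
# Capability bit numbers from linux/capability.h (only the ones reported on here).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4,
    "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_RAW": 13, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27, "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}

def caps_from_status(status_text):
    """Decode the CapEff hex mask of a /proc/<pid>/status file into capability names."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return sorted(name for name, bit in CAP_BITS.items() if mask >> bit & 1)
    raise ValueError("no CapEff line in status text")

def audit_host_config(host_config):
    """Return findings for the settings in a docker inspect HostConfig dict that widen reach."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("Privileged: all capabilities, host devices, no seccomp/AppArmor confinement")
    for cap in host_config.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) == "SYS_ADMIN":
            findings.append("CapAdd SYS_ADMIN: mount(2) and most other kernel admin operations")
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")  # "src:dst[:mode]"; mode defaults to rw
        mode = parts[2] if len(parts) > 2 else "rw"
        if parts[0].startswith("/sys/fs/cgroup") and mode != "ro":
            findings.append("cgroup tree bind-mounted read-write: container can edit host cgroups")
    return findings

# Constructed HostConfig fragments matching the three `docker run` lines in the report.
CGROUP_RO = ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]
RUNS = {
    "plain": {"Privileged": False, "CapAdd": None, "Binds": CGROUP_RO},
    "sys_admin": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "Binds": CGROUP_RO},
    "privileged": {"Privileged": True, "CapAdd": None, "Binds": CGROUP_RO},
}
# Constructed /proc/1/status excerpts: Docker's default capability set, and the same set plus bit 21.
STATUS_DEFAULT = "Name:\tsystemd\nCapEff:\t00000000a80425fb\n"
STATUS_SYS_ADMIN = "Name:\tsystemd\nCapEff:\t00000000a82425fb\n"

if __name__ == "__main__":
    for name, cfg in RUNS.items():
        print(name, audit_host_config(cfg) or ["no privilege findings"])
    for label, text in (("default", STATUS_DEFAULT), ("with SYS_ADMIN", STATUS_SYS_ADMIN)):
        print(label, "CAP_SYS_ADMIN" in caps_from_status(text))
```

On a live host the same functions take `docker inspect -f '{{json .HostConfig}}' <container>` parsed with json.loads, and `docker exec <container> cat /proc/1/status`.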

Comment 1 Antoine TRAN 2016-11-07 16:53:42 UTC
A bug report was previously filed at https://github.com/CentOS/sig-cloud-instance-images/issues/54 . Then someone sent me here.

Comment 2 Lukáš Nykrýn 2016-11-08 08:14:28 UTC
I would guess that systemd is trying to mount /run, because it wants to have it on tmpfs. Try to use "-v /run".

Comment 3 Antoine TRAN 2016-11-08 09:02:35 UTC
docker run -ti -v /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
gives
[!!!!!!] Failed to mount API filesystems, freezing.
Deleting the container gives
Error response from daemon: devmapper: Unknown device 3ba40886392a40ad357a0f930f47814d95db573e2eaa809ac2d3335038c10d65

This latter message does not appear without -v /run.

With -v /run:/run, or --tmpfs /run --tmpfs /var --tmpfs /var/run, I have the same error.

Comment 5 Jan Synacek 2016-11-09 11:11:08 UTC
Why is this a bug in systemd?

Comment 6 Antoine TRAN 2016-11-09 13:15:02 UTC
Although systemd works in normal Linux distribution, it does not work in restricted environment (like docker).

Comment 8 Jan Synacek 2017-08-03 07:49:42 UTC
This is no longer reproducible with docker-1.12.6-48.git0fdc778.el7.x86_64 and systemd-219-42.el7.x86_64.

Fixed in RHEL-7.4.