
Bug 1392526

Summary: Systemd in Docker container needs too much privilege
Product: Red Hat Enterprise Linux 7
Reporter: Antoine TRAN <antoine.tran>
Component: systemd
Assignee: systemd-maint
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.2
CC: antoine.tran, bblaskov, jsynacek, systemd-maint-list
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1563025
Environment:
Last Closed: 2017-08-03 07:49:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1563025

Description Antoine TRAN 2016-11-07 16:51:54 UTC
Description of problem:
The systemd component in a Docker container, such as centos:7, needs too much privilege (either docker run --privileged ... or docker run --cap-add SYS_ADMIN ...).

Version-Release number of selected component (if applicable):
19.el7_2.13

How reproducible:
Follow https://hub.docker.com/_/centos/ chapter "Systemd integration", as an attempt to run httpd with systemd. Here are the steps below.

Steps to Reproduce:
1. Create the file Dockerfile with this content:
FROM centos:7
MAINTAINER "you" <your>
# Tell systemd it is running inside a container
ENV container docker
# Remove the units that only make sense on a real host (udev, initctl, anaconda, ...),
# keeping only systemd-tmpfiles-setup.service in sysinit.target.wants
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*
# The host's cgroup tree is expected to be bind-mounted (read-only) here at run time
VOLUME [ "/sys/fs/cgroup" ]
# Install httpd and enable its unit so systemd starts it at boot
RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
EXPOSE 80
# systemd is PID 1 in the container
CMD ["/usr/sbin/init"]
2. docker build --rm -t local/c7-systemd-httpd .
3. docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd

Actual results:
[!!!!!!] Failed to mount API filesystems, freezing.
And then nothing happens; it freezes.

Expected results:
[  OK  ] Reached target Paths.
[  OK  ] Reached target Local File Systems.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice System Slice.
[  OK  ] Listening on Journal Socket.
         Starting Create Volatile Files and Directories...
...
[  OK  ] Reached target Multi-User System.


Additional info:
With these commands:
docker run -ti --cap-add SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
docker run -ti --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
We have the expected result.
Using docker-engine 1.12.2 and CentOs 7.2.1511.

When using systemd just to start one service in a container, we should not enable too much priviledge just for systemd.
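
The privilege trade-off the report describes (a container that only needs to run httpd, but must be started with --privileged or --cap-add SYS_ADMIN for systemd to boot) is exactly what a container audit should flag. The script below is an added example, not part of the bug report or of any Docker or systemd tool: it reads the JSON that `docker inspect` prints and reports containers that run privileged, were granted CAP_SYS_ADMIN (or another capability from an assumed high-risk set), or bind-mount the host cgroup tree writable instead of with the `:ro` the report uses. The three records embedded in it are constructed samples mirroring the three `docker run` invocations above, so it runs offline; the field names (`HostConfig.Privileged`, `HostConfig.CapAdd`, `HostConfig.Binds`) are the ones `docker inspect` emits.

```python
"""Audit `docker inspect` output for the broad grants a systemd container
tends to ask for: --privileged, --cap-add SYS_ADMIN, writable cgroup binds.

Added example (not from the bug report). Input is the JSON array that
`docker inspect <container>...` prints; only HostConfig fields are used.
"""
import json
import sys

# Capabilities treated as high risk when added to a container. CAP_SYS_ADMIN is
# the one the reporter had to grant; the rest are this script's own assumption
# about what an audit policy would also want to see.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _norm_cap(cap):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(record):
    """Return a list of finding strings for one `docker inspect` record."""
    host = record.get("HostConfig") or {}
    name = (record.get("Name") or "?").lstrip("/")
    findings = []
    if host.get("Privileged"):
        # --privileged: every capability, default seccomp/AppArmor profiles off
        findings.append(f"{name}: runs --privileged (all capabilities, default seccomp/AppArmor profiles off)")
    for cap in host.get("CapAdd") or []:
        c = _norm_cap(cap)
        if c == "ALL" or c in HIGH_RISK_CAPS:
            findings.append(f"{name}: --cap-add {c}")
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        src = parts[0]
        mode = parts[2] if len(parts) > 2 else "rw"  # Docker's default bind mode is rw
        if src.startswith("/sys/fs/cgroup") and "ro" not in mode.split(","):
            findings.append(f"{name}: host cgroup tree bind-mounted read-write ({bind})")
    return findings


def audit_inspect_output(text):
    """Run audit_container over the JSON array `docker inspect` prints."""
    return [f for rec in json.loads(text) for f in audit_container(rec)]


# Constructed sample: the invocation that froze (no extra privilege) and the two
# from "Additional info", as docker inspect would roughly render their HostConfig.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/c7-plain", "HostConfig": {"Privileged": False, "CapAdd": None,
                                          "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]}},
    {"Name": "/c7-capadd", "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                                           "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]}},
    {"Name": "/c7-priv", "HostConfig": {"Privileged": True, "CapAdd": None,
                                         "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup"]}},
])

if __name__ == "__main__":
    # `docker inspect $(docker ps -q) | python3 audit.py -` audits live containers;
    # with no argument the constructed sample is audited instead.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_INSPECT
    for line in audit_inspect_output(text):
        print(line)
```

On the sample the plain container produces no finding, the `--cap-add SYS_ADMIN` one produces one finding, and the `--privileged` one produces two (the privileged flag and the writable cgroup bind). The point for a defender is that the report's workaround, CAP_SYS_ADMIN, is not a small grant: it is the capability that, among much else, governs mount operations, which is why systemd needs it here and why an audit should treat it like --privileged.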

Comment 1 Antoine TRAN 2016-11-07 16:53:42 UTC
A bug report was written previously at https://github.com/CentOS/sig-cloud-instance-images/issues/54 . Then someone sent me here.

Comment 2 Lukáš Nykrýn 2016-11-08 08:14:28 UTC
I would guess that systemd is trying to mount /run, because it wants to have it on tmpfs. Try to use "-v /run".

Comment 3 Antoine TRAN 2016-11-08 09:02:35 UTC
docker run -ti -v /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
gives
[!!!!!!] Failed to mount API filesystems, freezing.
Deleting the container gives
Error response from daemon: devmapper: Unknown device 3ba40886392a40ad357a0f930f47814d95db573e2eaa809ac2d3335038c10d65

This latter message does not appear without -v /run.

With -v /run:/run, or --tmpfs /run --tmpfs /var --tmpfs /var/run, I have the same error.

Comment 5 Jan Synacek 2016-11-09 11:11:08 UTC
Why is this a bug in systemd?

Comment 6 Antoine TRAN 2016-11-09 13:15:02 UTC
Although systemd works in a normal Linux distribution, it does not work in a restricted environment (like Docker).

Comment 8 Jan Synacek 2017-08-03 07:49:42 UTC
This is no longer reproducible with docker-1.12.6-48.git0fdc778.el7.x86_64 and systemd-219-42.el7.x86_64.

Fixed in RHEL-7.4.