Description of problem:
The systemd component in a Docker container, such as centos:7, needs too much privilege (either docker run --privileged ... or docker run --cap-add SYS_ADMIN ...).

Version-Release number of selected component (if applicable):
19.el7_2.13

How reproducible:
Follow https://hub.docker.com/_/centos/ chapter "Systemd integration", as an attempt to run httpd with systemd. Here are the steps below.

Steps to Reproduce:
1. Create the file Dockerfile with content:

    FROM centos:7
    MAINTAINER "you" <your>
    ENV container docker
    # Strip every unit systemd would start at boot except tmpfiles setup
    RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
        rm -f /lib/systemd/system/multi-user.target.wants/*; \
        rm -f /etc/systemd/system/*.wants/*; \
        rm -f /lib/systemd/system/local-fs.target.wants/*; \
        rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
        rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
        rm -f /lib/systemd/system/basic.target.wants/*; \
        rm -f /lib/systemd/system/anaconda.target.wants/*
    # systemd expects the host cgroup tree to be bind-mounted here (read-only)
    VOLUME [ "/sys/fs/cgroup" ]
    CMD ["/usr/sbin/init"]
    # The one service systemd is supposed to bring up in this container
    RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
    EXPOSE 80

2. docker build --rm -t local/c7-systemd-httpd .
3. docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd

Actual results:
[!!!!!!] Failed to mount API filesystems, freezing.
And then nothing happens; it freezes.

Expected results:
[  OK  ] Reached target Paths.
[  OK  ] Reached target Local File Systems.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice System Slice.
[  OK  ] Listening on Journal Socket.
         Starting Create Volatile Files and Directories...
...
[  OK  ] Reached target Multi-User System.

Additional info:
With these commands:

docker run -ti --cap-add SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
docker run -ti --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd

We have the expected result.
Using docker-engine 1.12.2 and CentOS 7.2.1511. When using systemd just to start one service in a container, we should not enable too much privilege just for systemd.
A bug report has been written previously in https://github.com/CentOS/sig-cloud-instance-images/issues/54 . Then someone sent me here.
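Since the report turns on whether the container's init holds CAP_SYS_ADMIN (needed via --cap-add SYS_ADMIN or --privileged), here is an added shell check, not from the report or from the CentOS/Docker projects, that decodes the CapEff mask of a /proc/<pid>/status file; the status texts it carries are constructed samples.

```shell
# Added example, not part of the bug report: decode the CapEff line from a
# /proc/<pid>/status file so an operator can verify what a running container
# (for example the systemd-based one built above) actually holds, and whether
# that includes CAP_SYS_ADMIN, the capability the report has to add.
# Capability bit numbers follow <linux/capability.h>; CAP_SYS_ADMIN is bit 21.

# capeff_mask STATUS_TEXT -> the hex mask after "CapEff:" (empty if absent)
capeff_mask() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# cap_has MASK_HEX BIT -> prints 1 if capability BIT is set in the mask, else 0
cap_has() {
    printf '%s\n' "$(( (0x$1 >> $2) & 1 ))"
}

# cap_count MASK_HEX -> number of capabilities set in the 64-bit mask
cap_count() {
    bit=0; n=0
    while [ "$bit" -lt 64 ]; do
        n=$(( n + ((0x$1 >> bit) & 1) ))
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$n"
}

# sys_admin_state STATUS_TEXT -> "unknown" (no CapEff line), "held" or "not-held"
sys_admin_state() {
    mask=$(capeff_mask "$1")
    if [ -z "$mask" ]; then
        printf 'unknown\n'; return 1
    elif [ "$(cap_has "$mask" 21)" = 1 ]; then
        printf 'held\n'
    else
        printf 'not-held\n'
    fi
}

# Constructed samples, modelled on 'cat /proc/1/status' inside a container.
# a80425fb is Docker's default capability set (14 caps); a82425fb adds
# CAP_SYS_ADMIN (--cap-add SYS_ADMIN); 1fffffffff is every capability a 3.10
# kernel knows (what --privileged grants there).
STATUS_DEFAULT=$(printf 'Name:\tsystemd\nCapEff:\t00000000a80425fb\n')
STATUS_SYS_ADMIN=$(printf 'Name:\tsystemd\nCapEff:\t00000000a82425fb\n')
STATUS_PRIVILEGED=$(printf 'Name:\tsystemd\nCapEff:\t0000001fffffffff\n')

# Against a live container: sys_admin_state "$(docker exec <id> cat /proc/1/status)"
```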
I would guess that systemd is trying to mount /run, because it wants to have it on tmpfs. Try to use "-v /run"
docker run -ti -v /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd

gives

[!!!!!!] Failed to mount API filesystems, freezing.

Deleting the container gives

Error response from daemon: devmapper: Unknown device 3ba40886392a40ad357a0f930f47814d95db573e2eaa809ac2d3335038c10d65

This latter message does not appear without -v /run. With -v /run:/run, or --tmpfs /run --tmpfs /var --tmpfs /var/run, I have the same error.
Why is this a bug in systemd?
Although systemd works in a normal Linux distribution, it does not work in a restricted environment (like Docker).
This is no longer reproducible with docker-1.12.6-48.git0fdc778.el7.x86_64 and systemd-219-42.el7.x86_64. Fixed in RHEL-7.4.