Bug 1392526 - Systemd in Docker container need too much priviledge
Summary: Systemd in Docker container need too much priviledge
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: systemd-maint
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1563025
Reported: 2016-11-07 16:51 UTC by Antoine TRAN
Modified: 2018-04-03 00:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1563025
Environment:
Last Closed: 2017-08-03 07:49:42 UTC
Target Upstream Version:
Embargoed:



Description Antoine TRAN 2016-11-07 16:51:54 UTC
Description of problem:
The systemd component in a Docker container, such as centos:7, needs too much privilege (either docker run --privileged ... or docker run --cap-add SYS_ADMIN ...).

Version-Release number of selected component (if applicable):
19.el7_2.13

How reproducible:
Follow https://hub.docker.com/_/centos/ chapter "Systemd integration", as an attempt to run httpd with systemd. Here are the steps below.

Steps to Reproduce:
1. Create the file Dockerfile with the following content:
FROM centos:7
MAINTAINER "you" <your>
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
EXPOSE 80
2. docker build --rm -t local/c7-systemd-httpd .
3. docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd

Actual results:
[!!!!!!] Failed to mount API filesystems, freezing.
And then nothing happens; it freezes.

Expected results:
[  OK  ] Reached target Paths.
[  OK  ] Reached target Local File Systems.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice System Slice.
[  OK  ] Listening on Journal Socket.
         Starting Create Volatile Files and Directories...
...
[  OK  ] Reached target Multi-User System.


Additional info:
With these commands:
docker run -ti --cap-add SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
docker run -ti --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
We have the expected result.
Using docker-engine 1.12.2 and CentOS 7.2.1511.

When using systemd just to start one service in a container, we should not enable too much privilege just for systemd.
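Because the workaround above is to run the container with --privileged or --cap-add SYS_ADMIN, an operator will want to know which containers on a host carry those settings. The following audit is an added example, not part of the bug report or of docker itself; it parses `docker inspect` output (a constructed sample is embedded) and flags the two privilege escalations named here plus a read-write bind of /sys/fs/cgroup, which the reproduction mounts read-only.

```python
import json

# Constructed sample of `docker inspect` output (not taken from the report).
# The second and third entries mirror the two workaround commands above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/c7-httpd-unpriv",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]}},
    {"Name": "/c7-httpd-sysadmin",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]}},
    {"Name": "/c7-httpd-priv",
     "HostConfig": {"Privileged": True, "CapAdd": None,
                    "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup"]}},
])

# Capabilities that give a container effectively unrestricted host access.
RISKY_CAPS = {"SYS_ADMIN", "ALL"}


def audit_container(entry):
    """Return the list of findings for one `docker inspect` record."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):          # docker accepts both spellings
            name = name[4:]
        if name in RISKY_CAPS:
            findings.append("cap:" + name)
    for bind in hc.get("Binds") or []:
        parts = bind.split(":")              # host:container[:opts]
        opts = parts[2].split(",") if len(parts) > 2 else []
        if len(parts) >= 2 and parts[1] == "/sys/fs/cgroup" and "ro" not in opts:
            findings.append("rw-cgroup-bind")
    return findings


def audit(inspect_json):
    """Map each container name to its findings; an empty list means clean."""
    return {e["Name"].lstrip("/"): audit_container(e)
            for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, findings or "ok")
```

On a live host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.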

Comment 1 Antoine TRAN 2016-11-07 16:53:42 UTC
A bug report has been written previously in https://github.com/CentOS/sig-cloud-instance-images/issues/54. Then someone sent me here.

Comment 2 Lukáš Nykrýn 2016-11-08 08:14:28 UTC
I would guess that systemd is trying to mount /run, because it wants to have it on tmpfs. Try to use "-v /run".

Comment 3 Antoine TRAN 2016-11-08 09:02:35 UTC
docker run -ti -v /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
gives
[!!!!!!] Failed to mount API filesystems, freezing.
Deleting the container gives
Error response from daemon: devmapper: Unknown device 3ba40886392a40ad357a0f930f47814d95db573e2eaa809ac2d3335038c10d65

This latter message does not appear without -v /run.

With -v /run:/run, or --tmpfs /run --tmpfs /var --tmpfs /var/run, I have the same error.

Comment 5 Jan Synacek 2016-11-09 11:11:08 UTC
Why is this a bug in systemd?

Comment 6 Antoine TRAN 2016-11-09 13:15:02 UTC
Although systemd works in a normal Linux distribution, it does not work in a restricted environment (like docker).

Comment 8 Jan Synacek 2017-08-03 07:49:42 UTC
This is no longer reproducible with docker-1.12.6-48.git0fdc778.el7.x86_64 and systemd-219-42.el7.x86_64.

Fixed in RHEL-7.4.

