Bug 1734028 - Running systemd in container under moby-engine fails
Summary: Running systemd in container under moby-engine fails
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: moby-engine
Version: 34
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Olivier Lemasle
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-29 13:24 UTC by Jan Pazdziora (Red Hat)
Modified: 2023-09-15 01:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-06-08 06:26:59 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora (Red Hat) 2019-07-29 13:24:51 UTC
Description of problem:

On Fedora 30 with docker-1.13.1-67.git1185cfd.fc30.x86_64, it is possible to run systemd in a container with

  docker run --rm -t registry.fedoraproject.org/fedora /usr/sbin/init

It does not show the systemd status due to other bugs but it runs and

  docker exec <container-id> systemctl

confirms that.

The only thing needed to get this working is

  setsebool container_manage_cgroup 1

With moby-engine instead of docker, that very same command fails.

Version-Release number of selected component (if applicable):

moby-engine-18.06.3-2.ce.gitd7080c1.fc30.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y moby-engine
2. setsebool container_manage_cgroup 1
3. systemctl start docker
4. docker run --rm -t registry.fedoraproject.org/fedora /usr/sbin/init

Actual results:

Failed to mount tmpfs at /run: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

Expected results:

Nothing printed out to terminal but container running like with docker, or

systemd v241-9.gitb67ecf2.fc30 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 30 (Container Image)!

Set hostname to <cbd53991ddce>.
Initializing machine ID from random generator.
File /usr/lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK  ] Reached target Swap.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
[...]

Additional info:

Comment 1 Jan Pazdziora (Red Hat) 2019-07-29 13:25:57 UTC
I'd expect the behaviour to match the old docker package, given that in Fedora rawhide, moby-engine acts as a docker replacement:

# rpm -q --provides moby-engine
config(moby-engine) = 18.09.8-1.ce.git0dd43dd.fc31
docker = 18.09.8-1.ce.git0dd43dd.fc31
docker-latest = 18.09.8-1.ce.git0dd43dd.fc31
moby-engine = 18.09.8-1.ce.git0dd43dd.fc31
moby-engine(x86-64) = 18.09.8-1.ce.git0dd43dd.fc31

Comment 2 Jan Pazdziora (Red Hat) 2019-07-29 13:27:11 UTC
I notice that moby-engine does not pull in any of the oci-* hook packages. However, even installing oci-systemd-hook manually does not help.

Comment 3 Jan Pazdziora (Red Hat) 2019-07-29 13:27:41 UTC
It seems that moby-engine not running OCI hooks was reported in bug 1634148.

Comment 4 Jan Pazdziora (Red Hat) 2019-07-29 13:29:24 UTC
It seems that it's necessary to use the --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /tmp options with moby-engine, like it was necessary with the old docker package before oci-systemd-hook was introduced:

# docker run --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /tmp --rm -ti registry.fedoraproject.org/fedora /usr/sbin/init
systemd v241-9.gitb67ecf2.fc30 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 30 (Container Image)!

Set hostname to <c86bea7740b2>.
Initializing machine ID from random generator.
File /usr/lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK  ] Reached target Slices.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Reached target Swap.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[  OK  ] Started Forward Password R…uests to Wall Directory Watch.
[  OK  ] Reached target Local File Systems.
[  OK  ] Reached target Paths.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
         Starting Rebuild Dynamic Linker Cache...
         Starting Journal Service...
         Starting Create System Users...
[  OK  ] Started Create System Users.
[  OK  ] Started Rebuild Dynamic Linker Cache.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[...]
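
A preflight check for the workaround in comment 4, added here as an example; it is not part of the bug report or of moby-engine. It lints a `docker run` argument list before systemd is started as PID 1, requiring the two tmpfs mounts and a read-only bind of /sys/fs/cgroup (read-only so the container cannot alter host cgroup state). The function names are assumptions.

```shell
# Added example: lint `docker run` arguments for running systemd as PID 1.
# Function names are assumptions, not moby-engine or docker interfaces.

has_tmpfs() {       # has_tmpfs <path> <docker run args...>
  want=$1; shift
  while [ $# -gt 0 ]; do
    if [ "$1" = "--tmpfs" ] && [ "$2" = "$want" ]; then return 0; fi
    shift
  done
  return 1
}

cgroup_mount_mode() {   # prints ro, rw or missing for the /sys/fs/cgroup bind
  while [ $# -gt 0 ]; do
    if [ "$1" = "-v" ] || [ "$1" = "--volume" ]; then
      spec=$2                       # src:dst[:opts]
      rest=${spec#*:}
      dst=${rest%%:*}
      opts=${rest#"$dst"}; opts=${opts#:}
      if [ "$dst" = "/sys/fs/cgroup" ]; then
        case ",$opts," in *,ro,*) echo ro ;; *) echo rw ;; esac
        return 0
      fi
    fi
    shift
  done
  echo missing
}

systemd_run_preflight() {   # returns 0 only when all three mounts are acceptable
  has_tmpfs /run "$@" || { echo "missing --tmpfs /run" >&2; return 1; }
  has_tmpfs /tmp "$@" || { echo "missing --tmpfs /tmp" >&2; return 1; }
  mode=$(cgroup_mount_mode "$@")
  [ "$mode" = "ro" ] || { echo "/sys/fs/cgroup bind is $mode, need :ro" >&2; return 1; }
  return 0
}
```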

Comment 5 Jan Pazdziora (Red Hat) 2019-08-12 07:56:44 UTC
Hello, any idea about the situation?

Comment 6 Ben Cotton 2020-04-30 21:22:37 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 7 Fedora Program Management 2021-04-29 15:56:07 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Ben Cotton 2022-05-12 16:54:32 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 9 Ben Cotton 2022-06-08 06:26:59 UTC
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07.

Fedora Linux 34 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 10 Red Hat Bugzilla 2023-09-15 01:28:30 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days
