Bug 1734028 - Running systemd in container under moby-engine fails [NEEDINFO]
Summary: Running systemd in container under moby-engine fails
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: moby-engine
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Olivier Lemasle
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-29 13:24 UTC by Jan Pazdziora
Modified: 2019-08-12 07:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
jpazdziora: needinfo? (o.lemasle)



Description Jan Pazdziora 2019-07-29 13:24:51 UTC
Description of problem:

On Fedora 30 with docker-1.13.1-67.git1185cfd.fc30.x86_64, it is possible to run systemd in a container with

  docker run --rm -t registry.fedoraproject.org/fedora /usr/sbin/init

It does not show the systemd status due to other bugs but it runs and

  docker exec <container-id> systemctl

confirms that.

The only thing needed to get this working is

  setsebool container_manage_cgroup 1

With moby-engine instead of docker, that very same command fails.

Version-Release number of selected component (if applicable):

moby-engine-18.06.3-2.ce.gitd7080c1.fc30.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y moby-engine
2. setsebool container_manage_cgroup 1
3. systemctl start docker
4. docker run --rm -t registry.fedoraproject.org/fedora /usr/sbin/init

Actual results:

Failed to mount tmpfs at /run: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

Expected results:

Nothing printed to the terminal but the container running, as with docker, or

systemd v241-9.gitb67ecf2.fc30 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 30 (Container Image)!

Set hostname to <cbd53991ddce>.
Initializing machine ID from random generator.
File /usr/lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK  ] Reached target Swap.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
[...]

Additional info:

Comment 1 Jan Pazdziora 2019-07-29 13:25:57 UTC
I'd expect the behaviour to match the old docker package, given that in Fedora rawhide, moby-engine acts as a docker replacement:

# rpm -q --provides moby-engine
config(moby-engine) = 18.09.8-1.ce.git0dd43dd.fc31
docker = 18.09.8-1.ce.git0dd43dd.fc31
docker-latest = 18.09.8-1.ce.git0dd43dd.fc31
moby-engine = 18.09.8-1.ce.git0dd43dd.fc31
moby-engine(x86-64) = 18.09.8-1.ce.git0dd43dd.fc31

Comment 2 Jan Pazdziora 2019-07-29 13:27:11 UTC
I notice that moby-engine does not pull in any of the oci-* hook packages. However, even installing oci-systemd-hook manually does not help.

Comment 3 Jan Pazdziora 2019-07-29 13:27:41 UTC
It seems that moby-engine not running OCI hooks was reported in bug 1634148.

Comment 4 Jan Pazdziora 2019-07-29 13:29:24 UTC
It seems that it's necessary to use the --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /tmp options with moby-engine, as was necessary with the old docker package before oci-systemd-hook was introduced:

# docker run --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /tmp --rm -ti registry.fedoraproject.org/fedora /usr/sbin/init
systemd v241-9.gitb67ecf2.fc30 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 30 (Container Image)!

Set hostname to <c86bea7740b2>.
Initializing machine ID from random generator.
File /usr/lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK  ] Reached target Slices.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Reached target Swap.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[  OK  ] Started Forward Password R…uests to Wall Directory Watch.
[  OK  ] Reached target Local File Systems.
[  OK  ] Reached target Paths.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
         Starting Rebuild Dynamic Linker Cache...
         Starting Journal Service...
         Starting Create System Users...
[  OK  ] Started Create System Users.
[  OK  ] Started Rebuild Dynamic Linker Cache.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[...]

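As an added illustration, not part of the bug report and not code from Fedora or moby-engine: a small POSIX sh helper that emits the argument list from Comment 4 for an image, and checks any `docker run` argument list for the same three mounts (tmpfs on /run and /tmp, host cgroup tree mounted read-only) before it is executed. It assumes the mounts are given with `--tmpfs` and `-v`/`--volume`; the `--mount` syntax is not parsed.

```shell
#!/bin/sh
# Added example, not code from the bug report, Fedora or moby-engine.
# Without oci-systemd-hook, systemd as PID 1 needs the three mounts from
# Comment 4: tmpfs on /run, tmpfs on /tmp and the host cgroup tree read-only.

# Print, one per line, the docker run argument list from Comment 4 for IMAGE ($1).
systemd_run_args() {
  printf '%s\n' --tmpfs /run --tmpfs /tmp \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti "$1" /usr/sbin/init
}

# check_systemd_args ARG... : return 0 when the list carries all three mounts,
# the cgroup tree is read-only and --privileged is absent; otherwise report
# each problem on stderr and return 1. Assumption: only --tmpfs and
# -v/--volume forms are recognised (the --mount syntax is not handled).
check_systemd_args() {
  have_run=0 have_tmp=0 have_cg=0 rc=0 prev=""
  for a in "$@"; do
    case "$prev" in
      --tmpfs)
        case "$a" in
          /run|/run:*) have_run=1 ;;
          /tmp|/tmp:*) have_tmp=1 ;;
        esac ;;
      -v|--volume)
        case "$a" in
          /sys/fs/cgroup:/sys/fs/cgroup:ro) have_cg=1 ;;
          /sys/fs/cgroup:/sys/fs/cgroup|/sys/fs/cgroup:/sys/fs/cgroup:rw)
            echo "cgroup tree mounted writable; mount it :ro" >&2; rc=1 ;;
        esac ;;
    esac
    if [ "$a" = --privileged ]; then
      echo "--privileged grants far more than these mounts need" >&2; rc=1
    fi
    prev="$a"
  done
  [ "$have_run" -eq 1 ] || { echo "missing --tmpfs /run (systemd cannot mount /run)" >&2; rc=1; }
  [ "$have_tmp" -eq 1 ] || { echo "missing --tmpfs /tmp" >&2; rc=1; }
  [ "$have_cg" -eq 1 ] || { echo "missing -v /sys/fs/cgroup:/sys/fs/cgroup:ro" >&2; rc=1; }
  return "$rc"
}

# Usage (image from the bug report), run only when the check passes:
#   img=registry.fedoraproject.org/fedora
#   check_systemd_args $(systemd_run_args "$img") && docker run $(systemd_run_args "$img")
```
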
Comment 5 Jan Pazdziora 2019-08-12 07:56:44 UTC
Hello, any idea about the situation?
