Bug 1734028 - Running systemd in container under moby-engine fails [NEEDINFO]
Summary: Running systemd in container under moby-engine fails
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: moby-engine
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Olivier Lemasle
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-29 13:24 UTC by Jan Pazdziora
Modified: 2020-05-06 13:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
jpazdziora: needinfo? (o.lemasle)



Description Jan Pazdziora 2019-07-29 13:24:51 UTC
Description of problem:

On Fedora 30 with docker-1.13.1-67.git1185cfd.fc30.x86_64, it is possible to run systemd in a container with

  docker run --rm -t registry.fedoraproject.org/fedora /usr/sbin/init

It does not show the systemd status due to other bugs but it runs and

  docker exec <container-id> systemctl

confirms that.

The only thing needed to get this working is

  setsebool container_manage_cgroup 1

With moby-engine instead of docker, that very same command fails.

Version-Release number of selected component (if applicable):

moby-engine-18.06.3-2.ce.gitd7080c1.fc30.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y moby-engine
2. setsebool container_manage_cgroup 1
3. systemctl start docker
4. docker run --rm -t registry.fedoraproject.org/fedora /usr/sbin/init

Actual results:

Failed to mount tmpfs at /run: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

Expected results:

Nothing printed out to the terminal but the container running as with docker, or

systemd v241-9.gitb67ecf2.fc30 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 30 (Container Image)!

Set hostname to <cbd53991ddce>.
Initializing machine ID from random generator.
File /usr/lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK  ] Reached target Swap.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
[...]

Additional info:

Comment 1 Jan Pazdziora 2019-07-29 13:25:57 UTC
I'd expect the behaviour to match the old docker package, given that in Fedora rawhide, moby-engine acts as a docker replacement:

# rpm -q --provides moby-engine
config(moby-engine) = 18.09.8-1.ce.git0dd43dd.fc31
docker = 18.09.8-1.ce.git0dd43dd.fc31
docker-latest = 18.09.8-1.ce.git0dd43dd.fc31
moby-engine = 18.09.8-1.ce.git0dd43dd.fc31
moby-engine(x86-64) = 18.09.8-1.ce.git0dd43dd.fc31

Comment 2 Jan Pazdziora 2019-07-29 13:27:11 UTC
I notice that moby-engine does not pull in any of the oci-* hook packages. However, even installing oci-systemd-hook manually does not help.

Comment 3 Jan Pazdziora 2019-07-29 13:27:41 UTC
It seems that moby-engine not running OCI hooks was reported in bug 1634148.

Comment 4 Jan Pazdziora 2019-07-29 13:29:24 UTC
It seems that it's necessary to use the --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /tmp options with moby-engine, as was necessary with the old docker package before oci-systemd-hook was introduced:

# docker run --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /tmp --rm -ti registry.fedoraproject.org/fedora /usr/sbin/init
systemd v241-9.gitb67ecf2.fc30 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 30 (Container Image)!

Set hostname to <c86bea7740b2>.
Initializing machine ID from random generator.
File /usr/lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK  ] Reached target Slices.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Reached target Swap.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[  OK  ] Started Forward Password R…uests to Wall Directory Watch.
[  OK  ] Reached target Local File Systems.
[  OK  ] Reached target Paths.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
         Starting Rebuild Dynamic Linker Cache...
         Starting Journal Service...
         Starting Create System Users...
[  OK  ] Started Create System Users.
[  OK  ] Started Rebuild Dynamic Linker Cache.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[...]

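An added helper script (not part of the bug report or of moby-engine) that packages the workaround from Comment 4: it refuses to launch unless the container_manage_cgroup boolean is on, and it builds the mount set with the host cgroup tree bind-mounted read-only instead of reaching for --privileged. The IMAGE default and the RUN_MAIN guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): launch systemd as PID 1 in a
# moby-engine container with the minimal mounts from Comment 4, and refuse
# to fall back to --privileged. IMAGE default is an assumption.

IMAGE="${IMAGE:-registry.fedoraproject.org/fedora}"

# Takes the output of `getsebool container_manage_cgroup` as its argument
# (so it can be checked without SELinux present); succeeds only when "on".
sebool_is_on() {
    case "$1" in
        "container_manage_cgroup --> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Emit one docker-run argument per line: tmpfs for /run and /tmp (the API
# filesystems systemd fails to mount itself in the report), plus the host
# cgroup tree bind-mounted read-only so systemd can read but not rewrite it.
systemd_run_args() {
    printf '%s\n' \
        --tmpfs /run \
        --tmpfs /tmp \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
        --rm -t "$1" /usr/sbin/init
}

# Guard: succeed only if no argument is --privileged (the usual, and far
# broader, workaround this script is meant to avoid).
args_are_unprivileged() {
    for a in "$@"; do
        if [ "$a" = "--privileged" ]; then return 1; fi
    done
    return 0
}

main() {
    if ! sebool_is_on "$(getsebool container_manage_cgroup 2>/dev/null)"; then
        echo "container_manage_cgroup is off; run: setsebool -P container_manage_cgroup 1" >&2
        exit 1
    fi
    set -- $(systemd_run_args "$IMAGE")
    args_are_unprivileged "$@" || exit 1
    exec docker run "$@"
}

# Only launch when explicitly asked, so the functions can be sourced/tested.
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run with `RUN_MAIN=1 sh run-systemd.sh`; afterwards `docker exec <container-id> systemctl` should list units as in the report.
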
Comment 5 Jan Pazdziora 2019-08-12 07:56:44 UTC
Hello, any idea about the situation?

Comment 6 Ben Cotton 2020-04-30 21:22:37 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 30 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

