Docker files for an unprivileged systemd container based on CentOS 7.
This image is intended to be a base for other images.
To build it, simply execute ./build.sh
To run a container, simply execute ./run.sh

[root@mwysocki docker-systemd-unpriv]# ./build.sh
Sending build context to Docker daemon 122.4 kB
Sending build context to Docker daemon
Step 0 : FROM centos:centos7
 ---> 7322fbe74aa5
Step 1 : MAINTAINER Marcel Wysocki "email@example.com"
 ---> Using cache
 ---> 00c8b93cf714
Step 2 : ENV container docker
 ---> Using cache
 ---> 9b8f4fb8200a
Step 3 : RUN yum -y update; yum clean all
 ---> Using cache
 ---> 3345a7b137ca
Step 4 : RUN yum -y swap -- remove systemd-container systemd-container-libs -- install systemd systemd-libs dbus
 ---> Using cache
 ---> b96655caefbc
Step 5 : RUN systemctl mask dev-mqueue.mount dev-hugepages.mount systemd-remount-fs.service sys-kernel-config.mount sys-kernel-debug.mount sys-fs-fuse-connections.mount display-manager.service graphical.target systemd-logind.service
 ---> Running in 15346731ae25
 ---> 1ee09b86a67b
Removing intermediate container 15346731ae25
Step 6 : ADD dbus.service /etc/systemd/system/dbus.service
 ---> 30046edacbd0
Removing intermediate container 84556db3d846
Step 7 : RUN systemctl enable dbus.service
 ---> Running in 151ced2a823e
 ---> fd86e74cf704
Removing intermediate container 151ced2a823e
Step 8 : VOLUME /sys/fs/cgroup
 ---> Running in bd81371550ca
 ---> 1c888d9613f8
Removing intermediate container bd81371550ca
Step 9 : VOLUME /run
 ---> Running in 1bcb2d277021
 ---> de4f43ca3837
Removing intermediate container 1bcb2d277021
Step 10 : CMD /usr/lib/systemd/systemd
 ---> Running in b660c5d8cba6
 ---> 1d7ff7bdbd64
Removing intermediate container b660c5d8cba6
Successfully built 1d7ff7bdbd64
[root@mwysocki docker-systemd-unpriv]# ./run.sh
Wed Jul 29 17:11:14 CEST 2015
1302a1dbd5ff09e720c566ea6b87f1233f0cc14370022a900bdc84e8d07a27f5
To enter docker container run: docker exec -t -i 1302a1dbd5ff09e720c566ea6b87f1233f0cc14370022a900bdc84e8d07a27f5 /bin/bash
[root@mwysocki docker-systemd-unpriv]# docker exec -t -i 1302a1dbd5ff09e720c566ea6b87f1233f0cc14370022a900bdc84e8d07a27f5 /bin/bash
[root@1302a1dbd5ff /]# ps -ux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.7  0.0  53584  3328 ?        Ss   15:11   0:00 /usr/lib/systemd/systemd
root        14  0.1  0.0  43024  5232 ?        Ss   15:11   0:00 /usr/lib/systemd/systemd-journald
root        24  0.4  0.0  11748  1940 ?        Ss   15:11   0:00 /bin/bash
root        39  0.0  0.0  19772  1476 ?        R+   15:11   0:00 ps -ux
[root@1302a1dbd5ff /]#
As an alternative you can get a pre-built container:
docker pull maci0/systemd
Or just run it using the default docker command (this should pull the image automatically):
docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro maci0/systemd
For more information see: https://registry.hub.docker.com/u/maci0/systemd/ or http://www.docker.com
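A check for the property this image is built around (no privileged mode, host /sys/fs/cgroup bind-mounted read-only), as an added example that is not part of the original repository. It audits `docker inspect` JSON; the container names and sample entries below are constructed.

```python
import json

CGROUP = "/sys/fs/cgroup"

def audit_container(entry):
    """Return findings for one element of `docker inspect` JSON output."""
    findings = []
    host_cfg = entry.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        findings.append("privileged mode is enabled")
    for cap in host_cfg.get("CapAdd") or []:
        findings.append("added capability: " + cap)
    # The image declares VOLUME /sys/fs/cgroup, so without -v the path is
    # backed by an anonymous volume rather than the host cgroup hierarchy.
    binds = [m for m in entry.get("Mounts") or []
             if m.get("Destination") == CGROUP and m.get("Source") == CGROUP]
    if not binds:
        findings.append("host " + CGROUP + " is not bind-mounted")
    elif any(m.get("RW", True) for m in binds):
        findings.append(CGROUP + " is writable; mount it with :ro")
    return findings

def audit_all(entries):
    """Map container name -> findings (an empty list means the check passed)."""
    return {e.get("Name", "?"): audit_container(e) for e in entries}

# Constructed sample shaped like `docker inspect` output; names are made up.
SAMPLE = json.loads("""[
 {"Name": "/unpriv-ro", "HostConfig": {"Privileged": false, "CapAdd": null},
  "Mounts": [{"Source": "/sys/fs/cgroup", "Destination": "/sys/fs/cgroup",
              "Mode": "ro", "RW": false}]},
 {"Name": "/priv-ro", "HostConfig": {"Privileged": true, "CapAdd": null},
  "Mounts": [{"Source": "/sys/fs/cgroup", "Destination": "/sys/fs/cgroup",
              "Mode": "ro", "RW": false}]},
 {"Name": "/unpriv-rw", "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"]},
  "Mounts": [{"Source": "/sys/fs/cgroup", "Destination": "/sys/fs/cgroup",
              "Mode": "", "RW": true}]},
 {"Name": "/no-bind", "HostConfig": {"Privileged": false, "CapAdd": null},
  "Mounts": [{"Source": "/var/lib/docker/volumes/constructed/_data",
              "Destination": "/sys/fs/cgroup", "Mode": "", "RW": true}]}
]""")

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On a live host, feed it the parsed output of `docker inspect <container>` instead of SAMPLE.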
Thanks for editing the dockerfile. I was able to get it running with the code you provided. I'm wondering why we run the container in detach mode then connect to run bash.
Is there a way to do that with the CMD directive?
Already upgraded to 7.1. Image works fine here.
If by hanging you mean it doesn't give you a login prompt, that's correct.
If you need a full OS with multi user capabilities in a container you should look at systemd-nspawn.
You are right. In RHEL 7.1 fakesystemd has been replaced with systemd-container and systemd-container-libs.
If you change it to
yum -y swap -- remove systemd-container systemd-container-libs -- install systemd systemd-libs
It should install the default systemd again. I'm not sure about the implications here and what they actually changed in systemd-container. Maybe using that is enough already.
The whole point of my image was that there is no need for privileged mode, however you still need the cgroup mount.
See how I run it: https://github.com/maci0/docker-systemd-unpriv/blob/master/run.sh
Graphical target should be disabled, maybe we need to mask it as well.
I will toy around with it as soon as I get some free time and will adapt to CentOS 7.1.
Thanks for sharing this Dockerfile.
I'm having some trouble getting this to work.
The first issue I had was getting the file to build. I believe fakesystemd has been replaced with systemd-container and systemd-container-libs. Substituting those packages allowed the dockerfile to build.
The second issue I have is running the container. Looking at other dockerfiles I found online, which have similar contents, I see the start args being as follows:
docker run --privileged -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro <container>
In your example you are not using the privileged flag and also not mapping the volume to the one defined in the dockerfile.
Thirdly, when I am able to run the container using the command above, the container seems to hang. I don't have the exact log message as I am not in front of my dev machine. It is something to the effect of locating "Graphical Target".
Any help would be appreciated.