[systemd-devel] container into systemd-nspawn machine

Lennart Poettering lennart at poettering.net
Tue Nov 7 15:39:43 UTC 2017


On Mo, 06.11.17 12:35, Juanjo Presa (juanjop at gmail.com) wrote:

> Hi,
> I am trying to run Concourse CI (a CI that runs build processes in
> docker/runc/whatever containers) on systemd-nspawn. I will try to explain
> what I do:
> 
> 1.- First I make a .raw file that installs/sets up the app (with mkosi).
> 2.- Run the concourse container with "systemd-nspawn -bi concourse.raw
> --capability=all". The app works but fails when starting a docker container:
> 
> runc create: exit status 1: container_linux.go:264: starting container
> process caused "process_linux.go:261: applying cgroup configuration for
> process caused \"mkdir
> /sys/fs/cgroup/cpuset/8638cb95-bbbc-4719-4509-5a1789fb100a: read-only file
> system\""
> 
> 3.- Run it binding the cgroups filesystem rw with: "systemd-nspawn -bi
> concourse.raw --capability=all --bind=/sys/fs/cgroup". Failing again with:
> 
> runc create: exit status 1: container_linux.go:264: starting container
> process caused "process_linux.go:339: container init caused
> \"rootfs_linux.go:69: creating device nodes caused \\"no such file or
> directory\\"\""
> 
> Do you have any hint about how I can solve this problem? Thanks in
> advance.

You can't. Docker is broken. It shouldn't directly write to the
top-level control group. It should only operate within the cgroup it
gets assigned by systemd, and turn Delegate=yes on for it, so that
systemd knows that it wants to manage its own cgroup subtree.

Anything else voids your warranty, and breaks at various places, like
the above.

Lennart

-- 
Lennart Poettering, Red Hat
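Added example, not part of the thread or of any project's own code: a small shell helper showing where the Delegate=yes that Lennart mentions goes (a drop-in on the unit of the service that launches runc inside the image; docker.service is an assumed name, adjust UNIT) and how to confirm from systemctl that systemd honours it.

```shell
#!/bin/sh
# Added example: grant a container-runtime service its own cgroup subtree and
# verify that systemd picked the setting up. Unit name and path are assumptions.
UNIT="${UNIT:-docker.service}"
SYSCONF="${SYSCONF:-/etc/systemd/system}"

# Path of the drop-in that overrides the unit without editing the vendor file.
dropin_path() {
    printf '%s/%s.d/10-delegate.conf\n' "$SYSCONF" "$1"
}

# Drop-in body: Delegate=yes tells systemd this unit manages its own cgroup
# subtree, so the runtime may create child cgroups there (and nowhere above it).
render_dropin() {
    printf '[Service]\nDelegate=yes\n'
}

# Install the drop-in (run as root inside the container image) and reload units.
install_dropin() {
    path=$(dropin_path "$1")
    mkdir -p "$(dirname "$path")"
    render_dropin > "$path"
    systemctl daemon-reload
}

# Exit 0 when systemd reports delegation enabled for the unit.
delegation_enabled() {
    [ "$(systemctl show -p Delegate --value "$1")" = "yes" ]
}

# Print the cgroup the runtime is allowed to manage; writes to the top-level
# hierarchy instead (as in the mkdir error above) still hit the read-only mount.
delegated_cgroup() {
    systemctl show -p ControlGroup --value "$1"
}
```

Running `install_dropin "$UNIT"` followed by `delegation_enabled "$UNIT" && delegated_cgroup "$UNIT"` shows the subtree that runc should be creating its cgroups under.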