[systemd-devel] Running systemd unprivileged in Docker container

Johannes Ernst johannes.ernst at gmail.com
Fri Jun 11 23:55:07 UTC 2021 

I can run a full Arch system (with systemd as PID 1) in a Docker container in Docker privileged mode:
    sudo docker run -i -t --privileged archlinux /usr/lib/systemd/systemd
but privileged mode is, well, a bit privileged. I believe used to be able to tone this down with something like:

    sudo docker run -i -t --cap-add=ALL -v /sys/fs/cgroup:/sys/fs/cgroup:ro archlinux /usr/lib/systemd/systemd
or even less capabilities than "all". But now I'm getting:

    systemd 248.3-2-arch running in system mode. (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)
    Detected virtualization docker.
    Detected architecture x86-64.
    Detected first boot.

    Welcome to Arch Linux!

    Initializing machine ID from random generator.
    Failed to create /init.scope control group: Read-only file system
    Failed to allocate manager object: Read-only file system
    [!!!!!!] Failed to allocate manager object.
    Exiting PID 1...
I don't understand what that means. (Somebody likes exclamation marks.) What's the "manager object", and who is trying to allocate it?

Assuming that the "Read-only filesystem" in question is that /sys/fs/cgroup, when binding it into the container as read-write I get that instead:

    Failed to create /init.scope control group: No such file or directory
    Failed to allocate manager object: No such file or directory
This long Serverfault thread <https://serverfault.com/questions/1053187/systemd-fails-to-run-in-a-docker-container-when-using-cgroupv2-cgroupns-priva> may be related? Are they saying it's broken? Can it be done?

Posted this earlier <https://bbs.archlinux.org/viewforum.php?id=23> in the Arch forum, lots of views, no answers.

Thanks,



Johannes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20210611/9eb64f04/attachment.htm>

More information about the systemd-devel mailing list