[systemd-devel] Running systemd unprivileged in Docker container

Lennart Poettering lennart at poettering.net
Mon Jun 14 12:20:53 UTC 2021


On Fr, 11.06.21 16:55, Johannes Ernst (johannes.ernst at gmail.com) wrote:

> I can run a full Arch system (with systemd as PID 1) in a Docker container in Docker privileged mode:
>     sudo docker run -i -t --privileged archlinux /usr/lib/systemd/systemd
> but privileged mode is, well, a bit privileged. I believe I used to be
> able to tone this down with something like:

So, Docker has an upstream that is pretty hostile towards systemd. As
a result, while pretty much all other container managers mostly just
work with systemd as payload, Docker does not.

We document extensively what expectations we have on a container
manager for things to just work:

https://systemd.io/CONTAINER_INTERFACE

The requirements aren't crazy, the few requirements of the above you
really need should be pretty common sense, yet Docker isn't interested.

My recommendation would be to pick an alternative container manager
with a less hostile upstream. e.g. podman is supposedly a drop-in
replacement and should just work.

If you want to use Docker anyway, I figure you have to make sure you
boot in cgroupsv1 mode (last time I looked the cgroupsv2 support in
Docker wasn't really more than an experiment), and stick to that. Make
sure that cgroupns is enabled, and that /sys/fs/cgroup/ is a tmpfs,
and /sys/fs/cgroup/systemd a cgroupfs mount of the top of the cgroup
namespace the container runs in, and that it is writable.

Not sure how to configure that with Docker, as I am not a Docker
person. Ideally this would be the default setup of Docker, but well,
apparently it isn't.

Lennart

--
Lennart Poettering, Berlin
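One way to verify the layout described in the mail from inside a container, as an added example that is neither part of the original thread nor code from systemd or Docker: the script reads the container's /proc/self/mountinfo and /proc/self/cgroup (constructed samples here) and reports which of the listed expectations fail. The mapping of the mail's conditions to a tmpfs at /sys/fs/cgroup, a writable cgroupfs at /sys/fs/cgroup/systemd, and a "/" name=systemd path is this example's own reading of the requirements.

```shell
#!/bin/sh
# Added example (not from the mail or from systemd): check the cgroup layout
# Lennart describes, from the container's point of view.
# mountinfo fields: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional...] - FSTYPE SOURCE SUPEROPTS

# fstype_at MOUNTINFO MOUNTPOINT: filesystem type mounted at MOUNTPOINT, or "" if none.
fstype_at() {
  printf '%s\n' "$1" | awk -v mp="$2" \
    '$5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit } }'
}

# mount_opts_at MOUNTINFO MOUNTPOINT: per-mount options (field 6), e.g. "rw,nosuid,...".
mount_opts_at() {
  printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { print $6; exit }'
}

# check_cgroup_layout MOUNTINFO CGROUPS: prints "ok" and returns 0 when every
# expectation holds, otherwise prints the failing ones and returns 1.
check_cgroup_layout() {
  problems=""
  [ "$(fstype_at "$1" /sys/fs/cgroup)" = tmpfs ] || problems="$problems cgroup-root-not-tmpfs"
  [ "$(fstype_at "$1" /sys/fs/cgroup/systemd)" = cgroup ] || problems="$problems systemd-hierarchy-not-cgroupfs"
  case ",$(mount_opts_at "$1" /sys/fs/cgroup/systemd)," in
    *,rw,*) ;;
    *) problems="$problems systemd-hierarchy-not-writable" ;;
  esac
  # With cgroupns enabled the container sits at the root of its own namespace,
  # so the name=systemd line in /proc/self/cgroup shows "/" rather than a host path.
  sysd_path=$(printf '%s\n' "$2" | awk -F: '$2 == "name=systemd" { print $3; exit }')
  [ "$sysd_path" = "/" ] || problems="$problems not-at-cgroup-namespace-root"
  if [ -z "$problems" ]; then echo ok; return 0; fi
  echo "problems:$problems"; return 1
}

# Constructed samples (not captured from a real container): one layout that
# meets the expectations and one that does not.
GOOD_MOUNTINFO='30 20 0:25 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
31 30 0:26 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd'
GOOD_CGROUPS='12:cpu,cpuacct:/
1:name=systemd:/'
BAD_MOUNTINFO='30 20 0:25 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
31 30 0:26 /docker/CONTAINER_ID /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd'
BAD_CGROUPS='1:name=systemd:/docker/CONTAINER_ID'

check_cgroup_layout "$GOOD_MOUNTINFO" "$GOOD_CGROUPS"
check_cgroup_layout "$BAD_MOUNTINFO" "$BAD_CGROUPS" || :
# Inside a real container: check_cgroup_layout "$(cat /proc/self/mountinfo)" "$(cat /proc/self/cgroup)"
```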

