[systemd-devel] Running systemd unprivileged in Docker container

Daniel Walsh dwalsh at redhat.com
Mon Jun 14 14:20:37 UTC 2021


On 6/14/21 08:20, Lennart Poettering wrote:
> On Fr, 11.06.21 16:55, Johannes Ernst (johannes.ernst at gmail.com) wrote:
>
>> I can run a full Arch system (with systemd as PID 1) in a Docker container in Docker privileged mode:
>>      sudo docker run -i -t --privileged archlinux /usr/lib/systemd/systemd
>> but privileged mode is, well, a bit privileged. I believe I used to be
>> able to tone this down with something like:
> So, Docker has an upstream that is pretty hostile towards systemd. As
> result, while pretty much all other container managers mostly just
> work with systemd as payload, Docker does not.
>
> We document extensively what expectations we have on a container
> manager for things to just work:
>
> https://systemd.io/CONTAINER_INTERFACE
>
> The requirements aren't crazy, the few requirements of the above you
> really need should be pretty common sense, yet Docker isn't interested.
>
> My recommendation would be to pick an alternative container manager
> with a less hostile upstream. e.g. podman is supposedly a drop-in
> replacement and should just work.
>
> If you want to use Docker anyway, I figure you have to make sure you
> boot in cgroupsv1 mode (last time I looked the cgroupsv2 support in
> Docker wasn't really more than an experiment), and stick to that. Make
> sure that cgroupns is enabled, and that /sys/fs/cgroup/ is a tmpfs,
> and /sys/fs/cgroup/systemd a cgroupfs mount of the top of the cgroup
> namespace the container runs in, and that it is writable.
>
> Not sure how to configure that with Docker, as I am not a Docker
> person. Ideally this would be the default setup of Docker, but well,
> apparently it isn't.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
Just try it with Podman and see if it works.
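The layout Lennart describes above (cgroup v1, cgroupns, /sys/fs/cgroup as tmpfs, /sys/fs/cgroup/systemd a writable cgroupfs mount at the root of the container's cgroup namespace) can be verified from inside a container before handing PID 1 to systemd. The script below is an added example, not code from the thread, from systemd or from Docker; its mountinfo and cgroup samples are constructed, the container id in them is a placeholder, and it uses a name=systemd path of "/" in /proc/self/cgroup as its heuristic for "this container sits at the top of its own cgroup namespace".

```shell
#!/bin/sh
# Added check for the cgroup layout described in the thread: cgroup v1,
# /sys/fs/cgroup on tmpfs, /sys/fs/cgroup/systemd a writable cgroupfs mount
# at the root of the container's cgroup namespace. Inputs are file paths so
# the same functions run on constructed samples or on the live /proc files.

# fstype_of MOUNTINFO MOUNTPOINT: print the fs type of a mount point (field after "-")
fstype_of() {
    awk -v mp="$2" '$5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i+1); exit } }' "$1"
}

# mount_is_rw MOUNTINFO MOUNTPOINT: succeed if the per-mount flags start with rw
mount_is_rw() {
    awk -v mp="$2" '$5 == mp { split($6, o, ","); if (o[1] == "rw") found = 1 } END { exit !found }' "$1"
}

# systemd_cgroup_at_root CGROUPFILE: succeed if name=systemd is at "/", i.e. the
# container sees the top of its own cgroup namespace rather than a host path
systemd_cgroup_at_root() {
    grep -q '^[0-9]*:name=systemd:/$' "$1"
}

# check_layout MOUNTINFO CGROUPFILE: report each expectation; return 0 only if all hold
check_layout() {
    rc=0
    if [ "$(fstype_of "$1" /sys/fs/cgroup)" = tmpfs ]; then echo "ok:   /sys/fs/cgroup is tmpfs (cgroup v1 layout)"
    else echo "FAIL: /sys/fs/cgroup is not tmpfs (cgroup v2 or not mounted)"; rc=1; fi
    if [ "$(fstype_of "$1" /sys/fs/cgroup/systemd)" = cgroup ] && mount_is_rw "$1" /sys/fs/cgroup/systemd; then
        echo "ok:   /sys/fs/cgroup/systemd is a writable cgroupfs mount"
    else echo "FAIL: /sys/fs/cgroup/systemd missing, not cgroupfs, or read-only"; rc=1; fi
    if systemd_cgroup_at_root "$2"; then echo "ok:   name=systemd hierarchy is at / (cgroupns in effect)"
    else echo "FAIL: name=systemd hierarchy is not at / (no cgroup namespace?)"; rc=1; fi
    return $rc
}

# Constructed sample /proc contents (not captured from a real host); container id is a placeholder.
GOOD_MI=$(mktemp); RO_MI=$(mktemp); V2_MI=$(mktemp); GOOD_CG=$(mktemp); HOSTPATH_CG=$(mktemp)
printf '%s\n' '100 99 0:43 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755' \
    '101 100 0:44 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,name=systemd' > "$GOOD_MI"
sed 's|/systemd rw,|/systemd ro,|' "$GOOD_MI" > "$RO_MI"          # same layout, systemd hierarchy read-only
printf '%s\n' '100 99 0:30 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate' > "$V2_MI"
printf '%s\n' '12:memory:/' '1:name=systemd:/' > "$GOOD_CG"
printf '%s\n' '1:name=systemd:/docker/PLACEHOLDER_ID' > "$HOSTPATH_CG"

echo "== constructed cgroup v1 + cgroupns sample =="; check_layout "$GOOD_MI" "$GOOD_CG"
if [ -r /proc/self/mountinfo ] && [ -r /proc/self/cgroup ]; then
    echo "== this process =="; check_layout /proc/self/mountinfo /proc/self/cgroup || echo "layout differs from the one described"
fi
```

Run it inside the container (as the entrypoint's first step, say) and it prints one line per expectation; a non-zero return from check_layout means systemd will not find the cgroup tree it expects.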