<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 02/10/2016 11:16 AM, Lennart Poettering wrote: </div> <blockquote cite="mid:20160210161639.GA17771@gardel-login" type="cite"> <pre wrap="">On Wed, 10.02.16 10:56, Daniel J Walsh (<a class="moz-txt-link-abbreviated" href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>) wrote: </pre> <blockquote type="cite"> <pre wrap="">On Fedora I see a few services starting up and failing when I run systemd, I have been able to disable these by executing. RUN systemctl disable sysinit.target remote-fs.target systemd-remount-fs;\ </pre> </blockquote> <pre wrap=""> sysinit.target and systemd-remount-fs.service are static units; they cannot be enabled via "systemctl enable" or disabled via "systemctl disable". That part should be a NOP and should not have any effect; you can drop it. remote-fs.target has no value either, unless there actually are NFS mounts listed in /etc/fstab. I am pretty sure there aren't any for in your container, are there? Hence, this really sounds like something you can drop too, without any change in behaviour. </pre> </blockquote> I was seeing failed mounts inside the container until I removed these. I can remove these lines to see if the failed mounts come back. But there should be nothing in the container that does a mount, unless someone put bogus stuff in the Fedora base container. This is what the dockerfile looks like that I am building and testing with systemd. ``` Cat Dockerfile <pre>FROM fedora:23 MAINTAINER Dan Walsh ENV container docker RUN dnf -y install httpd; dnf clean all; systemctl enable httpd; systemctl disable dnf* dnf-makecache.timer RUN systemctl disable sysinit.target remote-fs.target systemd-remount-fs;\ systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service systemd-udev-settle.service systemd-udev-trigger.service systemd-udevd.service systemd-udevd-control.socket systemd-udevd-kernel.socket; \ rm -f /lib/systemd/system/multi-user.target.wants/systemd* /lib/systemd/system/multi-user.target.wants/getty*;\ sed -i 's/^enable/disable/g' /lib/systemd/system-preset/* </pre> <pre>EXPOSE 80 CMD [ "/sbin/init" ] </pre> ``` <blockquote cite="mid:20160210161639.GA17771@gardel-login" type="cite"> <pre wrap=""> </pre> <blockquote type="cite"> <pre wrap=""> systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service systemd-udev-settle.service systemd-udev-trigger.service systemd-udevd.service systemd-udevd-control.socket systemd-udevd-kernel.socket; \ </pre> </blockquote> <pre wrap=""> The systemd-firstboot service should have no effect unless you actually boot with an empty /etc (or more accuratily: unless you actually boot with an /etc that lacks /etc/machine-id) . Note that it carries a condition ConditionFirstBoot=yes which makes sure that it isn't even executed in normal cases. </pre> </blockquote> I see in the logs systemd complaining about no systemd-firstboot command. <blockquote cite="mid:20160210161639.GA17771@gardel-login" type="cite"> <pre wrap=""> Masking all the udev stuff is pretty pointless too. These services are conditioned out in containers too anyway. There's really no need to mask them out. More specifically, they contain ConditionPathIsReadWrite=/sys, i.e. are skipped if /sys is read-only, which is the way how container managers should set up /sys (it's a big security hole to allow containers write access to /sys). My recommendation would be to make sure you container manager implements these recommendations: </pre> </blockquote> I am just seeing mentions of udev inside of the container, What I don't want is messages inside of the journal or bootup that look like systemd is trying to run firstboot, udev etc. <blockquote cite="mid:20160210161639.GA17771@gardel-login" type="cite"> <pre wrap=""> <a class="moz-txt-link-freetext" href="https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/">https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/</a> If your container manager follows these guidelines (of which the /sys being read-only thing is one), then there should be no special hacks necessary in systemd, as it should just work, and detect the slight semantica changes of containers correctly and avoid them cleanly. </pre> <blockquote type="cite"> <pre wrap=""> rm -f /lib/systemd/system/multi-user.target.wants/systemd* /lib/systemd/system/multi-user.target.wants/getty*;\ </pre> </blockquote> <pre wrap=""> What's the rationale for this? First of all, the getty stuff appears entirely unnecessary as <a class="moz-txt-link-abbreviated" href="mailto:getty@.service">getty@.service</a> (which is the only thing generally linked from gettys.target these days) contains ConditionPathExists=/dev/tty0 which means it's already skipped when run on systems lacking a VC (such as containers). </pre> </blockquote> Again, I am seeing getty@ failures inside of the container. <blockquote cite="mid:20160210161639.GA17771@gardel-login" type="cite"> <pre wrap=""> And the other services you are removing here: what's the point? they aren't really optional, that's why they are linked from /usr/lib, rather than subject to systemctl enable/disable... </pre> <blockquote type="cite"> <pre wrap=""> sed -i 's/^enable/disable/g' /lib/systemd/system-preset/* </pre> </blockquote> <pre wrap=""> Why would this matter?</pre> </blockquote> We don't want excess services running inside of a docker container. I only want systemd/journald and any services that I enable in the container. Not something pulled in because the installer thinks this is a VM or a Host OS. <blockquote cite="mid:20160210161639.GA17771@gardel-login" type="cite"> <pre wrap=""> </pre> <blockquote type="cite"> <pre wrap="">Could someone look at these and tell me if I went too far. I would like to get these commands as the default for systemd in the base RHEL/Fedora and Centos containers. </pre> </blockquote> <pre wrap=""> I don't follow at all. None of this is necessary. systemd works fine in containers as long as the container manager follows these guidelines: <a class="moz-txt-link-freetext" href="https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/">https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/</a> nspawn implements all of this, and docker really should too... Lennart </pre> </blockquote> If I remove these I end up seeing my systemd based container boot up with these messages. <pre># docker run -ti $(/usr/bin/docker-systemd-setup) --name httpd2 httpd systemd 222 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN) Detected virtualization docker. Detected architecture x86-64. Welcome to Fedora 23 (Twenty Three)! Set hostname to <ba64338e2b1a>. Running in a container, ignoring fstab device entry for /dev/disk/by-uuid/2cd63037-e967-4e87-b29b-044190721e80. sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked. dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked. systemd-remount-fs.service: Cannot add dependency job, ignoring: Unit systemd-remount-fs.service is masked. systemd-logind.service: Cannot add dependency job, ignoring: Unit systemd-logind.service is masked. getty.target: Cannot add dependency job, ignoring: Unit getty.target is masked. [ OK ] Reached target Encrypted Volumes. [ OK ] Created slice Root Slice. [ OK ] Listening on Journal Socket. [ OK ] Listening on Journal Socket (/dev/log). [ OK ] Reached target Remote File Systems. [ OK ] Reached target Paths. [ OK ] Created slice System Slice. ... I want to get rid of these mount messages, getty messages systemd-logind messages... </pre> </body> </html>