0

How do you run systemd in a Docker managed plugin? With a normal container I can run centos/systemd and run an Apache server using their example Dockerfile:

    FROM centos/systemd
    RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
    EXPOSE 80
    CMD ["/usr/sbin/init"]

And running it as follows:

    docker build --rm --no-cache -t httpd .
    docker run --privileged --name httpd -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 -d httpd

However, when I try to make a managed plugin, there are some issues with the cgroups.

I've tried putting the following in the config.json:

    {
        "destination": "/sys/fs/cgroup",
        "source": "/sys/fs/cgroup",
        "type": "bind",
        "options": [
            "bind",
            "ro",
            "private"
        ]
    }

    {
        "destination": "/sys/fs/cgroup",
        "source": "/sys/fs/cgroup",
        "type": "bind",
        "options": [
            "bind",
            "ro",
            "rprivate"
        ]
    }

    {
        "destination": "/sys/fs/cgroup",
        "source": "/sys/fs/cgroup",
        "type": "bind",
        "options": [
            "rbind",
            "ro",
            "rprivate"
        ]
    }

I also tried the following, which damages the host's cgroup and may require a hard reboot to recover:

    {
        "destination": "/sys/fs/cgroup/systemd",
        "source": "/sys/fs/cgroup/systemd",
        "type": "bind",
        "options": [
            "bind",
            "ro",
            "private"
        ]
    }

    {
        "destination": "/sys/fs/cgroup",
        "source": "/sys/fs/cgroup",
        "type": "bind",
        "options": [
            "bind",
            "ro",
            "private"
        ]
    }

It looks to be something to do with how opencontainer and moby interact: https://github.com/moby/moby/issues/36861

Archimedes Trajano

2 Answers

0

This is how I did it on my https://github.com/trajano/docker-volume-plugins/tree/master/centos-mounted-volume-plugin

The key thing to do is preserve the /run/docker/plugins before systemd gets started and wipes the /run folder. Then make sure you create the socket in the new folder.

    # Keep the plugin socket directory reachable after systemd wipes /run
    mkdir -p /dockerplugins
    if [ -e /run/docker/plugins ]
    then
      mount --bind /run/docker/plugins /dockerplugins
    fi

The other thing is that Docker managed plugins add an implicit /sys/fs/cgroup AFTER the defined mounts in config, so creating a read-only mount will not work unless it was rebound before starting up systemd.

    mount --rbind /hostcgroup /sys/fs/cgroup

With the mount defined in config.json as:

    {
        "destination": "/hostcgroup",
        "source": "/sys/fs/cgroup",
        "type": "bind",
        "options": [
            "bind",
            "ro",
            "private"
        ]
    }

Creating the socket needs to be customized since the plugin helpers write to /run/docker/plugins:

    // Listen in the preserved /dockerplugins bind mount instead of /run/docker/plugins.
    l, err := sockets.NewUnixSocket("/dockerplugins/osmounted.sock", 0)
    if err != nil {
        log.Fatal(err)
    }
    h.Serve(l)

The following shows the process above on how I achieved it on my plugin

Archimedes Trajano
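A lint for the cgroup mount patterns discussed in this thread, as an added example (not code from either poster or from the linked plugin repository). It reads the `mounts` array of a plugin config.json and reports entries whose destination is at or under /sys/fs/cgroup, which the answer above says are overridden by Docker's implicit mount, plus host cgroup binds that lack `ro`. The function name, the finding labels, the third sample mount and the read-only policy are assumptions of this example.

```python
import json
import posixpath

CGROUP_ROOT = "/sys/fs/cgroup"

# Constructed sample: a "mounts" section holding one mount from the question,
# the mount from the answer, and a made-up writable variant.
SAMPLE_CONFIG = """
{
  "mounts": [
    {"destination": "/sys/fs/cgroup/systemd", "source": "/sys/fs/cgroup/systemd",
     "type": "bind", "options": ["bind", "ro", "private"]},
    {"destination": "/hostcgroup", "source": "/sys/fs/cgroup",
     "type": "bind", "options": ["bind", "ro", "private"]},
    {"destination": "/hostcgroup-rw", "source": "/sys/fs/cgroup",
     "type": "bind", "options": ["rbind", "rprivate"]}
  ]
}
"""


def _under(path, root):
    """True when the normalised path is root itself or below it."""
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def lint_plugin_mounts(config_text):
    """Return (destination, finding) pairs for cgroup-related mounts."""
    findings = []
    for m in json.loads(config_text).get("mounts", []):
        dest, src = m.get("destination", ""), m.get("source", "")
        opts = m.get("options") or []
        if _under(dest, CGROUP_ROOT):
            # Docker adds its own /sys/fs/cgroup after the configured mounts,
            # so this entry does not give the read-only view it asks for.
            findings.append((dest, "shadowed-by-implicit-cgroup-mount"))
        elif _under(src, CGROUP_ROOT) and "ro" not in opts:
            # Assumption of this example: host cgroups are only ever
            # handed to the plugin read-only.
            findings.append((dest, "host-cgroup-writable"))
    return findings


if __name__ == "__main__":
    for dest, finding in lint_plugin_mounts(SAMPLE_CONFIG):
        print(f"{dest}: {finding}")
```
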
-1

You can run httpd in a centos container without systemd - at least to the tests with the docker-systemctl-replacement script.

Guido U. Draheim