Using systemd in docker


#1

It is convenient to be able to use systemd when software depends on it to run. It does not work out of the box, though. @pilou ilou suggested the following, based on a blog post, within molecule:

platforms:
  # See https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
  - name: molecule_test_instance
    image: ${BASE_IMAGE:-debian:stretch}
    command: /sbin/init
    security_opts: ['seccomp=unconfined']
    # seccomp profile is available here: https://src.fedoraproject.org/rpms/docker/raw/master/f/seccomp.json
    tmpfs: ['/tmp', '/run', '/run/lock']
    volumes: ['/sys/fs/cgroup:/sys/fs/cgroup:ro']
    env:
      container: docker

Which is equivalent to the following CLI, more or less:

docker run -it -e container=docker --security-opt seccomp=unconfined --stop-signal=SIGRTMIN+3 --tmpfs /tmp --tmpfs /run --tmpfs /run/lock -v /sys/fs/cgroup:/sys/fs/cgroup:ro debian_with_systemd /sbin/init

To install systemd in the Dockerfile:

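# Install systemd (systemd-sysv provides /sbin/init) on apt-based images only
RUN if command -v apt-get >/dev/null 2>&1; then \
         apt-get install -y systemd-sysv \
         && apt-get clean && rm -rf /var/lib/apt/lists/* ; \
    fi

# systemd shuts down cleanly on SIGRTMIN+3
STOPSIGNAL SIGRTMIN+3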

#2

The author of the certbot role uses a similar technique in the debian9 image he uses for molecule tests.


#3

Main difference: the author of certbot uses a privileged container.
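
To make the comparison in this thread concrete (seccomp=unconfined in post #1 versus a privileged container in post #3), here is an added example, not code from any of the posters or from molecule, that audits `docker inspect` output for both settings. The container names and the sample JSON are constructed, and the severity labels are this example's own assumption.

```python
import json

# Constructed `docker inspect` output: one container started with the flags
# from post #1, one started privileged as described in post #3.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/systemd_seccomp_unconfined",
  "HostConfig": {"Privileged": false,
                 "SecurityOpt": ["seccomp=unconfined"],
                 "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]}},
 {"Name": "/systemd_privileged",
  "HostConfig": {"Privileged": true,
                 "SecurityOpt": null,
                 "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup"]}}
]
""")


def audit_container(entry):
    """Return (severity, message) findings for one `docker inspect` entry."""
    host = entry.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append(("high", "privileged: all capabilities and host "
                                 "devices, no seccomp filtering"))
    for opt in host.get("SecurityOpt") or []:
        key, _, value = opt.partition("=")
        if key == "seccomp" and value == "unconfined":
            findings.append(("medium", "seccomp=unconfined: no syscall "
                                       "filter applied"))
    for bind in host.get("Binds") or []:
        parts = bind.split(":")  # src:dst[:mode,mode...]
        modes = parts[2].split(",") if len(parts) > 2 else []
        if parts[0].startswith("/sys/fs/cgroup") and "ro" not in modes:
            findings.append(("medium", f"{parts[0]} bind-mounted writable"))
    return findings


def audit(inspect_json):
    """Map container name to its findings (severity labels are assumptions)."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in inspect_json}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```

For real containers, feed it the parsed output of `docker inspect <container>` in place of the constructed sample.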