On Mon, 02.03.15 09:17, Daniel J Walsh (dwalsh@redhat.com) wrote:
On 03/01/2015 10:41 PM, Michael DePaulo wrote:
Hi,
I am developing a Dockerfile for X2Go. I intend to submit a PR to fedora-Dockerfiles within a week.
https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go
(X2Go was already added in F20) https://fedoraproject.org/wiki/Changes/X2Go
Example Dockerfile with systemd: https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/systemd/apach...
However, I would like to know if the Fedora project still recommends that I use systemd, or if I should resort to using supervisord or a shell script.
I merely need to start sshd and x2gocleansessions. Both have systemd unit files, but can be run via an init script too.
When I do try systemd, I am experiencing known issues with cgroups and with mounting /run, unless I run a privileged container. It has been a while since there were any comments on the CLOSED NOTABUG bz on these issues. https://bugzilla.redhat.com/show_bug.cgi?id=1033604
-Mike
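One way to start the two daemons without systemd, as an added example that is not part of this thread or of the X2Go project: a small POSIX sh entrypoint that launches each service, forwards SIGTERM/SIGINT to both, and exits if either one dies so the container runtime can restart it. It assumes sshd accepts -D (stay in the foreground) and -e (log to stderr), that x2gocleansessions stays in the foreground rather than daemonizing, that ssh-keygen -A is available to create missing host keys, and that the pid file path PIDFILE is writable; the main function only runs when the script is invoked as entrypoint.sh.

```shell
#!/bin/sh
# Minimal supervisor for a container without systemd (added example, not from the thread).
# Assumptions: sshd supports -D/-e, x2gocleansessions stays in the foreground,
# and PIDFILE (default /tmp/entrypoint.pids) is writable.

# Start each command given as an argument in the background and record "pid cmd"
# in the pid file named by $1. "exec" makes the recorded pid the daemon itself,
# not an intermediate shell, so signals reach the right process.
start_services() {
    pidfile=$1; shift
    : > "$pidfile"
    for cmd in "$@"; do
        sh -c "exec $cmd" &
        echo "$! $cmd" >> "$pidfile"
    done
}

# Send SIGTERM to every recorded service, then reap them so no zombies remain.
stop_services() {
    pidfile=$1
    while read -r pid _; do
        kill -TERM "$pid" 2>/dev/null || true
    done < "$pidfile"
    while read -r pid _; do
        wait "$pid" 2>/dev/null || true
    done < "$pidfile"
}

# Print how many recorded services are still running.
alive_count() {
    pidfile=$1
    n=0
    while read -r pid _; do
        if kill -0 "$pid" 2>/dev/null; then n=$((n + 1)); fi
    done < "$pidfile"
    echo "$n"
}

main() {
    pids=${PIDFILE:-/tmp/entrypoint.pids}
    # Create host keys on first start if they are missing (assumed available).
    ssh-keygen -A
    # On SIGTERM/SIGINT from the container runtime, stop both daemons cleanly.
    trap 'stop_services "$pids"; exit 0' TERM INT
    start_services "$pids" "/usr/sbin/sshd -D -e" "/usr/bin/x2gocleansessions"
    # Poll the services; if one dies, stop the other and exit non-zero so a
    # restart policy can bring the whole container back in a known state.
    while [ "$(alive_count "$pids")" -eq 2 ]; do
        sleep 1
    done
    stop_services "$pids"
    exit 1
}

# Run only when invoked as the container entrypoint.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```

The pid file lives in /tmp here because the thread notes that mounting /run is one of the things that does not work without a privileged container; exiting when either daemon dies is what makes this usable with a restart policy, since a shell init that silently keeps running with one service missing is harder to monitor than systemd would be.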
We are continuing to work on making running systemd within a container better. I am trying to get a /run on tmpfs patch to be acceptable upstream. But we still have a problem with systemd requiring /sys/fs/cgroup to be mounted inside the container to run, which allows for an information leak.
You'd have to get the kernel changed for that "information leak" to be fixed.
That said, containers on Linux are not really about security, the whole thing has more holes than a Swiss cheese. Maybe one day the security holes can be fixed, but as of now, it's simply not secure. And this "information leak" is certainly the least of your problems...
Lennart