Is systemd within a Docker container still recommended?

Lennart Poettering mzerqung at 0pointer.de
Mon Mar 2 14:42:13 UTC 2015


On Mon, 02.03.15 09:17, Daniel J Walsh (dwalsh at redhat.com) wrote:

> 
> On 03/01/2015 10:41 PM, Michael DePaulo wrote:
> > Hi,
> >
> > I am developing a Dockerfile for X2Go. I intend to submit a PR to
> > fedora-Dockerfiles within a week.
> >
> > https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go
> >
> > (X2Go was already added in F20)
> > https://fedoraproject.org/wiki/Changes/X2Go
> >
> > Example Dockerfile with systemd:
> > https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/systemd/apache/Dockerfile
> >
> > However, I would like to know if the Fedora project still recommends
> > that I use systemd, or if I should resort to using supervisord or a
> > shell script.
> >
> > I merely need to start sshd and x2gocleansessions. Both have systemd
> > unit files, but can be run via an init script too.
> >
> > When I do try systemd, I am experiencing known issues with cgroups and
> > with mounting /run, unless I run a privileged container. It has been a
> > while since there were any comments on the CLOSED NOTABUG bz on these
> > issues.
> > https://bugzilla.redhat.com/show_bug.cgi?id=1033604
> >
> > -Mike
> We are continuing to work on making running systemd within a container
> better. I am trying to get a /run on tmpfs patch to be acceptable
> upstream. But we still have a problem with systemd requiring
> /sys/fs/cgroup to be mounted inside the container to run, which allows
> for an information leak.

You'd have to get the kernel changed for that "information leak" to be
fixed.

That said, containers on Linux are not really about security, the
whole thing has more holes than a Swiss cheese. Maybe one day the
security holes can be fixed, but as of now, it's simply not
secure. And this "information leak" is certainly the least of your
problems...

Lennart

-- 
Lennart Poettering, Red Hat
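The two prerequisites the thread turns on are that /run be a tmpfs and that /sys/fs/cgroup be mounted inside the container. The script below is an added example, not code from the thread, from systemd or from Fedora-Dockerfiles: it parses /proc/self/mountinfo to report whether those mounts are present and whether the cgroup mount is read-only, which is the first thing to check before deciding between systemd and supervisord in an image. The function names and the two sample mountinfo files are my own constructions, not captured from a real container.

```shell
#!/bin/sh
# Added example (not from the thread): from inside a container, check whether
# the two mounts the thread says systemd needs are present: /run on tmpfs and
# /sys/fs/cgroup mounted, and whether the cgroup mount is read-only.
# The checks parse /proc/self/mountinfo; a different file can be passed so the
# functions can be tried against the constructed samples at the bottom.

# Filesystem type of the mount whose mountpoint is $1, read from mountinfo file $2.
# mountinfo layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
mount_fstype() {
    awk -v mp="$1" '$5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit } }' "$2"
}

# Per-mount options (field 6) of the mount whose mountpoint is $1.
mount_opts() {
    awk -v mp="$1" '$5 == mp { print $6; exit }' "$2"
}

# Exit 0 when mountpoint $1 carries the "ro" option in mountinfo file $2.
mount_is_ro() {
    case ",$(mount_opts "$1" "$2")," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print one line per check; return 0 only if /run is tmpfs and /sys/fs/cgroup
# is mounted (read-only or not).
systemd_mount_check() {
    mi="${1:-/proc/self/mountinfo}"
    ok=0
    run_fs=$(mount_fstype /run "$mi")
    if [ "$run_fs" = tmpfs ]; then
        echo "/run: tmpfs (ok)"
    else
        echo "/run: ${run_fs:-not a separate mount} (systemd wants tmpfs)"
        ok=1
    fi
    cg_fs=$(mount_fstype /sys/fs/cgroup "$mi")
    if [ -z "$cg_fs" ]; then
        echo "/sys/fs/cgroup: not mounted (systemd needs it mounted)"
        ok=1
    elif mount_is_ro /sys/fs/cgroup "$mi"; then
        echo "/sys/fs/cgroup: $cg_fs, read-only"
    else
        echo "/sys/fs/cgroup: $cg_fs, read-write"
    fi
    return $ok
}

# Constructed samples (not captured from a real container): a bare container
# with only the default mounts, and one where the two mounts were added.
SAMPLE_BARE=$(mktemp)
cat >"$SAMPLE_BARE" <<'EOF'
22 21 0:20 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay/l/example
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
EOF

SAMPLE_PREPARED=$(mktemp)
cat >"$SAMPLE_PREPARED" <<'EOF'
22 21 0:20 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay/l/example
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
25 24 0:23 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs ro,mode=755
26 22 0:24 / /run rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=755
EOF

# Try both samples, then the environment this script is actually running in.
systemd_mount_check "$SAMPLE_BARE" || echo "bare sample: systemd would not start cleanly"
systemd_mount_check "$SAMPLE_PREPARED" && echo "prepared sample: prerequisites present"
systemd_mount_check || echo "this environment: prerequisites missing"
```

Run it inside the container (for example as the image's entrypoint during development); a missing /run tmpfs or an absent /sys/fs/cgroup mount is exactly the situation the thread describes as needing a privileged container, and the read-only/read-write line shows what the container can see of the host's cgroup tree.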