Is systemd within a Docker container still recommended?

Mauricio Tavares raubvogel at gmail.com
Mon Mar 2 15:03:36 UTC 2015


On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung at 0pointer.de> wrote:
> On Mon, 02.03.15 09:17, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
>>
>> On 03/01/2015 10:41 PM, Michael DePaulo wrote:
>> > Hi,
>> >
>> > I am developing a Dockerfile for X2Go. I intend to submit a PR to
>> > fedora-Dockerfiles within a week.
>> >
>> > https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go
>> >
>> > (X2Go was already added in F20)
>> > https://fedoraproject.org/wiki/Changes/X2Go
>> >
>> > Example Dockerfile with systemd:
>> > https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/systemd/apache/Dockerfile
>> >
>> > However, I would like to know if the Fedora project still recommends
>> > that I use systemd, or if I should resort to using supervisord or a
>> > shell script.
>> >
>> > I merely need to start sshd and x2gocleansessions. Both have systemd
>> > unit files, but can be run via an init script too.
>> >
>> > When I do try systemd, I am experiencing known issues with cgroups and
>> > with mounting /run, unless I run a privileged container. It has been a
>> > while since there were any comments on the CLOSED NOTABUG bz on these
>> > issues.
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1033604
>> >
>> > -Mike
>> We are continuing to work on making running systemd within a container
>> better.
>> I am trying to get a /run on tmpfs patch to be acceptable upstream.  But
>> we still have a problem with systemd requiring /sys/fs/cgroup to be mounted
>> inside the container to run.  Which allows for an information leak.
>
> You'd have to get the kernel changed for that "information leak" to be
> fixed.
>
> That said, containers on Linux are not really about security, the
> whole thing has more holes than a swiss cheese. Maybe one day the
> security holes can be fixed, but as of now, it's simply not
> secure. And this "information leak" is certainly the least of your
> problems...
>
What would then be the recommended solution if containers are insecure?

> Lennart
>
> --
> Lennart Poettering, Red Hat
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
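The thread turns on two run-time choices: starting a systemd container with `--privileged`, or mounting the host's `/sys/fs/cgroup` into it. The following audit script is an added example, not code from the thread or from the Fedora-Dockerfiles project; it reads `docker inspect` output (field names `HostConfig.Privileged` and `Mounts[].Destination` are Docker's own, and the JSON it ships with is a constructed sample) and flags containers that use either setting.

```python
"""Flag containers started with --privileged or with the host cgroup tree
mounted inside them.  Run as:  docker inspect $(docker ps -q) | python audit.py
The JSON below is a constructed sample standing in for real inspect output."""
import json
import sys

# Constructed sample: a systemd-style container and a plain shell-script one.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/x2go-systemd",
     "HostConfig": {"Privileged": True,
                    "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:rw"]},
     "Mounts": [{"Type": "bind", "Source": "/sys/fs/cgroup",
                 "Destination": "/sys/fs/cgroup", "RW": True}]},
    {"Id": "bbb222", "Name": "/x2go-script",
     "HostConfig": {"Privileged": False, "Binds": []},
     "Mounts": []},
])


def audit(inspect_json):
    """Return {container name: [findings]} for every container with a finding."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        host_cfg = c.get("HostConfig", {})
        issues = []
        if host_cfg.get("Privileged"):
            # --privileged grants all capabilities and every host device;
            # it is the fallback Mike mentions when /run and cgroups fail.
            issues.append("privileged")
        for m in c.get("Mounts", []):
            dest = m.get("Destination", "")
            if dest == "/sys/fs/cgroup" or dest.startswith("/sys/fs/cgroup/"):
                # The host cgroup tree is what Dan Walsh calls an information
                # leak; a read-write mount additionally lets the container
                # reshape host resource control.
                mode = "rw" if m.get("RW") else "ro"
                issues.append("host cgroup tree mounted %s at %s" % (mode, dest))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, issues in audit(data).items():
        print(name + ": " + "; ".join(issues))
```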

