Is systemd within a Docker container still recommended?
raubvogel at gmail.com
Mon Mar 2 15:03:36 UTC 2015
On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung at 0pointer.de> wrote:
> On Mon, 02.03.15 09:17, Daniel J Walsh (dwalsh at redhat.com) wrote:
>> On 03/01/2015 10:41 PM, Michael DePaulo wrote:
>> > Hi,
>> > I am developing a Dockerfile for X2Go. I intend to submit a PR to
>> > fedora-Dockerfiles within a week.
>> > https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go
>> > (X2Go was already added in F20)
>> > https://fedoraproject.org/wiki/Changes/X2Go
>> > Example Dockerfile with systemd:
>> > https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/systemd/apache/Dockerfile
>> > However, I would like to know if the Fedora project still recommends
>> > that I use systemd, or if I should resort to using supervisord or a
>> > shell script.
>> > I merely need to start sshd and x2gocleansessions. Both have systemd
>> > unit files, but can be run via an init script too.
>> > When I do try systemd, I am experiencing known issues with cgroups and
>> > with mounting /run, unless I run a privileged container. It has been a
>> > while since there were any comments on the CLOSED NOTABUG bz on these
>> > issues.
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1033604
>> > -Mike
>> We are continuing to work on making running systemd within a container
>> I am trying to get a /run on tmpfs patch to be acceptable upstream. But
>> we still have a problem with systemd requiring /sys/fs/cgroup to be
>> mounted inside the container to run, which allows for an information leak.
> You'd have to get the kernel changed for that "information leak" to be
> That said, containers on Linux are not really about security, the
> whole thing has more holes than a swiss cheese. Maybe one day the
> security holes can be fixed, but as of now, it's simply not
> secure. And this "information leak" is certainly the least of your
What would then be the recommended solution if containers are insecure?
> Lennart Poettering, Red Hat
> devel mailing list
> devel at lists.fedoraproject.org
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
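Added here as an illustration of the point the thread turns on, not code from the thread or from any project: a small audit of a container's mount table that reports the two mounts systemd needs, /run on tmpfs and the cgroup tree under /sys/fs/cgroup, and flags any cgroup controller that is mounted read-write inside the container. The two mount listings are constructed samples; the field layout follows /proc/mounts, but the option strings are assumptions and vary by kernel and Docker version. Run inside a container it reads the real /proc/mounts; elsewhere it falls back to the sample.

```python
import os

# Constructed sample of /proc/mounts as seen from inside a container that
# boots systemd with the host's cgroup hierarchies mounted read-write
# (assumption: this is roughly what an unconstrained privileged run shows).
PRIVILEGED_SAMPLE = """\
overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
"""

# Constructed contrast case: the same listing with the controllers read-only.
READONLY_SAMPLE = PRIVILEGED_SAMPLE.replace(" cgroup rw,", " cgroup ro,")

CGROUP_ROOT = "/sys/fs/cgroup"


def parse_mounts(text):
    """Parse /proc/mounts text into (source, target, fstype, options) tuples.

    Options are returned as a set of the comma-separated mount flags.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line; a real entry has six fields
        source, target, fstype, options = fields[:4]
        entries.append((source, target, fstype, set(options.split(","))))
    return entries


def audit_mounts(text):
    """Report whether /run is a tmpfs and how the cgroup tree is exposed.

    A cgroup controller mounted read-write inside the container lets the
    container read, and potentially modify, host cgroup state; a read-only
    mount still exposes that state for reading.
    """
    findings = {
        "run_is_tmpfs": False,
        "cgroup_mounted": False,
        "cgroup_rw": [],  # controller mount points that are writable
        "cgroup_ro": [],  # controller mount points that are read-only
    }
    for _source, target, fstype, options in parse_mounts(text):
        if target == "/run" and fstype == "tmpfs":
            findings["run_is_tmpfs"] = True
        if target == CGROUP_ROOT or target.startswith(CGROUP_ROOT + "/"):
            findings["cgroup_mounted"] = True
            if fstype in ("cgroup", "cgroup2"):
                key = "cgroup_rw" if "rw" in options else "cgroup_ro"
                findings[key].append(target)
    return findings


def risk_level(findings):
    """Collapse the findings into one label usable as a CI gate."""
    if findings["cgroup_rw"]:
        return "HIGH"    # host cgroup hierarchy writable from the container
    if findings["cgroup_mounted"]:
        return "MEDIUM"  # tree readable inside the container, not writable
    return "LOW"


def main():
    # Audit the live mount table when run inside a container, else the sample.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            text = fh.read()
    else:
        text = PRIVILEGED_SAMPLE
    findings = audit_mounts(text)
    print("risk:", risk_level(findings))
    for key, value in findings.items():
        print(f"  {key}: {value}")


if __name__ == "__main__":
    main()
```

The audit only reports what the mount table shows; it does not decide whether a given container needs those mounts. Its use is in a build or deployment gate: a systemd image that comes up with controllers writable gets a HIGH and is reviewed, while one where the tree is merely visible is recorded as the leak the thread describes rather than treated as a clean result.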