Is systemd within a Docker container still recommended?

Daniel J Walsh dwalsh at redhat.com
Mon Mar 2 19:33:04 UTC 2015


On 03/02/2015 10:03 AM, Mauricio Tavares wrote:
> On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung at 0pointer.de> wrote:
>> On Mon, 02.03.15 09:17, Daniel J Walsh (dwalsh at redhat.com) wrote:
>>
>>> On 03/01/2015 10:41 PM, Michael DePaulo wrote:
>>>> Hi,
>>>>
>>>> I am developing a Dockerfile for X2Go. I intend to submit a PR to
>>>> fedora-Dockerfiles within a week.
>>>>
>>>> https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go
>>>>
>>>> (X2Go was already added in F20)
>>>> https://fedoraproject.org/wiki/Changes/X2Go
>>>>
>>>> Example Dockerfile with systemd:
>>>> https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/systemd/apache/Dockerfile
>>>>
>>>> However, I would like to know if the Fedora project still recommends
>>>> that I use systemd, or if I should resort to using supervisord or a
>>>> shell script.
>>>>
>>>> I merely need to start sshd and x2gocleansessions. Both have systemd
>>>> unit files, but can be run via an init script too.
>>>>
>>>> When I do try systemd, I am experiencing known issues with cgroups and
>>>> with mounting /run, unless I run a privileged container. It has been a
>>>> while since there were any comments on the CLOSED NOTABUG bz on these
>>>> issues.
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1033604
>>>>
>>>> -Mike
>>> We are continuing to work on making running systemd within a container
>>> better.
>>> I am trying to get a /run on tmpfs patch to be acceptable upstream.  But
>>> we still have a problem with systemd requiring /sys/fs/cgroup to be
>>> mounted inside the container to run, which allows for an information leak.
>> You'd have to get the kernel changed for that "information leak" to be
>> fixed.
>>
>> That said, containers on Linux are not really about security, the
>> whole thing has more holes than a swiss cheese. Maybe one day the
>> security holes can be fixed, but as of now, it's simply not
>> secure. And this "information leak" is certainly the least of your
>> problems...
>>
>       What would then be the recommended solution if containers are insecure?
Well we are trying to fix this, but as Lennart says, there are many
holes in the strategy at this point.  I am working on a presentation that
talks about different levels of security.  As soon as you get to
virtualization you get less security.

I would say running each service on an individual machine is the most
secure.  Running each service on a separate VM is the second most,
especially if you are using SELinux/sVirt for separation of your VMs.
Third level is running each service in a different container (again you
want SELinux for some separation).  Fourth is each service running on the
host (wrapped with SELinux).  Fifth: setenforce 0.


>> Lennart
>>
>> --
>> Lennart Poettering, Red Hat
>> --
>> devel mailing list
>> devel at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/devel
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
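The thread turns on two mounts: systemd will not start unless /sys/fs/cgroup is mounted in the container, and Dan's pending patch puts /run on tmpfs. The script below is an added example, not code from this thread, from Fedora-Dockerfiles, or from Red Hat. It audits a mount table in /proc/self/mounts format for exactly those two points so an operator can see, before reaching for --privileged, what a given container actually has. The sample mount tables are constructed, and treating a read-only cgroup mount as lower risk than a read-write one is this example's assumption rather than something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora-Dockerfiles, or Red Hat).
# Audits a mount table in /proc/self/mounts format:
#   source mountpoint fstype options dump pass
# for the two mounts the thread discusses: /sys/fs/cgroup (required by
# systemd, exposes the host cgroup tree) and /run (systemd expects tmpfs).
# Assumption of this example: a read-only cgroup mount is flagged as lower
# risk than a read-write one.

# mount_fstype FILE MOUNTPOINT -> fstype of the first mount at MOUNTPOINT, or "absent"
mount_fstype() {
    awk -v t="$2" '$2 == t { print $3; f = 1; exit } END { if (!f) print "absent" }' "$1"
}

# mount_mode FILE MOUNTPOINT -> "ro", "rw", or "absent"
# Scans the whole option list rather than only its first entry.
mount_mode() {
    awk -v t="$2" '
        $2 == t {
            n = split($4, o, ","); m = "rw"
            for (i = 1; i <= n; i++) if (o[i] == "ro") m = "ro"
            print m; f = 1; exit
        }
        END { if (!f) print "absent" }' "$1"
}

# audit_mounts FILE -> one finding per line; no output means nothing flagged.
# Always exits 0 so it can be used under "set -e".
audit_mounts() {
    case "$(mount_mode "$1" /sys/fs/cgroup)" in
        absent) echo "cgroup: /sys/fs/cgroup not mounted; systemd cannot run here" ;;
        rw)     echo "cgroup: /sys/fs/cgroup mounted read-write; host cgroup tree exposed and writable" ;;
        ro)     echo "cgroup: /sys/fs/cgroup mounted read-only; host cgroup tree still visible" ;;
    esac
    case "$(mount_fstype "$1" /run)" in
        tmpfs)  ;;
        absent) echo "run: no /run mount; systemd expects a tmpfs there" ;;
        *)      echo "run: /run is not tmpfs; systemd expects a tmpfs there" ;;
    esac
    return 0
}

# Constructed sample mount tables (not captured from real containers).
# Sets PRIV, HARDENED and PLAIN to temp file paths.
write_samples() {
    PRIV=$(mktemp); HARDENED=$(mktemp); PLAIN=$(mktemp)
    # Privileged-style container: cgroup tree mounted read-write.
    cat > "$PRIV" <<'EOF'
overlay / overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
EOF
    # Container given the cgroup tree read-only and /run on tmpfs.
    cat > "$HARDENED" <<'EOF'
overlay / overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,relatime,mode=755 0 0
EOF
    # Plain container: no cgroup mount and /run left on the overlay root.
    cat > "$PLAIN" <<'EOF'
overlay / overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Stand-alone run: audit each constructed table. On a real container,
# pass /proc/self/mounts instead.
write_samples
for f in "$PRIV" "$HARDENED" "$PLAIN"; do
    echo "== $f =="
    audit_mounts "$f"
done
rm -f "$PRIV" "$HARDENED" "$PLAIN"
```

Inside a real container, `audit_mounts /proc/self/mounts` gives the same report on the live mount table; the plain-container case shows the two complaints systemd would raise, and the difference between the other two samples is only the cgroup mount mode.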