【Question title】: Systemd inside rootless podman container possible?
【Posted】: 2021-12-26 17:52:11
【Question description】:

I would like to know whether it is possible to run a rootless podman container with systemd enabled inside the container (not to be confused with the systemd service on the host that controls the container itself!). If so, what do I need?

Here is a simple Dockerfile that I have been trying to run as an unprivileged user (it works fine as root!):

FROM ubuntu:focal         
                  
RUN apt-get -qqy update && apt-get -qqy --no-install-recommends install \
  init

# Start the systemd Init service by default
CMD ["/sbin/init"]

I noticed the following happening during $ podman build -t foo:latest . By the way, this also happens as the root user, so it is probably unrelated to the problem:

...
Setting up systemd (245.4-4ubuntu3.13) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service → /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target → /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /lib/systemd/system/systemd-resolved.service.
Created symlink /etc/systemd/system/multi-user.target.wants/systemd-resolved.service → /lib/systemd/system/systemd-resolved.service.
ln: failed to create symbolic link '/etc/resolv.conf': Device or resource busy
Created symlink /etc/systemd/system/multi-user.target.wants/ondemand.service → /lib/systemd/system/ondemand.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service → /lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Cannot set file attribute for '/var/log/journal', value=0x00800000, mask=0x00800000, ignoring: Input/output error
...

Running a container from that image via $ podman run -d foo:latest results in a 255 error, which I cannot debug any further. podman ps output:

427b3ce050dc  localhost/foo:latest                  /sbin/init            6 seconds ago   Exited (255) 7 seconds ago                            quirky_poincare

My podman version is 3.3.1. Does anyone know what is going on here? As mentioned, building and running the same container from the same Dockerfile as root results in systemd running perfectly inside the container!

Update

I enabled lingering for the user via loginctl enable-linger $user

Enable/disable user lingering for one or more users. If enabled for a specific user, a user manager is spawned for the user at boot and kept around after logouts. This allows users who are not logged in to run long-running services. Takes one or more user names or numeric UIDs as argument. If no argument is specified, enables/disables lingering for the user of the caller's session.

See the manpage for more details.

【Question discussion】:

  • Yes, it should be possible. Which Podman version are you using? What command are you using? Do you see any error messages?
  • thx @ErikSjölund I added more info to the original post!

Tags: systemd podman


【Solution 1】:

Yes, it is possible to run Systemd in a rootless Podman container

I tried out your example with Podman 3.4.1 on a Fedora 35 laptop. It seems to work. Maybe you ran into some bug that was later fixed in a newer Podman version?

[testuser@laptop ~]$ cat /etc/fedora-release 
Fedora release 35 (Thirty Five)
[testuser@laptop ~]$ podman --version
podman version 3.4.1
[testuser@laptop ~]$ mkdir testdir
[testuser@laptop ~]$ cd testdir
[testuser@laptop testdir]$ emacs Dockerfile
[testuser@laptop testdir]$ cat Dockerfile 
FROM ubuntu:focal         

RUN apt-get -qqy update && apt-get -qqy --no-install-recommends install \
  init

# Start the systemd Init service by default
CMD ["/sbin/init"]
[testuser@laptop e]$ podman build -t foo:latest .
STEP 1/3: FROM ubuntu:focal
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:focal...
Getting image source signatures
Copying blob 7b1a6ab2e44d done  
Copying config ba6acccedd done  
Writing manifest to image destination
Storing signatures
STEP 2/3: RUN apt-get -qqy update && apt-get -qqy --no-install-recommends install   init
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libapparmor1:amd64.
(Reading database ... 4127 files and directories currently installed.)
Preparing to unpack .../00-libapparmor1_2.13.3-7ubuntu5.1_amd64.deb ...
Unpacking libapparmor1:amd64 (2.13.3-7ubuntu5.1) ...
Selecting previously unselected package libcap2:amd64.
Preparing to unpack .../01-libcap2_1%3a2.32-1_amd64.deb ...
Unpacking libcap2:amd64 (1:2.32-1) ...
Selecting previously unselected package libargon2-1:amd64.
Preparing to unpack .../02-libargon2-1_0~20171227-0.2_amd64.deb ...
Unpacking libargon2-1:amd64 (0~20171227-0.2) ...
Selecting previously unselected package libdevmapper1.02.1:amd64.
Preparing to unpack .../03-libdevmapper1.02.1_2%3a1.02.167-1ubuntu1_amd64.deb ...
Unpacking libdevmapper1.02.1:amd64 (2:1.02.167-1ubuntu1) ...
Selecting previously unselected package libjson-c4:amd64.
Preparing to unpack .../04-libjson-c4_0.13.1+dfsg-7ubuntu0.3_amd64.deb ...
Unpacking libjson-c4:amd64 (0.13.1+dfsg-7ubuntu0.3) ...
Selecting previously unselected package libssl1.1:amd64.
Preparing to unpack .../05-libssl1.1_1.1.1f-1ubuntu2.9_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1f-1ubuntu2.9) ...
Selecting previously unselected package libcryptsetup12:amd64.
Preparing to unpack .../06-libcryptsetup12_2%3a2.2.2-3ubuntu2.3_amd64.deb ...
Unpacking libcryptsetup12:amd64 (2:2.2.2-3ubuntu2.3) ...
Selecting previously unselected package libip4tc2:amd64.
Preparing to unpack .../07-libip4tc2_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package libkmod2:amd64.
Preparing to unpack .../08-libkmod2_27-1ubuntu2_amd64.deb ...
Unpacking libkmod2:amd64 (27-1ubuntu2) ...
Selecting previously unselected package systemd-timesyncd.
Preparing to unpack .../09-systemd-timesyncd_245.4-4ubuntu3.13_amd64.deb ...
Unpacking systemd-timesyncd (245.4-4ubuntu3.13) ...
Selecting previously unselected package systemd.
Preparing to unpack .../10-systemd_245.4-4ubuntu3.13_amd64.deb ...
Unpacking systemd (245.4-4ubuntu3.13) ...
Setting up libapparmor1:amd64 (2.13.3-7ubuntu5.1) ...
Setting up libcap2:amd64 (1:2.32-1) ...
Setting up libargon2-1:amd64 (0~20171227-0.2) ...
Setting up libdevmapper1.02.1:amd64 (2:1.02.167-1ubuntu1) ...
Setting up libjson-c4:amd64 (0.13.1+dfsg-7ubuntu0.3) ...
Setting up libssl1.1:amd64 (1.1.1f-1ubuntu2.9) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.)
debconf: falling back to frontend: Teletype
Setting up libcryptsetup12:amd64 (2:2.2.2-3ubuntu2.3) ...
Setting up libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Setting up libkmod2:amd64 (27-1ubuntu2) ...
Setting up systemd-timesyncd (245.4-4ubuntu3.13) ...
Created symlink /etc/systemd/system/dbus-org.freedesktop.timesync1.service → /lib/systemd/system/systemd-timesyncd.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service → /lib/systemd/system/systemd-timesyncd.service.
Setting up systemd (245.4-4ubuntu3.13) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service → /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target → /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /lib/systemd/system/systemd-resolved.service.
Created symlink /etc/systemd/system/multi-user.target.wants/systemd-resolved.service → /lib/systemd/system/systemd-resolved.service.
ln: failed to create symbolic link '/etc/resolv.conf': Device or resource busy
Created symlink /etc/systemd/system/multi-user.target.wants/ondemand.service → /lib/systemd/system/ondemand.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service → /lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Selecting previously unselected package systemd-sysv.
(Reading database ... 4939 files and directories currently installed.)
Preparing to unpack .../systemd-sysv_245.4-4ubuntu3.13_amd64.deb ...
Unpacking systemd-sysv (245.4-4ubuntu3.13) ...
Setting up systemd-sysv (245.4-4ubuntu3.13) ...
Selecting previously unselected package init.
(Reading database ... 4956 files and directories currently installed.)
Preparing to unpack .../archives/init_1.57_amd64.deb ...
Unpacking init (1.57) ...
Setting up init (1.57) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
--> 8365295f680
STEP 3/3: CMD ["/sbin/init"]
COMMIT foo:latest
--> c5943cdefb8
Successfully tagged localhost/foo:latest
c5943cdefb8da63207de2195d08a00588ba1a725c9203f0642d2d070c505e717
[testuser@laptop testdir]$ podman run -d foo:latest
717f98bc12cd59297073985582f1c4cbc5718595da66ac8a1ee750b9e44bba10
[testuser@laptop testdir]$ podman logs 717f98bc12cd59297073985582f1c4cbc5718595da66ac8a1ee750b9e44bba10
[testuser@laptop testdir]$ podman container list
CONTAINER ID  IMAGE                 COMMAND     CREATED         STATUS             PORTS       NAMES
717f98bc12cd  localhost/foo:latest  /sbin/init  15 seconds ago  Up 15 seconds ago              laughing_nobel
[testuser@laptop testdir]$ podman container list
CONTAINER ID  IMAGE                 COMMAND     CREATED         STATUS             PORTS       NAMES
717f98bc12cd  localhost/foo:latest  /sbin/init  31 seconds ago  Up 31 seconds ago              laughing_nobel
[testuser@laptop testdir]$ podman container list
CONTAINER ID  IMAGE                 COMMAND     CREATED        STATUS            PORTS       NAMES
717f98bc12cd  localhost/foo:latest  /sbin/init  4 minutes ago  Up 4 minutes ago              laughing_nobel
[testuser@laptop testdir]$ 

【Discussion】:

  • According to the man page "[..] allows users who are not logged in to run long-running services.[..]", I got it working by using loginctl enable-linger <USER> for the host system user. I will investigate this further and update my post. Thanks a lot for proving that this is possible and keeping me going ;)
  • Upgrading podman to 3.4 did not make any difference!
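The fix the thread converged on, written up as an added shell example (not from the original post or from the Podman project): it checks the user's linger state with loginctl before starting the init container and then reports the container's status, so an early exit like the "Exited (255)" above shows up immediately instead of only in podman ps. Assumed names: the script file ensure_linger.sh and the image foo:latest built from the Dockerfile in the question; loginctl (systemd-logind) and podman must be installed.

```shell
#!/bin/sh
# Added example, not from the original post or the Podman project.
# Assumes systemd-logind (loginctl) and podman are installed and that the
# image foo:latest was built from the Dockerfile in the question.
set -e

# Classify the output of `loginctl show-user <user> -p Linger`,
# which is the single line "Linger=yes" or "Linger=no".
# Exit status 0 means lingering is enabled. Kept free of side effects
# so it can be exercised without a running logind.
linger_is_enabled() {
    case "$1" in
        Linger=yes*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Query logind for the invoking user's linger state.
current_linger_output() {
    loginctl show-user "$(id -un)" -p Linger 2>/dev/null || echo "Linger=unknown"
}

# Enable lingering only when it is not already on, so the user manager
# (and the rootless container started under it) survives logout.
ensure_linger() {
    if linger_is_enabled "$(current_linger_output)"; then
        echo "lingering already enabled for $(id -un)"
    else
        echo "enabling lingering for $(id -un)"
        loginctl enable-linger "$(id -un)"
    fi
}

# Start the init container detached and show whether it is still running
# or has already exited (the question saw "Exited (255)").
run_and_check() {
    image="${1:-foo:latest}"
    cid=$(podman run -d "$image")
    sleep 3
    podman inspect --format 'status={{.State.Status}} exit={{.State.ExitCode}}' "$cid"
    podman logs "$cid"
}

# Run the procedure only when executed as ./ensure_linger.sh, so the
# functions above can be sourced (or tested) without touching the host.
case "${0##*/}" in
    ensure_linger.sh) ensure_linger; run_and_check "$@" ;;
esac
```

Save it as ensure_linger.sh and run it as the unprivileged user that owns the rootless Podman storage; enable-linger may ask for authentication on hosts where polkit restricts it.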