The command “systemctl status” is not working. It never has. My container is on CentOS 7. When I issue “systemctl status” I get results “Failed to get D-Bus connection: operation not permitted.”
I then looked into upgrading systemd. I removed the /etc/yum/protected.d/system.conf file. I then used yum remove systemd. I see that systemd version 219-19.el7_2.4 has been installed. I choose “N” to not actually remove systemd. I then installed systemd-libs-219-19.el7_2.7.x86_64.rpm. I then installed systemd version 2.7. I then used yum remove systemd just to determine the version. I see that systemd version 219-19.el7_2.7 is installed. I choose “NO” to abort the removal. systemctl status still does not work. I get the same error: “Failed to get D-Bus connection: operation not permitted.”
I tried creating a Docker container with the -privileged flag. When I used the “-p 80:80” option, the Docker run command failed. When I left out the “-p 80:80” option in my Docker run command, the new container had the same problem.
I tried creating a Docker container with the -privileged flag. When I used the “-p 80:80” option, the Docker run command failed to create a new container. When I left out the “-p 80:80” option in my Docker run command, the new container had the same problem.
I created a Docker container with a “docker run” … “-v /sys/fs/cgroup:/sys/fs/cgroup:ro” option. But I had the same problem.
I expect “systemctl status” to work. I don’t know if the problem is with how I created the Docker container. Reinstalling (or upgrading) systemd did not work. What should I do to get “systemctl status” to work in a Docker container?
Normally when you run a container you aren’t running an init system. systemctl is a process that communicates with systemd over dbus. If you aren’t running dbus or systemd, I would expect systemctl to fail.
What is the pid1 of your docker container? It should reflect the entrypoint and command that were used to launch the container.
For example, if I do the following, my pid1 would be bash:
$ docker run --rm -it centos:7 bash
[root@180c9f6866f1 /]# ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.7 0.1 11756 2856 ? Ss 03:01 0:00 bash
root 15 0.0 0.1 47424 3300 ? R+ 03:02 0:00 ps faux
Since only bash and ps faux are running in the container, there would be nothing for systemctl to communicate with.
Hi, if you go to the Docker Hub page of the CentOS 7 release you are using, there are instructions on how to run CentOS with systemctl enabled. In short:
Create a dockerfile and paste:
FROM centos:7
MAINTAINER "you" your@email.here
ENV container docker
# Remove the unit symlinks that should not start inside a container, keeping only systemd-tmpfiles-setup
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
Then build the container in the dir where you have created the file (be sure no other files are inside, as they will be taken into the context and may cause trouble):
docker build --rm -t c7-systemd .
(c7-systemd can be replaced with another name)
Then run the image with:
docker run -itd --privileged --name=yourName c7-systemd
Following @kornzysiek’s update, I’ve tried it and when I execute it, the init phase hangs and doesn’t respond. Any directions from here? I have to open another terminal and stop the container to get this terminated.
Set hostname to <052069cdd742>.
Initializing machine ID from random generator.
[ OK ] Reached target Swap.
[ OK ] Reached target Paths.
[ OK ] Reached target Local File Systems.
[ OK ] Created slice Root Slice.
[ OK ] Listening on Journal Socket.
[ OK ] Listening on Delayed Shutdown Socket.
[ OK ] Created slice System Slice.
Starting Create Volatile Files and Directories…
[ OK ] Reached target Slices.
Starting Journal Service…
[ OK ] Started Create Volatile Files and Directories.
[ INFO ] Update UTMP about System Boot/Shutdown is not active.
[DEPEND] Dependency failed for Update UTMP about System Runlevel Changes.
Job systemd-update-utmp-runlevel.service/start failed with result ‘dependency’.
[ OK ] Started Journal Service.
[ OK ] Reached target System Initialization.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Timers.
Hi kornzysiek, thank you for the info, it saved me a lot of time. Can you suggest how to enable systemctl in an Ubuntu Docker image?
docker-ce installed in rhel7.4
You can’t do it without giving the container almost unlimited power over the host system and the ability to break out of the container space, and if you do manage to start systemd it will break things like the host cgroup settings (and to make things worse you’ll have two systemds trying to manage host-global things).
As far as Docker is concerned, in your Dockerfile, you should pretend commands like systemctl and initctl and service and the /etc/init.d tree just don’t exist. Even if you can run them they won’t do what you expect.
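A host-side check for the two conditions discussed so far in this thread, what runs as PID 1 and whether the container was started with --privileged, written as an added example that is not part of any post here. It reads `docker inspect` JSON; the sample records and container names are constructed, and the finding labels are this example's own.

```python
import json

# Constructed `docker inspect` excerpts (container names are made up).
# Path is the executable running as PID 1 inside the container.
SAMPLE = json.loads("""[
 {"Name": "/c7-priv", "Path": "/usr/sbin/init",
  "HostConfig": {"Privileged": true, "Binds": null, "SecurityOpt": null}},
 {"Name": "/sysd-test", "Path": "/usr/sbin/init",
  "HostConfig": {"Privileged": false, "SecurityOpt": null,
                 "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup:ro"]}},
 {"Name": "/shell", "Path": "bash",
  "HostConfig": {"Privileged": false, "SecurityOpt": ["seccomp=unconfined"],
                 "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup"]}}
]""")

INIT_NAMES = {"init", "systemd"}

def audit(container):
    """Return findings for one `docker inspect` record."""
    host = container.get("HostConfig") or {}
    findings = []
    if container.get("Path", "").rsplit("/", 1)[-1] not in INIT_NAMES:
        findings.append("pid1-not-init")  # systemctl has no systemd to reach
    if host.get("Privileged"):
        findings.append("privileged")  # all capabilities, no seccomp/LSM profile
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        mode = parts[2].split(",") if len(parts) > 2 else []
        # A host cgroup tree mounted without "ro" lets the container rewrite it.
        if parts[0].startswith("/sys/fs/cgroup") and "ro" not in mode:
            findings.append("host-cgroup-writable")
    for opt in host.get("SecurityOpt") or []:
        if opt.endswith(("unconfined", "disable")):
            findings.append("confinement-off:" + opt)
    return findings

if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"], audit(c) or "ok")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` parsed with `json.loads` instead of `SAMPLE`.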
Thanks for your reply… So, is it worst to use the systemctl command in a Docker container? And how can I implement a Tomcat application so that it starts when I run the Docker image? Can you suggest something?
Nope, they can’t suggest you… Docker is terrible if you actually need your container to act as a server that needs to do more than 1 thing… just implementing something as simple as an autorenew service for an SSL certificate requires you to invent your own workarounds…
I am working on creating a Docker Image with an existing open source App that doesn’t currently have an official image. In existing images they use the actual init.d service which is also not recommended. Following the install instructions for Ubuntu, the service is started using systemctl, if this is not the correct method what is the correct method for handling applications that are typically started using systemctl?
Sorry but I’m new to Docker. Can you explain in more detail where that file goes.
I do web development, I know something about Linux, and I work with CentOS, but I can’t get a container with CentOS 7 to work in Windows Docker (working systemctl, mysql, apache, ssh, rsync). Thanks in advance.
Hello Kornzysiek, great post. One question: what is the improvement from doing all that? (I want to know)
I work only doing this (without Dockerfile):
docker run -itd --privileged centos:latest /usr/sbin/init
I think this is the best, and I configured it with this Dockerfile and it absolutely works for me.
FROM centos:7
MAINTAINER "MD aakir" mdavir@nettolls.net
ENV container docker
RUN yum -y update; yum clean all
RUN yum -y install systemd; yum clean all;
# Remove the unit symlinks that should not start inside a container, keeping only systemd-tmpfiles-setup
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done);
RUN rm -rf /lib/systemd/system/multi-user.target.wants/*;
RUN rm -rf /etc/systemd/system/*.wants/*;
RUN rm -rf /lib/systemd/system/local-fs.target.wants/*;
RUN rm -rf /lib/systemd/system/sockets.target.wants/*udev*;
RUN rm -rf /lib/systemd/system/sockets.target.wants/*initctl*;
RUN rm -rf /lib/systemd/system/basic.target.wants/*;
RUN rm -rf /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
Best of all, now that it is 2020, we can drop the --privileged flag and keep AppArmor enforcing. I was able to create an image using the steps from Centos’ systemd example on their dockerhub page that @kornzysiek mentioned and run the httpd example like this:
$ docker info 2>/dev/null | grep 'Server Version'
Server Version: 19.03.6
$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Ubuntu 18.04.4 LTS"
$ docker run -v /tmp/$(mktemp -d):/run -d --name sysd-test -v /sys/fs/cgroup:/sys/fs/cgroup:ro local/c7-systemd-httpd
$ docker exec sysd-test systemctl status httpd | grep Active
Active: active (running) since Sun 2020-07-19 18:49:52 UTC; 14s ago
$ sudo aa-status
...
8 processes are in enforce mode.
...
For CentOS 7 with SELinux enabled, it isn’t as forgiving with the default Docker 1.13:
$ docker info 2>/dev/null | grep 'Server Version'
Server Version: 1.13.1
$ cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
$ docker run -v /tmp/$(mktemp -d):/run -d --name sysd-test -v /sys/fs/cgroup:/sys/fs/cgroup:ro local/c7-systemd-httpd
d3b57200d91b94473fc5d892771127511701cad239fa7c6a8a2461fb15c90b59
$ docker exec sysd-test systemctl status httpd.service | grep Active
Failed to get D-Bus connection: Operation not permitted
...
$ docker run -d --name sysd-test -v /sys/fs/cgroup:/sys/fs/cgroup:ro local/c7-systemd-httpd
$ docker exec sysd-test systemctl status httpd.service | grep Active
Active: failed (Result: exit-code) since Mon 2020-07-20 17:27:59 UTC; 7min ago
# ausearch -m avc -ts recent | tail -3
type=PROCTITLE msg=audit(1595266079.096:870): proctitle="/usr/sbin/init"
type=SYSCALL msg=audit(1595266079.096:870): arch=c000003e syscall=83 success=no exit=-13 a0=5654ba271980 a1=1ed a2=7ffed6fbf260 a3=ffffffff items=0 ppid=3180 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:container_t:s0:c700,c977 key=(null)
type=AVC msg=audit(1595266079.096:870): avc: denied { write } for pid=3197 comm="systemd" name="system.slice" dev="cgroup" ino=38335 scontext=system_u:system_r:container_t:s0:c700,c977 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
...
# setenforce Permissive
...
$ docker run -d --name sysd-test -v /sys/fs/cgroup:/sys/fs/cgroup:ro local/c7-systemd-httpd
$ docker exec sysd-test systemctl status httpd.service | grep Active
Active: active (running) since Mon 2020-07-20 17:39:29 UTC; 8s ago
However, Docker 19.03 in EL7 does seem to work with SELinux enabled:
$ cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
$ docker info 2>/dev/null | grep 'Server Version'
Server Version: 19.03.12
$ sestatus
SELinux status: enabled
...
Current mode: enforcing
...
$ docker run -v /tmp/$(mktemp -d):/run -d --name sysd-test -v /sys/fs/cgroup:/sys/fs/cgroup:ro local/c7-systemd-httpd
$ docker exec sysd-test systemctl status httpd.service | grep Active
Active: active (running) since Mon 2020-07-20 18:25:33 UTC; 3s ago
# ausearch -m avc -ts recent
<no matches>
This has come a long way since Dan Walsh of RH first went down this rabbit hole years ago…
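The SELinux denial quoted in the post above, decoded by correlating the SYSCALL and AVC records of audit event 870; this is an added example, not code from the thread. The syscall table holds only the one x86_64 number seen in that event, the SYSCALL line is trimmed to the fields used, and the function names are this example's own.

```python
import errno
import re

# Audit event 870 as quoted in the post, embedded so the example runs offline.
# The SYSCALL record is trimmed to the fields this example reads.
EVENT = [
    'type=SYSCALL msg=audit(1595266079.096:870): arch=c000003e syscall=83 '
    'success=no exit=-13 a0=5654ba271980 a1=1ed comm="systemd" '
    'exe="/usr/lib/systemd/systemd" '
    'subj=system_u:system_r:container_t:s0:c700,c977',
    'type=AVC msg=audit(1595266079.096:870): avc: denied { write } for '
    'pid=3197 comm="systemd" name="system.slice" dev="cgroup" ino=38335 '
    'scontext=system_u:system_r:container_t:s0:c700,c977 '
    'tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0',
]

HEAD_RE = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):")
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {83: "mkdir"}  # only the syscall number seen in this event

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def summarize(lines):
    """Merge SYSCALL and AVC records that share an audit serial number."""
    out = {}
    for line in lines:
        head = HEAD_RE.match(line)
        avc = PERMS_RE.search(line)
        if not head:
            continue
        rtype, serial = head.group(1), int(head.group(2))
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line[head.end():])}
        ev = out.setdefault(serial, {})
        if rtype == "SYSCALL":
            ev["syscall"] = X86_64_SYSCALLS.get(int(kv["syscall"]), kv["syscall"])
            ev["errno"] = errno.errorcode.get(-int(kv["exit"]), kv["exit"])
            ev["mode"] = oct(int(kv["a1"], 16))  # a1 is mkdir's mode argument
        elif rtype == "AVC" and avc:
            ev.update(result=avc.group(1), perms=avc.group(2).split(),
                      name=kv.get("name"), tclass=kv.get("tclass"),
                      source=se_type(kv.get("scontext", "")),
                      target=se_type(kv.get("tcontext", "")),
                      enforced=kv.get("permissive") == "0")
    return out
```

Read together, the two records show systemd, confined as container_t, attempting a mkdir with mode 0755 under the system.slice cgroup directory labelled cgroup_t and receiving EACCES while SELinux was enforcing.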
Hi @kornzysiek ,
I just created an Ubuntu instance in Docker and installed “Redis” manually by using the below link.
When I run "sudo systemctl start redis" I am getting an error. Is there any alternative way to start Redis?