oci-systemd-hook
Trying to run docker in a systemd container faces cgroup path error
When trying to run docker in a systemd container with oci-systemd-hook, things go wrong with the cgroup path.
```
# docker run -ti busybox
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:393: container init caused \"rootfs_linux.go:57: mounting \\\"cgroup\\\" to rootfs \\\"/var/lib/docker/devicemapper/mnt/e83e8ed9017e5dfe76d9bc6473d6d630902bde19a5cdecebb4cc26025381673d/rootfs\\\" at \\\"/sys/fs/cgroup\\\" caused \\\"stat /sys/fs/cgroup/44a49d3dbe07bc2e36acafd22e025c10d670d67718ecba0fc7df7aa611e6971a: no such file or directory\\\"\"".
```
But if we don't do the cgroup mount during the hook, docker runs pretty well.
So I want to ask @rhatdan, why should we mount cgroup into the container when starting a systemd container?
@jshachm Is this on Fedora 27?
No. It's on CentOS 7.3. The problem lies in the code which mounts cgroup into the container in oci-systemd-hook. So I get confused about the purpose of mounting cgroup into the container without unmounting the cgroup mounted by the docker daemon. This will cause a wrong cgroup path when running docker in a systemd container. So can you explain the purpose of mounting cgroup twice into a systemd container? Plz! @rhatdan
systemd needs to be able to write to /sys/fs/cgroup/systemd in order to launch processes inside of the container.
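To make the failure above concrete, here is an added example (not code from the oci-systemd-hook project): a POSIX shell check that reads a process's own cgroup path from `/proc/<pid>/cgroup` text and verifies that this path exists and is writable under the mounted systemd hierarchy, which is what the runtime's `stat` and systemd's process launching both require. The sample `/proc/self/cgroup` text is constructed, and the hierarchy root and container id are assumed names.

```shell
#!/bin/sh
# Diagnose the "stat /sys/fs/cgroup/<id>: no such file or directory" class of
# failure: the container's own cgroup path must exist under the mounted cgroup
# tree, and for systemd it must additionally be writable.

# Extract the cgroup path of one controller from /proc/<pid>/cgroup text
# (cgroup v1 line format: "hierarchy-id:controller[,controller...]:/path").
# Prints the path, or nothing if the controller is not present.
cgroup_path_for() {
    controller=$1
    cgroup_text=$2
    printf '%s\n' "$cgroup_text" | awk -F: -v c="$controller" '
        { n = split($2, subsys, ",")
          for (i = 1; i <= n; i++) if (subsys[i] == c) { print $3; exit } }'
}

# Check that a cgroup path exists under the mounted hierarchy root and is
# writable. Prints "ok", "missing" or "readonly" and returns 0, 1 or 2.
check_cgroup_path() {
    root=$1   # e.g. /sys/fs/cgroup/systemd (assumed mount point)
    path=$2   # e.g. /docker/<container id>
    dir="$root$path"
    if [ ! -d "$dir" ]; then
        echo missing; return 1
    fi
    if [ ! -w "$dir" ]; then
        echo readonly; return 2
    fi
    echo ok
}

# Convenience wrapper: resolve the systemd cgroup path of the calling process
# from cgroup text and check it under the given root.
check_systemd_cgroup() {
    root=$1
    cgroup_text=$2
    path=$(cgroup_path_for name=systemd "$cgroup_text")
    [ -n "$path" ] || { echo "no systemd hierarchy"; return 3; }
    check_cgroup_path "$root" "$path"
}

# Constructed sample of /proc/self/cgroup as seen inside a container; the id
# is a placeholder, not a real container.
SAMPLE_CGROUP='11:devices:/docker/CONTAINER_ID_PLACEHOLDER
1:name=systemd:/docker/CONTAINER_ID_PLACEHOLDER'

# Usage against the live system (only meaningful inside a container):
# check_systemd_cgroup /sys/fs/cgroup/systemd "$(cat /proc/self/cgroup)"
```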
@rhatdan Long time after we discussed this problem... We need to remount cgroup because we need the cgroupfs to be rw. However, why shouldn't we just remount the container's own cgroup path into the container?
If we mount the host cgroup tree into the container, we can have the whole view of the host cgroup sub path in the container even if it's read-only.
Is there any other side I didn't find? What's the purpose of mounting the whole cgroup path into the container?
It confuses me a lot....
> If we mount the host cgroup tree into the container, we can have the whole view of the host cgroup sub path in the container even if it's read-only.

I encountered this issue as well; it would be considered a security issue. @rhatdan @mrunalp