
Cgroupfs and cgroup ns handling in Docker breaks non-root services using latest systemd #835

Open
2 of 3 tasks
ajknv opened this issue Oct 22, 2019 · 4 comments

Comments

@ajknv

ajknv commented Oct 22, 2019

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

A service managed by systemd>=237 that runs as a non-root user should be started.

Actual behavior

systemd[1]: named.service: New main PID 751 does not belong to service, and PID file is not owned by root. Refusing.

Steps to reproduce the behavior

  • Start a docker image based on a CentOS 7 image.
  • yum update systemd to the latest version.
  • Install a service that is not run as root, example in this case is "named".
  • Configure systemd to enable the service.
  • systemctl start named

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.3
 API version:       1.40
 Go version:        go1.12.10
 Git commit:        a872fc2f86
 Built:             Tue Oct  8 00:58:10 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.3
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.10
  Git commit:       a872fc2f86
  Built:            Tue Oct  8 00:56:46 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 16
 Server Version: 19.03.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-1062.1.2.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 3.695GiB
 Name: myhost.mydomain.net
 ID: NW7B:P2U5:NDHQ:OFNR:XZD5:MIBZ:HHNB:IDPM:3Q6F:EA5R:NCH3:FA3J
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.)
docker-ce container running in VM.

See also:
moby/moby#38749
systemd/systemd#11752

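The refusal quoted above has two legs: a PID named in a PID file is accepted if it already sits in the service's cgroup, and otherwise only if the PID file is owned by root, so that a service user cannot hand systemd an arbitrary PID. The script below is an added illustration of that rule, written for this page; it is not systemd's or Docker's code. The `/proc/<pid>/cgroup` contents, the uid of the `named` user, and the `/docker/0123abcd` prefix are all constructed inputs chosen to show a path that does not match the unit's cgroup; how the paths actually come to disagree inside a container is what the linked moby and systemd issues discuss, and this script makes no claim about it.

```shell
#!/bin/sh
# Added example, not from the issue, systemd or Docker: a model of the rule
# behind "New main PID ... does not belong to service, and PID file is not
# owned by root. Refusing."  All sample inputs below are constructed.

# Pick out the cgroup path systemd tracks for a process from the contents of
# /proc/<pid>/cgroup: the 'name=systemd' hierarchy on cgroup v1, or the
# unified '0::' line on cgroup v2.  Prints the path, or nothing if absent.
systemd_cgroup_path() {
    printf '%s\n' "$1" |
        awk -F: '$2 == "name=systemd" || ($1 == "0" && $2 == "") { print $3; exit }'
}

# Decide whether a PID named in a PID file may become the unit's main PID.
#   $1  uid owning the PID file
#   $2  cgroup path of the PID (as returned by systemd_cgroup_path)
#   $3  cgroup path of the unit itself
# Returns 0 (accept) or 1 (refuse).  A PID inside the unit's cgroup, or a
# cgroup below it, is always accepted; a PID outside it is accepted only when
# the PID file is root-owned, since a root-owned file is not something the
# unprivileged service user could have forged.
accept_main_pid() {
    case "$2" in
        "$3" | "$3"/*) return 0 ;;   # belongs to the service
    esac
    [ "$1" -eq 0 ]                   # outside the service: root-owned file only
}

# Text wrapper so the verdict can be captured and compared.
verdict() {
    if accept_main_pid "$1" "$2" "$3"; then echo accept; else echo refuse; fi
}

UNIT=/system.slice/named.service
NAMED_UID=25   # constructed: uid of the 'named' user that writes the PID file

# Constructed /proc/<pid>/cgroup for a process systemd started on a host.
ON_HOST='11:pids:/system.slice/named.service
10:name=systemd:/system.slice/named.service'

# Constructed /proc/<pid>/cgroup carrying a container prefix the unit path
# does not share; the exact prefix is an assumption for illustration.
IN_CONTAINER='11:pids:/docker/0123abcd/system.slice/named.service
10:name=systemd:/docker/0123abcd/system.slice/named.service'

verdict "$NAMED_UID" "$(systemd_cgroup_path "$ON_HOST")"      "$UNIT"   # accept
verdict "$NAMED_UID" "$(systemd_cgroup_path "$IN_CONTAINER")" "$UNIT"   # refuse
verdict 0            "$(systemd_cgroup_path "$IN_CONTAINER")" "$UNIT"   # accept
```

The third call shows the practical consequence of the rule: a root-owned PID file is accepted even when the cgroup path does not match, which is why the message singles out PID-file ownership.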
@andrewhsu
Contributor

It is not normally advised to run systemd inside of a docker container since the docker daemon will manage the lifecycle of the process running (kind of overlapping the responsibilities of systemd).

Is there a way for you to just run the binary in the container that you need?

@ajknv
Author

ajknv commented Oct 23, 2019

While I am aware of the general advice and risks about this kind of setup, at this time I'm afraid the answer to your question for my situation is no.

@ekohl

ekohl commented Nov 23, 2019

I'm running into the exact same thing. My use case is to run Puppet acceptance tests and for that it needs systemd. We use docker containers because that's the easiest available way to run different distributions in cloud CI systems.

I can't reproduce it with the Docker included in CentOS 7 (1.13.1) but can with Docker CE 19.03.5.

@bmhughes

bmhughes commented Dec 5, 2019

I'm running into this same problem with the same use case for Chef with the Kitchen dokken driver.

baurmatt added a commit to syseleven/puppet-zabbix that referenced this issue Jan 7, 2020
This is needed because of docker/for-linux#835
and moby/moby#38749.

Long story short: systemd on CentOS 7.7 is broken with current versions
of Docker.
ljeromets pushed a commit to ljeromets/puppet-zabbix that referenced this issue Feb 2, 2020
This is needed because of docker/for-linux#835
and moby/moby#38749.

Long story short: systemd on CentOS 7.7 is broken with current versions
of Docker.
alexjfisher added a commit to alexjfisher/puppet-zabbix that referenced this issue Apr 12, 2020
4 participants