(web diary 10.08.2016) I decided to document the solution to a problem I tackled today, since I couldn't find any solution by googling. The problem manifests itself when you're running a full systemd within a container (at least with CentOS 7) and you want to access the host's Docker daemon from inside the systemd container.
The problem is that during its own boot systemd mounts a fresh tmpfs on /run, and /var/run is a symlink to /run. A socket bind-mounted with -v /var/run/docker.sock:/var/run/docker.sock therefore sits underneath the new mount once /usr/sbin/init has run, so from inside the container it looks as if it had been purged. So here's what you have to do if you want to run a virtual-host-like full systemd environment within a container and still reach the host's dockerd from within that container:
For CentOS 7, start from this Dockerfile:
FROM centos:7
# systemd-enabled CentOS 7 image, as per:
# https://hub.docker.com/_/centos/ section "Systemd integration"
ENV container=docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; \
     for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
    rm -f /lib/systemd/system/multi-user.target.wants/*; \
    rm -f /etc/systemd/system/*.wants/*; \
    rm -f /lib/systemd/system/local-fs.target.wants/*; \
    rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
    rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
    rm -f /lib/systemd/system/basic.target.wants/*; \
    rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
If you also want to run sshd in the container so that you can ssh into it, first generate a client key pair in the build directory (this produces id_rsa and id_rsa.pub; -N '' means the private key has no passphrase, so guard the file accordingly):
ssh-keygen -N '' -f id_rsa
and append the following lines to your Dockerfile:
# https://github.com/CentOS/CentOS-Dockerfiles/blob/master/ssh/centos7/Dockerfile
RUN yum -y install openssh-server && yum clean all
RUN mkdir /var/run/sshd && ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
COPY id_rsa.pub /root/.ssh/authorized_keys
RUN chmod -R go= /root/.ssh
Build your image by running (in the directory where you have the Dockerfile and id_rsa.pub):
docker build -t local/my-systemd-image .
Start the container in background mode, since its pid 1 is a real init (which doesn't do anything useful interactively):
docker run -d --privileged=true -v /var/run/docker.sock:/var/tmp/docker.sock \
    -p 22222:22 --name=mycont local/my-systemd-image
The important things here are to mount docker.sock anywhere except under /var/run (or /run, which is the same directory), and to run the container in privileged mode, since otherwise systemd won't start up properly. Be clear about what this combination means: --privileged switches off most of Docker's isolation, and anyone who can talk to the host's docker.sock can start a container with the host's root filesystem mounted, i.e. is effectively root on the host. Whoever has root in this container, including anyone holding the ssh key, therefore has root on the host as well.
You can access the container with docker:
docker exec -it mycont bash
... or, if you enabled sshd in the container, by ssh. The host key was generated at image build time, so every rebuild produces a new one; StrictHostKeyChecking=no skips the host key check (acceptable when the other end is localhost) and UserKnownHostsFile=/dev/null keeps the changing key out of your known_hosts:
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i id_rsa -p 22222 root@localhost
Directly, from the command line within the container (this needs a docker client in the image, which the Dockerfile above does not install; on CentOS 7 the docker package from the extras repository provides one):
docker -H unix:///var/tmp/docker.sock ps # shows e.g. the container itself
Set up the environment so that docker from your shells contacts the right socket: create /etc/profile.d/docker.sh containing the line below. Login shells read it, and on CentOS 7 interactive bash shells do too via /etc/bashrc, so it also covers docker exec -it; a non-interactive docker exec mycont docker ps does not read it and still needs -H.
export DOCKER_HOST=unix:///var/tmp/docker.sock
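As an added example that is not part of the original post, here is the whole procedure above in one POSIX shell script, with a guard for the failure mode the post describes: it refuses a docker.sock destination that systemd's /run tmpfs would hide, waits until systemd has actually booted before checking that the socket is still visible, and then installs the profile.d line. The image name, container name, port and /var/tmp/docker.sock path are the post's; the function names, the 30 second boot timeout and the rejection of ".." in the destination are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's procedure as one
# script, guarding the failure mode it describes. Names from the post:
# local/my-systemd-image, mycont, port 22222, /var/tmp/docker.sock.
# Assumed by me: the function names, the 30 s boot timeout, the ".." check.
set -eu

IMAGE="local/my-systemd-image"
NAME="mycont"
HOST_SOCK="/var/run/docker.sock"
SSH_PORT=22222

# Return 0 if a bind-mount destination survives systemd's boot in the container.
# systemd mounts a fresh tmpfs on /run early in boot, and /var/run is a symlink
# to /run, so anything bind-mounted below either path is shadowed by the new
# mount and looks as if it had been purged.
sock_dest_ok() {
    case "$1" in
        */../*|*/..)                      return 1 ;;  # no ".." around the check
        /run|/run/*|/var/run|/var/run/*)  return 1 ;;  # hidden by systemd's tmpfs
        /?*)                              return 0 ;;  # any other absolute path
        *)                                return 1 ;;  # -v needs an absolute target
    esac
}

# The DOCKER_HOST value for a socket path, e.g. unix:///var/tmp/docker.sock
docker_host_for() {
    printf 'unix://%s\n' "$1"
}

# Start the systemd container with the host's socket bind-mounted at $1.
start_container() {
    dest="$1"
    if ! sock_dest_ok "$dest"; then
        echo "refusing $dest: systemd remounts /run as tmpfs and would hide it" >&2
        return 2
    fi
    docker run -d --privileged \
        -v "$HOST_SOCK:$dest" \
        -p "$SSH_PORT:22" --name="$NAME" "$IMAGE"
}

# Wait until systemd reports it has left early boot, then require the socket
# to still be there: if it is gone at that point, it is gone for good.
wait_for_socket() {
    dest="$1"; tries=30
    while [ "$tries" -gt 0 ]; do
        state=$(docker exec "$NAME" systemctl is-system-running 2>/dev/null || true)
        case "$state" in
            ""|initializing|starting) ;;          # still booting, try again
            *)
                if docker exec "$NAME" test -S "$dest"; then
                    return 0
                fi
                echo "$dest is not a socket inside $NAME after boot" >&2
                return 1 ;;
        esac
        sleep 1; tries=$((tries - 1))
    done
    echo "systemd in $NAME did not finish booting in time" >&2
    return 1
}

# Point login and interactive shells in the container at the right socket.
install_profile() {
    printf 'export DOCKER_HOST=%s\n' "$(docker_host_for "$1")" |
        docker exec -i "$NAME" sh -c 'cat > /etc/profile.d/docker.sh'
}

# Usage: ./systemd-container.sh start [/path/inside/container/docker.sock]
if [ "${1:-}" = "start" ]; then
    dest="${2:-/var/tmp/docker.sock}"
    start_container "$dest"
    wait_for_socket "$dest"
    install_profile "$dest"
    # Final check from inside the container; needs a docker client in the image.
    docker exec "$NAME" docker -H "$(docker_host_for "$dest")" ps
fi
```

Running it with a destination such as /var/run/docker.sock fails before docker run is ever called, and a destination that passes the check is re-verified once systemd is up, so a socket that silently disappeared is reported instead of surfacing later as a confusing "Cannot connect to the Docker daemon" error.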