When running systemd in a container set container_uuid

systemd expects the container_uuid environment variable to be set
when it is running in a container.

Fixes: https://github.com/containers/podman/issues/13187

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh 2022-03-23 14:12:07 -04:00
parent f049cba47c
commit 5e28cbc5fc
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
4 changed files with 42 additions and 19 deletions


@ -1020,15 +1020,20 @@ Run container in systemd mode. The default is *true*.
The value *always* enforces the systemd mode is enforced without The value *always* enforces the systemd mode is enforced without
looking at the executable name. Otherwise, if set to true and the looking at the executable name. Otherwise, if set to true and the
command you are running inside the container is systemd, /usr/sbin/init, command you are running inside the container is **systemd**, **/usr/sbin/init**,
/sbin/init or /usr/local/sbin/init. **/sbin/init** or **/usr/local/sbin/init**.
If the command you are running inside of the container is systemd, Running the container in systemd mode causes the following changes:
Podman will setup tmpfs mount points in the following directories:
/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal * Podman mounts tmpfs file systems on the following directories
* _/run_
It will also set the default stop signal to SIGRTMIN+3. * _/run/lock_
* _/tmp_
* _/sys/fs/cgroup/systemd_
* _/var/lib/journal_
* Podman sets the default stop signal to **SIGRTMIN+3**.
* Podman sets **container_uuid** environment variable in the container to the
first 32 characters of the container id.
This allows systemd to run in a confined container without any modifications. This allows systemd to run in a confined container without any modifications.
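Review bot: the new bullet list names _/var/lib/journal_ as a tmpfs mount point, but the comment on setupSystemd in libpod/container_internal_linux.go (further down in this commit) says systemd expects to write to /var/log/journal; one of the two is wrong, and the man page should name the path the code actually mounts. The new container_uuid bullet also needs an article ("Podman sets the **container_uuid** environment variable") and should state the caveat the Go change implements, namely that the variable is only set when the user has not already supplied one, e.g. "unless it is already set, for example with **--env container_uuid=...**".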


@ -1082,20 +1082,21 @@ Note: if you use the **--network=host** option, these sysctls will not be allowe
Run container in systemd mode. The default is **true**. Run container in systemd mode. The default is **true**.
The value *always* enforces the systemd mode is enforced without The value *always* enforces the systemd mode is enforced without
looking at the executable name. Otherwise, if set to **true** and the looking at the executable name. Otherwise, if set to true and the
command you are running inside the container is systemd, _/usr/sbin/init_, command you are running inside the container is **systemd**, **/usr/sbin/init**,
_/sbin/init_ or _/usr/local/sbin/init_. **/sbin/init** or **/usr/local/sbin/init**.
If the command you are running inside of the container is systemd Running the container in systemd mode causes the following changes:
Podman will setup tmpfs mount points in the following directories:
- _/run_ * Podman mounts tmpfs file systems on the following directories
- _/run/lock_ * _/run_
- _/tmp_ * _/run/lock_
- _/sys/fs/cgroup/systemd_ * _/tmp_
- _/var/lib/journal_ * _/sys/fs/cgroup/systemd_
* _/var/lib/journal_
It will also set the default stop signal to **SIGRTMIN+3**. * Podman sets the default stop signal to **SIGRTMIN+3**.
* Podman sets **container_uuid** environment variable in the container to the
first 32 characters of the container id.
This allows systemd to run in a confined container without any modifications. This allows systemd to run in a confined container without any modifications.
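Review bot: the sentence "Otherwise, if set to true and the command you are running inside the container is **systemd**, **/usr/sbin/init**, **/sbin/init** or **/usr/local/sbin/init**." is carried over unchanged and is still a fragment with no main clause; since this hunk already rewrites the surrounding paragraph, consider "Otherwise, if set to **true**, systemd mode is enabled when the command ... is **systemd**, ...". Likewise "enforces the systemd mode is enforced" in the line above it reads as a leftover from two phrasings; "The value *always* enforces systemd mode without looking at the executable name" is enough. The same fixes (and the /var/lib/journal vs /var/log/journal question raised on the podman-create.1.md hunk) apply here, since the two man pages share this text.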


@ -968,6 +968,16 @@ func (c *Container) mountNotifySocket(g generate.Generator) error {
// systemd expects to have /run, /run/lock and /tmp on tmpfs // systemd expects to have /run, /run/lock and /tmp on tmpfs
// It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal // It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal
func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error { func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error {
var containerUUIDSet bool
for _, s := range c.config.Spec.Process.Env {
if strings.HasPrefix(s, "container_uuid=") {
containerUUIDSet = true
break
}
}
if !containerUUIDSet {
g.AddProcessEnv("container_uuid", c.ID()[:32])
}
options := []string{"rw", "rprivate", "nosuid", "nodev"} options := []string{"rw", "rprivate", "nosuid", "nodev"}
for _, dest := range []string{"/run", "/run/lock"} { for _, dest := range []string{"/run", "/run/lock"} {
if MountExists(mounts, dest) { if MountExists(mounts, dest) {
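Review bot: `g.AddProcessEnv("container_uuid", c.ID()[:32])` slices the ID with no length check, and nothing in this hunk guarantees that c.ID() is at least 32 characters; a guard such as `if id := c.ID(); len(id) >= 32 { g.AddProcessEnv("container_uuid", id[:32]) }` costs nothing and makes the assumption explicit. A short comment on why 32 would also help the next reader (systemd parses container_uuid as a 128-bit id, i.e. 32 hex digits, so the first 32 characters of the hex container ID form a valid value). Two smaller points: the loop only consults c.config.Spec.Process.Env, so a container_uuid entry added to the generator `g` earlier in the setup path would be missed and then overwritten; if that can happen, check g's process env as well. And this file must import "strings" for strings.HasPrefix if it does not already.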


@ -281,6 +281,13 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
is "$output" "" "output should be empty" is "$output" "" "output should be empty"
} }
@test "podman --systemd sets container_uuid" {
run_podman run --systemd=always --name test $IMAGE printenv container_uuid
container_uuid=$output
run_podman inspect test --format '{{ .ID }}'
is "${container_uuid}" "${output:0:32}" "UUID should be first 32 chars of Container id"
}
# https://github.com/containers/podman/issues/13153 # https://github.com/containers/podman/issues/13153
@test "podman rootless-netns slirp4netns process should be in different cgroup" { @test "podman rootless-netns slirp4netns process should be in different cgroup" {
is_rootless || skip "only meaningful for rootless" is_rootless || skip "only meaningful for rootless"
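Review bot: the new test "podman --systemd sets container_uuid" runs a container named test without --rm and never removes it, so it leaves the container behind after the inspect step (add `run_podman rm test` after the `is` check; --rm cannot be used because inspect needs the container to still exist). It also only exercises the default branch: the code path that preserves a user-supplied value is untested, so a second run with `--env container_uuid=...` asserting that `printenv container_uuid` echoes the supplied value would cover the other side of the new if.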