%20%E5%86%85%E5%90%AF%E5%8A%A8%20systemd%20%E6%9C%8D%E5%8A%A1.png)
目前,我正尝试在 RUNC 容器内启动 systemd 服务 (avahi-daemon),但所有尝试都失败了。我遇到了几篇关于同一任务的文章,但Docker 解决方案和多一个。有人有成功完成相同任务的经验吗?
这是我的 config.json:
{
"ociVersion": "1.0.0-rc1",
"platform": {
"os": "linux",
"arch": "arm"
},
"process": {
"terminal": false,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/bin/systemctl", "start", "avahi-daemon"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_RAW",
"CAP_SYS_ADMIN",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_RAW",
"CAP_SYS_ADMIN",
"CAP_NET_BIND_SERVICE"
],
"inheritable": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_RAW",
"CAP_SYS_ADMIN",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_RAW",
"CAP_SYS_ADMIN",
"CAP_NET_BIND_SERVICE"
],
"ambient": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_RAW",
"CAP_SYS_ADMIN",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": false
},
"hostname": "runc",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"ro"
]
}
],
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_stats",
"/proc/sched_debug"
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
该配置文件发布错误:“无法连接到总线:没有此文件或目录”。
在我尝试的过程中,我尝试过:
- 将 CAP_SYS_ADMIN 功能分配给容器;
- 在容器启动时执行“/sbin/init”二进制文件并出现错误:“无法找到要生成的替代 telinit 实现。”;
- init 文件是“/lib/systemd/systemd”的符号链接,因此我也尝试直接使用该脚本,但同样出现错误:“尝试作为用户实例运行,但系统尚未使用 systemd 启动。”。
答案1
systemd 服务不能独立运行 - 只有当您的 pid 1 (init) 是 systemd 时,您才能启动它们。在容器中,这需要在已有命名空间的基础上使用 pid 命名空间。
(换句话说,systemctl 实际上并没有读取和执行这些 .service 文件根本– 它只要求 pid 1 启动相应的守护进程。)
总的来说,我认为你的 runC 设置已经复制了 systemd 的内置功能(ProtectHome=、CapabilityBoundingSet= 等)。但是如果你做想要在专用容器中运行守护进程,您只有两个选择:
使用新的 PID 命名空间运行容器,以 systemd 作为其主进程,并且有该 systemd 实例启动 avahi-daemon。(systemd-nspawn 可能比 runC 工作得更好。)
配置容器以直接启动 /usr/bin/avahi-daemon,完全不涉及 systemctl 或 avahi-daemon.service 文件。
答案2
我在 runc 中为 systemd 编写的 config.json 文件版本如下:
{
"ociVersion": "1.0.0-rc1",
"platform": {
"os": "linux",
"arch": "arm"
},
"process": {
"terminal": false,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"/sbin/init"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_KILL",
"CAP_CHOWN",
"CAP_SETGID",
"CAP_SETUID",
"CAP_NET_RAW",
"CAP_MAC_ADMIN",
"CAP_SYS_ADMIN",
"CAP_SYS_CHROOT",
"CAP_AUDIT_WRITE",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_KILL",
"CAP_CHOWN",
"CAP_SETGID",
"CAP_SETUID",
"CAP_NET_RAW",
"CAP_MAC_ADMIN",
"CAP_SYS_ADMIN",
"CAP_SYS_CHROOT",
"CAP_AUDIT_WRITE",
"CAP_NET_BIND_SERVICE"
],
"inheritable": [
"CAP_KILL",
"CAP_CHOWN",
"CAP_SETGID",
"CAP_SETUID",
"CAP_NET_RAW",
"CAP_MAC_ADMIN",
"CAP_SYS_ADMIN",
"CAP_SYS_CHROOT",
"CAP_AUDIT_WRITE",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_KILL",
"CAP_CHOWN",
"CAP_SETGID",
"CAP_SETUID",
"CAP_NET_RAW",
"CAP_MAC_ADMIN",
"CAP_SYS_ADMIN",
"CAP_SYS_CHROOT",
"CAP_AUDIT_WRITE",
"CAP_NET_BIND_SERVICE"
],
"ambient": [
"CAP_KILL",
"CAP_CHOWN",
"CAP_SETGID",
"CAP_SETUID",
"CAP_NET_RAW",
"CAP_MAC_ADMIN",
"CAP_SYS_ADMIN",
"CAP_SYS_CHROOT",
"CAP_AUDIT_WRITE",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": false
},
"hostname": "runc",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "bind",
"source": "/sys/fs/cgroup",
"options": [
"rbind",
"ro"
]
}
],
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
],
"maskedPaths": [
"/proc/kcore",
"/proc/latency_stats",
"/proc/timer_stats",
"/proc/sched_debug"
],
"readonlyPaths": [
"/proc/asound",
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}