Skip to content

Commit

Permalink
When running systemd in a container set container_uuid
Browse files Browse the repository at this point in the history
systemd expects the container_uuid environment variable be set
when it is running in a container.

Fixes: #13187

Signed-off-by: Daniel J Walsh <[email protected]>
  • Loading branch information
rhatdan committed Mar 23, 2022
1 parent f049cba commit 5e28cbc
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 23 deletions.
23 changes: 14 additions & 9 deletions docs/source/markdown/podman-create.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -1020,15 +1020,20 @@ Run container in systemd mode. The default is *true*.

The value *always* enforces the systemd mode is enforced without
looking at the executable name. Otherwise, if set to true and the
command you are running inside the container is systemd, /usr/sbin/init,
/sbin/init or /usr/local/sbin/init.

If the command you are running inside of the container is systemd,
Podman will setup tmpfs mount points in the following directories:

/run, /run/lock, /tmp, /sys/fs/cgroup/systemd, /var/lib/journal

It will also set the default stop signal to SIGRTMIN+3.
command you are running inside the container is **systemd**, **/usr/sbin/init**,
**/sbin/init** or **/usr/local/sbin/init**.

Running the container in systemd mode causes the following changes:

* Podman mounts tmpfs file systems on the following directories
* _/run_
* _/run/lock_
* _/tmp_
* _/sys/fs/cgroup/systemd_
* _/var/lib/journal_
* Podman sets the default stop signal to **SIGRTMIN+3**.
* Podman sets **container_uuid** environment variable in the container to the
first 32 characters of the container id.

This allows systemd to run in a confined container without any modifications.

Expand Down
29 changes: 15 additions & 14 deletions docs/source/markdown/podman-run.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -1082,20 +1082,21 @@ Note: if you use the **--network=host** option, these sysctls will not be allowe
Run container in systemd mode. The default is **true**.

The value *always* enforces the systemd mode is enforced without
looking at the executable name. Otherwise, if set to **true** and the
command you are running inside the container is systemd, _/usr/sbin/init_,
_/sbin/init_ or _/usr/local/sbin/init_.

If the command you are running inside of the container is systemd
Podman will setup tmpfs mount points in the following directories:

- _/run_
- _/run/lock_
- _/tmp_
- _/sys/fs/cgroup/systemd_
- _/var/lib/journal_

It will also set the default stop signal to **SIGRTMIN+3**.
looking at the executable name. Otherwise, if set to true and the
command you are running inside the container is **systemd**, **/usr/sbin/init**,
**/sbin/init** or **/usr/local/sbin/init**.

Running the container in systemd mode causes the following changes:

* Podman mounts tmpfs file systems on the following directories
* _/run_
* _/run/lock_
* _/tmp_
* _/sys/fs/cgroup/systemd_
* _/var/lib/journal_
* Podman sets the default stop signal to **SIGRTMIN+3**.
* Podman sets **container_uuid** environment variable in the container to the
first 32 characters of the container id.

This allows systemd to run in a confined container without any modifications.

Expand Down
10 changes: 10 additions & 0 deletions libpod/container_internal_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -968,6 +968,16 @@ func (c *Container) mountNotifySocket(g generate.Generator) error {
// systemd expects to have /run, /run/lock and /tmp on tmpfs
// It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal
func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error {
var containerUUIDSet bool
for _, s := range c.config.Spec.Process.Env {
if strings.HasPrefix(s, "container_uuid=") {
containerUUIDSet = true
break
}
}
if !containerUUIDSet {
g.AddProcessEnv("container_uuid", c.ID()[:32])
}
options := []string{"rw", "rprivate", "nosuid", "nodev"}
for _, dest := range []string{"/run", "/run/lock"} {
if MountExists(mounts, dest) {
Expand Down
7 changes: 7 additions & 0 deletions test/system/250-systemd.bats
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,13 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
is "$output" "" "output should be empty"
}

@test "podman --systemd sets container_uuid" {
run_podman run --systemd=always --name test $IMAGE printenv container_uuid
container_uuid=$output
run_podman inspect test --format '{{ .ID }}'
is "${container_uuid}" "${output:0:32}" "UUID should be first 32 chars of Container id"
}

# https://github.com/containers/podman/issues/13153
@test "podman rootless-netns slirp4netns process should be in different cgroup" {
is_rootless || skip "only meaningful for rootless"
Expand Down

0 comments on commit 5e28cbc

Please sign in to comment.