Name: oci-systemd-hook
Owner: Project Atomic
Description: OCI hook to enable running systemd in a container
Created: 2015-09-30 17:21:24.0
Updated: 2018-05-01 12:03:56.0
Pushed: 2018-05-01 12:03:54.0
Size: 180
Language: C
OCI systemd hook enables users to run systemd in Docker and OCI-compatible runtimes such as runc without requiring the --privileged flag.
This project produces a C binary that can be used with runc and Docker (with minor code changes).
If you clone this branch and build/install oci-systemd-hook, a binary named oci-systemd-hook should be placed in /usr/libexec/oci/hooks.d.
When Docker or OCI runc containers are run with this executable installed, oci-systemd-hook is called just before a container is started and after it is provisioned. If the CMD to run inside the container is init or systemd, this hook configures the container image to run a systemd environment. For all other CMDs, this hook simply exits.
When oci-systemd-hook detects systemd inside of the container it does the following:
When the container stops, these file systems will be unmounted.
systemd is expected to run within the container without requiring the --privileged option. However, you will still need to specify a special --stop-signal. Standard Docker containers send SIGTERM to PID 1, but systemd does not shut down properly when it receives a SIGTERM; systemd specifies that it must receive the RTMIN+3 signal to shut down properly.
Usage
If you created a container image based on a Dockerfile like the following:

```dockerfile
FROM fedora:latest
ENV container docker
RUN yum -y update && yum -y install httpd && yum clean all
RUN systemctl mask dnf-makecache.timer && systemctl enable httpd
CMD [ "/sbin/init" ]
```

(The systemctl mask dnf-makecache.timer line is a workaround for a container base image bug.)
You should then be able to execute the following commands:

```shell
docker build -t httpd .
docker run -ti --stop-signal=RTMIN+3 httpd
```
If you run this hook along with the oci-register-machine OCI hook, you will be able to show the container's journal information on the host using journalctl:

```shell
journalctl -M CONTAINER_UUID
```
Disabling oci-systemd-hook
To disable oci-systemd-hook for a particular run, which is primarily useful in an Atomic Host environment, set the environment variable oci-systemd-hook to disabled. This prevents oci-systemd-hook from being run for that invocation. A sample usage is:

```shell
docker run --env oci-systemd-hook=disabled -it --rm fedora /bin/bash
```
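The two rules above (the hook acts only when the container's command is init or systemd, and an oci-systemd-hook=disabled environment variable skips it for one invocation) can be illustrated with a small decision routine. The following is an added example written for this page; it is not the project's own C code. It assumes the OCI prestart convention that the runtime writes the container state JSON (id, pid, bundle) to the hook's stdin and that the hook then reads <bundle>/config.json for process.args and process.env, and it assumes the match is made on the basename of the first argument. The state and config documents are constructed samples.

```python
import json
import os

# Constructed sample of the state JSON an OCI runtime passes to a prestart
# hook on stdin. The id, pid and bundle path are placeholders.
SAMPLE_STATE = json.dumps({
    "ociVersion": "1.0.0",
    "id": "example-container-id",      # placeholder, not a real container id
    "status": "created",
    "pid": 4242,                        # constructed
    "bundle": "/tmp/example-bundle",    # placeholder bundle path
})

# Constructed <bundle>/config.json fragments (only the fields consulted here).
SAMPLE_CONFIG_SYSTEMD = {
    "process": {
        "args": ["/sbin/init"],
        "env": ["PATH=/usr/sbin:/usr/bin", "container=docker"],
    }
}
SAMPLE_CONFIG_DISABLED = {
    "process": {
        "args": ["/sbin/init"],
        "env": ["PATH=/usr/sbin:/usr/bin", "oci-systemd-hook=disabled"],
    }
}
SAMPLE_CONFIG_SHELL = {
    "process": {"args": ["/bin/bash"], "env": ["PATH=/usr/bin"]}
}

SYSTEMD_COMMANDS = ("init", "systemd")   # CMD names the README says trigger the hook
DISABLE_VAR = "oci-systemd-hook"         # env var name from the README
DISABLE_VALUE = "disabled"


def env_to_dict(env_list):
    """OCI stores env as ["KEY=VALUE", ...]; split on the first '=' only so
    values that themselves contain '=' survive. Entries without '=' are dropped."""
    out = {}
    for entry in env_list:
        key, sep, value = entry.partition("=")
        if sep:
            out[key] = value
    return out


def should_configure_systemd(config):
    """Return (decision, reason) for a parsed config.json.

    The disable variable is checked before the command so an operator can
    always opt out, even when the container command really is systemd.
    """
    process = config.get("process") or {}
    args = process.get("args") or []
    if not args:
        return False, "no process args"
    env = env_to_dict(process.get("env") or [])
    if env.get(DISABLE_VAR) == DISABLE_VALUE:
        return False, "disabled via environment variable"
    cmd = os.path.basename(args[0])
    if cmd in SYSTEMD_COMMANDS:
        return True, "command %r is systemd" % cmd
    return False, "command %r is not systemd" % cmd


def decide_from_state(state_json, read_config):
    """Parse the runtime state from stdin text, locate the bundle's config.json
    and decide. read_config(path) is injected so the routine can be exercised
    without a real bundle on disk (hypothetical loader, not an OCI API)."""
    state = json.loads(state_json)
    config_path = os.path.join(state["bundle"], "config.json")
    return should_configure_systemd(read_config(config_path))


if __name__ == "__main__":
    for name, cfg in (("systemd", SAMPLE_CONFIG_SYSTEMD),
                      ("disabled", SAMPLE_CONFIG_DISABLED),
                      ("shell", SAMPLE_CONFIG_SHELL)):
        print(name, decide_from_state(SAMPLE_STATE, lambda _path, c=cfg: c))
```

Running the block prints one decision per constructed config: the init container is configured, the same container with oci-systemd-hook=disabled in its environment is skipped, and a /bin/bash container is left alone. A hook like this runs as root on the host, so the parsing stays conservative: missing fields are treated as "do nothing" rather than raising.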
To build and install
Prior to installing oci-systemd-hook, install the following packages on your Linux distribution:
In Fedora, you can use this command:
```shell
dnf -y install \
    autoconf \
    automake \
    gcc \
    git \
    go-md2man \
    libmount-devel \
    libselinux-devel \
    yajl-devel
```
Then clone this branch and follow these steps:
```shell
git clone https://github.com/projectatomic/oci-systemd-hook
cd oci-systemd-hook
autoreconf -i
./configure --libexecdir=/usr/libexec/oci/hooks.d
make install
```