How to start and stop docker container with systemd - docker

I am going to leave the question with answer to help anyone who has similar problem with configuring docker and systemd together.
How we can start and stop docker container with systemd?

First we will create docker image
FROM debian:stretch
RUN apt-get update \
&& apt-get install -y systemd \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN rm -f /lib/systemd/system/multi-user.target.wants/* \
/etc/systemd/system/*.wants/* \
/lib/systemd/system/local-fs.target.wants/* \
/lib/systemd/system/sockets.target.wants/*udev* \
/lib/systemd/system/sockets.target.wants/*initctl* \
/lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup* \
/lib/systemd/system/systemd-update-utmp*
# systemd should be started with PID 1
CMD [ "/lib/systemd/systemd" ]
Let's build our docker image
docker build -t test_image path_to_docker_file
Now we can create and start new container
docker run --name test_container -it -d --privileged --stop-signal RTMIN+3 test_image
Or you can start existing container
docker start test_image
Now you can attach to running container to execute some bash command for example
docker exec -it test_container bash
To stop container
docker stop test_container
IMPORTANT!!!
Do not specify ENTRYPOINT when you start container it should be always SYSTEMD, if you want to execute something do it by attaching to container
docker exec -it test_container bash (or other any commands)
You cannot start systemd during Docker image build.
Solution was tested for Docker version 2.0.0.3 on macOS

Related

Trying to copy a script into a detached Docker container, and execute it with docker exec

Right now I am setting my Docker instance running with:
sudo docker run --name docker_verify --rm \
-t -d daoplays/rust_v1.63
so that it runs in detached mode in the background. I then copy a script to that instance:
sudo docker cp verify_run_script.sh docker_verify:/.
and I want to be able to execute that script with what I expected to be:
sudo docker exec -d docker_verify bash \
-c "./verify_run_script.sh"
However, this doesn't seem to do anything. If from another terminal I run
sudo docker container logs -f docker_verify
nothing is shown. If I attach myself to the Docker instance then I can run the script myself but that sort of defeats the point of running in detached mode.
I assume I am just not passing the right arguments here, but I am really not clear what I should be doing!
When you run a command in a container you need to also allocate a pseudo-TTY if you want to see the results.
Your command should be:
sudo docker exec -t docker_verify bash \
-c "./verify_run_script.sh"
(note the -t flag)
Steps to reproduce it:
# create a dummy script
cat > script.sh <<EOF
echo This is running!
EOF
# run a container to work with
docker run --rm --name docker_verify -d alpine:latest sleep 3000
# copy the script
docker cp script.sh docker_verify:/
# run the script
docker exec -t docker_verify sh -c "chmod a+x /script.sh && /script.sh"
# clean up
docker container rm -f docker_verify
You should see This is running! in the output.

Unable to run systemd inside docker which is being run inside jenkins

I'm trying to get Jenkins to run Docker that runs SystemD.
So far I've been able to run systemd inside docker locally without Jenkins. Here are the steps to run it locally without jenkins:
# pull unop/fedora-systemd and create and run the container for it
sudo docker run --cap-add=SYS_ADMIN -e container=docker --tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro -t -i unop/fedora-systemd
# on a different terminal window, I can:
# get the container id of the "unop/fedora-systemd" image
sudo docker ps
# then exec bash on it
sudo docker container exec -t -i a98aa2bcd19e bash # where a98aa2bcd19e is the container id found above
# once inside the container, I can run systemd without any problems. examples:
systemctl status
systemctl start dbus.service
systemctl status dbus.service
The above works locally and I am able to run systemd inside the docker container.
The problem I get is when I try the same thing, but inside Jenkins.
I've tried to tweak Jenkinsfile several times, but not of my previous tries seemed to work. I always get an error when running under Jenkins similar to this:
+ systemctl status
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
This is my latest Jenkinsfile that I've tried
pipeline {
agent {
docker {
image 'unop/fedora-systemd'
args '--cap-add=SYS_ADMIN -e container=docker --tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro -t -i'
}
}
stages {
stage('test') {
steps {
sh "echo hello world"
sh "systemctl status"
sh "systemctl start dbus.service"
sh "systemctl dbus.service"
}
}
}
}
On previous iterations of the Jenkinsfile, I've tried to replace -cap-add=SYS_ADMIN -e container=docker for --privileged, but that didn't help, I still got the same errors
Anyone have an idea of how can I get this to work? Why does the above work locally, but not on Jenkins? what am I missing here?
Note: Jenkins version: 2.150.2 and this is the Dockerfile used by unop/fedora-systemd
FROM fedora:rawhide
MAINTAINER http://fedoraproject.org/wiki/Cloud
ENV container docker
RUN dnf -y update && dnf clean all
RUN dnf -y install systemd && dnf clean all && \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup", "/tmp", "/run" ]
CMD ["/usr/sbin/init"]
PS: I've seen a related question, but what they were asking is different
I did not know about the related question. Let me point out again that you do not need to run a systemd daemon in a systemd controlled container if it is just about running multiple services in it. Simply overwrite /usr/bin/systemctl with the docker-systemctl-replacement script. Then go to register it with CMD ["/usr/bin/systemctl"] as the init process of the container.
That's it. Now you can run any systemctl-start process from the operating system. It works to the extent that even provisioning with ansible/puppet scripts have no problem at all. An specficially, I am using that to provision Jenkins images with the operating system that the developers like to have as a basis. No priviledged mode required.
You may try an image that has Fedora with System D already active with this command:
docker run -d --name systemd-fedora --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-fedora
Then you just need to run:
docker exec -it systemd-fedora /bin/bash
and there you can just install, start and restart any service you need.

How to install docker in docker container?

This is my Dockerfile:
FROM golang
# RUN cat /etc/*release
RUN apt-get update
RUN apt-get -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
RUN apt-get update
RUN apt-get -y install docker-ce
RUN docker run hello-world
The golang Dockerfile is official, it bases on the
Debian GNU/Linux 8 (jessie)
So I wrote down this Dockerfile by checking the install steps from Docker Install Tutor(Debian)
But the output is
Step 8/8 : RUN docker run hello-world
---> Running in b183b8cc5d10
docker: Cannot connect to the Docker daemon at
unix:///var/run/docker.sock. Is the docker daemon running?.
See 'docker run --help'.
How to solve this problem? I want to establish docker containers in the host docker container.
I had a similar problem trying to install Docker inside a Bamboo Server image. To solve this:
first remove the line: RUN docker run hello-world from your Dockerfile
The simplest way is to just expose the Docker socket, by bind-mounting it with the -v flag or mounting a volume using Docker Compose:
docker run -v /var/run/docker.sock:/var/run/docker.sock ...
Use Docker-in-Docker for this task. They have already solved many of the problems for you.
In your .dockerfile add this line to install Docker:
RUN curl -fsSL https://get.docker.com | sh
After build is done, when running your container, add a volume mapping to the host Docker socket with the -v switch , e.g.:
docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock my-container
Then, from within the container shell, check the connection by running:
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bf420851572 my-image "bash" 8 minutes ago Up 8 minutes my-container
The easiest way is to use the official Docker-in-Docker images from https://hub.docker.com/_/docker/ with the :dind tag (which is the successor of the project Hendrikvh already mentioned).
You definitely need to use the --priviledged flag also:
docker run --privileged --name yourDockerContainerNameHere -d docker:dind
With that your Docker-in-Docker experiments should work - but be aware of the many stumbleblocks that could be in your way: https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/
//create container in privileged mode
sudo docker container run -it --name uob_20.04 --privileged=true <dockerhub-image> /bin/bash
//give access
sudo chmod ugo+rw /var/run/docker.sock
sudo nohup dockerd > /dev/null 2>&1 &
//check docker installation
docker images
Try with starting docker service before of executing any docker command.
Add this line
RUN bash service docker start
to your Dockerfile above of this line:
RUN docker run hello-world

docker inside docker container

I want to install docker inside a running docker container.
docker run -it centos:centos7
My base container is using centos, I can login to running container using docker exec. But when I try to install docker inside it using yum install -y docker it installs.
But somehow I can't start the docker service with docker -d &, it gives me error as:
INFO[0000] Option DefaultNetwork: bridge
WARN[0000] Running modprobe bridge nf_nat br_netfilter failed with message: , error: exit status 1
FATA[0000] Error starting daemon: Error initializing network controller: Error initializing bridge driver: Setup IP forwarding failed: open /proc/sys/net/ipv4/ip_forward: read-only file system
Is there a way I can install docker inside docker container or build image already having running docker? I have already seen these examples but none works for me.
The output of uname -r on the host machine:
[fedora# ~]$ uname -r
4.2.6-200.fc22.x86_64
Any help would be appreciated.
Thanks in advance
Update
Thanks to https://stackoverflow.com/a/38016704/372019 I want to show another approach.
Instead of mounting the host's docker binary, you should copy or install a container specific release of the docker binary. Since you're only using it in a client mode, you won't need to install it as a system service. You still need to mount the Docker socket into the container so that you can easily communicate with the host's Docker engine.
Assuming that you got a base image with a working Docker binary (e.g. the official docker image), the example now looks like this:
docker run\
-v /var/run/docker.sock:/var/run/docker.sock\
docker:1.12 docker info
Without actually answering your question I'd suggest you to read Using Docker-in-Docker for your CI or testing environment? Think twice.
It explains why running docker-in-docker should be replaced with a setup where Docker containers run as siblings of the "outer" or "base" container. The article also links to the original https://github.com/jpetazzo/dind project where you can find working examples how to run Docker in Docker - in case you still want to have docker-in-docker.
An example how to enable a container to access the host's Docker daemon look like this:
docker run\
-v /var/run/docker.sock:/var/run/docker.sock\
-v /usr/bin/docker:/usr/bin/docker\
busybox:latest /usr/bin/docker info
If you are on Mac with Docker toolbox.
The below command WON’T WORK
docker run\
-v /var/run/docker.sock:/var/run/docker.sock\
-v /usr/bin/docker:/usr/bin/docker\
busybox:latest /usr/bin/docker info
Because /var/run/docker.sock will not be on your OSX filesystem
the Docker daemon is running inside the boot2docker VM - and that's where the unix socket is.
So you have to run the container from boot2docker VM
$ docker-machine ssh default
$ docker run\
-v /var/run/docker.sock:/var/run/docker.sock\
-v $(which docker):/usr/bin/docker\
busybox:latest /usr/bin/docker info
$ exit
This looks like Docker-in-Docker, feels like Docker-in-Docker, but it’s not Docker-in-Docker, when this container will create more containers, those containers will be created in the top-level Docker.
You need the --privileged parameter.
By default, Docker containers are “unprivileged” and cannot, for
example, run a Docker daemon inside a Docker container.
Source
Run your base image with the command docker run --privileged -it centos:centos7 bash. Then you may install and run another docker container inside that container.
I`ve a similar problems in my vms.
I`ve solve the problem with change the storage file system from image to vfs(in daemon.json file)
like the image bellow
For image works first create a base image, in my case with centos7
FROM centos:7
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
with this image builded (in my case i called local/c7-systemd) create a second image, installing docker and moving daemon.json to inside.
FROM local/c7-systemd
RUN yum install -y yum-utils
RUN yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
RUN yum install -y docker-ce docker-ce-cli containerd.io
RUN curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
RUN chmod +x /usr/local/bin/docker-compose
RUN ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
COPY daemon.json /etc/docker/daemon.json
RUN yum install -y nano
RUN systemctl enable docker
EXPOSE 80
EXPOSE 8080
EXPOSE 8161
EXPOSE 6379
EXPOSE 8761
CMD ["/usr/sbin/init"]
enjoy!

How to 'avahi-browse' from a docker container?

I'm running a container based on ubuntu:14.04, and I need to be able to use avahi-browse inside it. However:
(.env)root#8faa2c44e53e:/opt/cluster-manager# avahi-browse -a
Failed to create client object: Daemon not running
(.env)root#8faa2c44e53e:/opt/cluster-manager# service avahi-daemon status
Avahi mDNS/DNS-SD Daemon is running
The actual problem I have is a pybonjour error; pybonjour.BonjourError: (-65537, 'unknown') but I've read that is linked to the problem with the avahi-daemon.
So; how do I connect to the avahi-daemon from the container ?
P.S. I have to switch dbus off in the avahi-daemon.conf fill to make it possible to start it, otherwise avahi-daemon won't start, with a dbus error like this:
(.env)root#8faa2c44e53e:/opt/cluster-manager# avahi-daemon
Found user 'avahi' (UID 103) and group 'avahi' (GID 107).
Successfully dropped root privileges.
avahi-daemon 0.6.31 starting up.
dbus_bus_get_private(): Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
WARNING: Failed to contact D-Bus daemon.
avahi-daemon 0.6.31 exiting.
As far I can test you can use host's avahi-daemon through Unix socket for mDNS to resolve and /var/run/dbus for avali-browse to work.
E.g.:
docker run -v /var/run/dbus:/var/run/dbus -v /var/run/avahi-daemon/socket:/var/run/avahi-daemon/socket -ti debian:10-slim bash
To test inside container:
apt-get update && apt-get install avahi-utils iputils-ping -y
ping whatever.local
avahi-browse -a
Avahi requires D-BUS in order to communicate with clients. Sounds like your docker container isn't starting the system D-BUS. If you do that, then Avahi should work.
You need D-BUS for most of Avahi's functionality (including avahi-browse) so disabling it won't really help.
There is a docker image supposedly supporting avahi from within the container. The trick seems to be to mount /var/run/dbus from the host into the container.
Note that I couldn't make it work to run this image on my 16.04. host.
I ran into the same problem getting avahi and dbus to operate correctly on Ubuntu 14.04 (specifically, I was trying to use ROS TurtleBot). I solved it by incorporating a modified version of the instructions in docker-systemd into my Dockerfile:
FROM ubuntu:14.04
RUN apt-get update &&\
apt-get install -y avahi-utils avahi-daemon libnss-mdns systemd
RUN cd /lib/systemd/system/sysinit.target.wants/;\
ls | grep -v systemd-tmpfiles-setup | xargs rm -f $1 \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*; \
rm -f /lib/systemd/system/plymouth*; \
rm -f /lib/systemd/system/systemd-update-utmp*
RUN mkdir -p /var/run/dbus
ENV init /lib/systemd/systemd
After modifying your Dockerfile to include these instructions, you should create a container using the following command:
docker run --rm --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro -it <DOCKER_IMAGE> /bin/bash
Finally, once you're inside the container, you must execute the following commands before attempting to use avahi-browse (directly or indirectly):
$ dbus-service --system
$ /etc/init.d/avahi-daemon start
Another solution is to use mdns-repeater on the host to forward mDNS packets to the Docker network
mdns-repeater eth1 docker0
I needed to add 2 parameters in my call to docker run command for avahi-browse -at command to run inside the container:
--privileged and -v /var/run/dbus:/var/run/dbus

Resources