Is systemd possible in a rootless Podman container?

Reposted. Author: 行者123. Updated: 2023-12-05 04:41:48

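I would like to know whether it is possible to run a rootless podman container with systemd enabled inside the container (not to be confused with systemd services that control the container itself at the host system level!)? If so, what do I need?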

Here is a simple Dockerfile that I have been trying to run as an unprivileged user (it runs fine as the root user!):

FROM ubuntu:focal         

RUN apt-get -qqy update && apt-get -qqy --no-install-recommends install \
init

# Start the systemd Init service by default
CMD ["/sbin/init"]

I noticed that the following happens during $podman build -t foo:latest . This also happens for the root user, by the way, so it is probably unrelated to the problem:

...
Setting up systemd (245.4-4ubuntu3.13) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service → /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target → /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /lib/systemd/system/systemd-resolved.service.
Created symlink /etc/systemd/system/multi-user.target.wants/systemd-resolved.service → /lib/systemd/system/systemd-resolved.service.
ln: failed to create symbolic link '/etc/resolv.conf': Device or resource busy
Created symlink /etc/systemd/system/multi-user.target.wants/ondemand.service → /lib/systemd/system/ondemand.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service → /lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Cannot set file attribute for '/var/log/journal', value=0x00800000, mask=0x00800000, ignoring: Input/output error
...

Running a container from that image via $podman run -d foo:latest results in a 255 error, which I cannot debug any further. podman ps output:

427b3ce050dc  localhost/foo:latest                  /sbin/init            6 seconds ago   Exited (255) 7 seconds ago                            quirky_poincare

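My podman version is 3.3.1. Does anyone know what is going on here? As mentioned, building and running the same container as root from the same Dockerfile results in systemd running perfectly inside the container!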

Update

I enabled lingering for the user via loginctl enable-linger $user:

Enable/disable user lingering for one or more users. If enabled for a specific user, a user manager is spawned for the user at boot and kept around after logouts. This allows users who are not logged in to run long-running services. Takes one or more user names or numeric UIDs as argument. If no argument is specified, enables/disables lingering for the user of the session of the caller.

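See the manpage for more details.

Best answer

Yes, it is possible to run systemd in a rootless Podman container.

I tried out your example with Podman 3.4.1 on a Fedora 35 laptop. It seems to work. Maybe you ran into a bug that was later fixed in a newer Podman version?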

[testuser@laptop ~]$ cat /etc/fedora-release 
Fedora release 35 (Thirty Five)
[testuser@laptop ~]$ podman --version
podman version 3.4.1
[testuser@laptop ~]$ mkdir testdir
[testuser@laptop ~]$ cd testdir
[testuser@laptop testdir]$ emacs Dockerfile
[testuser@laptop testdir]$ cat Dockerfile
FROM ubuntu:focal

RUN apt-get -qqy update && apt-get -qqy --no-install-recommends install \
init

# Start the systemd Init service by default
CMD ["/sbin/init"]
[testuser@laptop e]$ podman build -t foo:latest .
STEP 1/3: FROM ubuntu:focal
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:focal...
Getting image source signatures
Copying blob 7b1a6ab2e44d done
Copying config ba6acccedd done
Writing manifest to image destination
Storing signatures
STEP 2/3: RUN apt-get -qqy update && apt-get -qqy --no-install-recommends install init
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libapparmor1:amd64.
(Reading database ... 4127 files and directories currently installed.)
Preparing to unpack .../00-libapparmor1_2.13.3-7ubuntu5.1_amd64.deb ...
Unpacking libapparmor1:amd64 (2.13.3-7ubuntu5.1) ...
Selecting previously unselected package libcap2:amd64.
Preparing to unpack .../01-libcap2_1%3a2.32-1_amd64.deb ...
Unpacking libcap2:amd64 (1:2.32-1) ...
Selecting previously unselected package libargon2-1:amd64.
Preparing to unpack .../02-libargon2-1_0~20171227-0.2_amd64.deb ...
Unpacking libargon2-1:amd64 (0~20171227-0.2) ...
Selecting previously unselected package libdevmapper1.02.1:amd64.
Preparing to unpack .../03-libdevmapper1.02.1_2%3a1.02.167-1ubuntu1_amd64.deb ...
Unpacking libdevmapper1.02.1:amd64 (2:1.02.167-1ubuntu1) ...
Selecting previously unselected package libjson-c4:amd64.
Preparing to unpack .../04-libjson-c4_0.13.1+dfsg-7ubuntu0.3_amd64.deb ...
Unpacking libjson-c4:amd64 (0.13.1+dfsg-7ubuntu0.3) ...
Selecting previously unselected package libssl1.1:amd64.
Preparing to unpack .../05-libssl1.1_1.1.1f-1ubuntu2.9_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1f-1ubuntu2.9) ...
Selecting previously unselected package libcryptsetup12:amd64.
Preparing to unpack .../06-libcryptsetup12_2%3a2.2.2-3ubuntu2.3_amd64.deb ...
Unpacking libcryptsetup12:amd64 (2:2.2.2-3ubuntu2.3) ...
Selecting previously unselected package libip4tc2:amd64.
Preparing to unpack .../07-libip4tc2_1.8.4-3ubuntu2_amd64.deb ...
Unpacking libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Selecting previously unselected package libkmod2:amd64.
Preparing to unpack .../08-libkmod2_27-1ubuntu2_amd64.deb ...
Unpacking libkmod2:amd64 (27-1ubuntu2) ...
Selecting previously unselected package systemd-timesyncd.
Preparing to unpack .../09-systemd-timesyncd_245.4-4ubuntu3.13_amd64.deb ...
Unpacking systemd-timesyncd (245.4-4ubuntu3.13) ...
Selecting previously unselected package systemd.
Preparing to unpack .../10-systemd_245.4-4ubuntu3.13_amd64.deb ...
Unpacking systemd (245.4-4ubuntu3.13) ...
Setting up libapparmor1:amd64 (2.13.3-7ubuntu5.1) ...
Setting up libcap2:amd64 (1:2.32-1) ...
Setting up libargon2-1:amd64 (0~20171227-0.2) ...
Setting up libdevmapper1.02.1:amd64 (2:1.02.167-1ubuntu1) ...
Setting up libjson-c4:amd64 (0.13.1+dfsg-7ubuntu0.3) ...
Setting up libssl1.1:amd64 (1.1.1f-1ubuntu2.9) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.)
debconf: falling back to frontend: Teletype
Setting up libcryptsetup12:amd64 (2:2.2.2-3ubuntu2.3) ...
Setting up libip4tc2:amd64 (1.8.4-3ubuntu2) ...
Setting up libkmod2:amd64 (27-1ubuntu2) ...
Setting up systemd-timesyncd (245.4-4ubuntu3.13) ...
Created symlink /etc/systemd/system/dbus-org.freedesktop.timesync1.service → /lib/systemd/system/systemd-timesyncd.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service → /lib/systemd/system/systemd-timesyncd.service.
Setting up systemd (245.4-4ubuntu3.13) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service → /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target → /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/dbus-org.freedesktop.resolve1.service → /lib/systemd/system/systemd-resolved.service.
Created symlink /etc/systemd/system/multi-user.target.wants/systemd-resolved.service → /lib/systemd/system/systemd-resolved.service.
ln: failed to create symbolic link '/etc/resolv.conf': Device or resource busy
Created symlink /etc/systemd/system/multi-user.target.wants/ondemand.service → /lib/systemd/system/ondemand.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service → /lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Selecting previously unselected package systemd-sysv.
(Reading database ... 4939 files and directories currently installed.)
Preparing to unpack .../systemd-sysv_245.4-4ubuntu3.13_amd64.deb ...
Unpacking systemd-sysv (245.4-4ubuntu3.13) ...
Setting up systemd-sysv (245.4-4ubuntu3.13) ...
Selecting previously unselected package init.
(Reading database ... 4956 files and directories currently installed.)
Preparing to unpack .../archives/init_1.57_amd64.deb ...
Unpacking init (1.57) ...
Setting up init (1.57) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
--> 8365295f680
STEP 3/3: CMD ["/sbin/init"]
COMMIT foo:latest
--> c5943cdefb8
Successfully tagged localhost/foo:latest
c5943cdefb8da63207de2195d08a00588ba1a725c9203f0642d2d070c505e717
[testuser@laptop testdir]$ podman run -d foo:latest
717f98bc12cd59297073985582f1c4cbc5718595da66ac8a1ee750b9e44bba10
[testuser@laptop testdir]$ podman logs 717f98bc12cd59297073985582f1c4cbc5718595da66ac8a1ee750b9e44bba10
[testuser@laptop testdir]$ podman container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
717f98bc12cd localhost/foo:latest /sbin/init 15 seconds ago Up 15 seconds ago laughing_nobel
[testuser@laptop testdir]$ podman container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
717f98bc12cd localhost/foo:latest /sbin/init 31 seconds ago Up 31 seconds ago laughing_nobel
[testuser@laptop testdir]$ podman container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
717f98bc12cd localhost/foo:latest /sbin/init 4 minutes ago Up 4 minutes ago laughing_nobel
[testuser@laptop testdir]$
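
A host-side check for the situation in this thread, as an added example that is not part of the original question or answer: it extracts the exit code from a `podman ps` row, compares the installed Podman version with the 3.4.1 the answer tested, and reports the cgroup hierarchy and the linger state. The helper names and the script name are made up for illustration, and the cgroup check rests on an assumption the post does not state (systemd as PID 1 needs a writable cgroup, which a rootless container gets only on a cgroup v2 host).

```shell
#!/bin/sh
# Added example: host checks for running systemd in a rootless Podman container.
# KNOWN_GOOD is the version the answer reports working; helper names are made up.
KNOWN_GOOD=3.4.1

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# exit_code_of ROW: print N from "Exited (N)" in a `podman ps` row;
# prints nothing for a container that is still up.
exit_code_of() {
    printf '%s\n' "$1" | sed -n 's/.*Exited (\([0-9][0-9]*\)).*/\1/p'
}

# cgroup_mode: "v2" when /sys/fs/cgroup is the unified hierarchy, otherwise "v1".
cgroup_mode() {
    if [ "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" = cgroup2fs ]; then
        echo v2
    else
        echo v1
    fi
}

# linger_state [USER]: print "yes" or "no" as reported by systemd-logind.
linger_state() {
    loginctl show-user "${1:-$(id -un)}" --property=Linger 2>/dev/null | cut -d= -f2
}

preflight() {
    ver=$(podman --version 2>/dev/null | awk '{print $3}') || ver=""
    echo "podman version: ${ver:-not found}"
    if [ -n "$ver" ] && version_lt "$ver" "$KNOWN_GOOD"; then
        echo "  older than $KNOWN_GOOD, the version the answer tested"
    fi
    mode=$(cgroup_mode)
    echo "cgroup hierarchy: $mode"
    # Assumption, not from the post: on a v1 host a rootless container has no
    # writable cgroup tree, which systemd needs when it runs as PID 1.
    [ "$mode" = v2 ] || echo "  v1 host: no writable cgroup for systemd in a rootless container"
    echo "linger for $(id -un): $(linger_state)"
}

# Run the report only when asked, e.g. `sh preflight.sh check`.
if [ "${1:-}" = check ]; then preflight; fi
```
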

Regarding "Is systemd possible in a rootless Podman container?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/69975828/
