I hope this question finds you all well.
I am currently trying to create a Docker container image and I am facing a problem.
My original idea for the Dockerfile was the following:
FROM centos:7
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
Then I save this as a base image with the command docker build -t baseimage . and so far so good.
The application's installer is a .run file which, among other things, executes something like systemctl start xxx.service (I cannot change that, and the installation will fail if this part fails).
I have already tried some things for the second Dockerfile, such as:
FROM baseimage
...
COPY xxx.run xxx.run
RUN ./xxx.run # This returns an error like "Failed to get D-Bus connection: Operation not permitted"
...
and changing the original CMD to run this script:
#! /bin/bash
/usr/sbin/init # With and without & after this one
./xxx.run
Any ideas?
2 Answers
Your build is trying to do a privileged operation. The issue is, the --privileged flag is unavailable at build time. Here's the issue, which makes an interesting reading: https://github.com/moby/moby/issues/1916

TL;DR there seem to be two possibilities with docker itself:

- RUN --security=insecure ./xxx.run, as documented here: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---securityinsecuresandbox
- docker buildx build --allow security.insecure, as documented here: https://github.com/docker/buildx/blob/master/README.md#--allowentitlement

Other solution outside docker would be to use buildah, but that's a longer shot by far. But an interesting one, especially if you work in the RedHat ecosystem, since they want to get rid of Docker in favor of Buildah/Podman. Here's the get started. Though I'm not clear about how it solves your issue, it's been highlighted as being able to deal with this kind of issue.

The case of using an installer for a non-dockerized application in a docker container … is one of the achievements that work with the docker-systemctl-replacement.