Unable to run systemd services on Docker Desktop 4.3.0

[madrover]

• I have tried with the latest version of Docker Desktop
• I have tried disabling enabled experimental features
• I have uploaded Diagnostics
• Diagnostics ID:

Expected behavior

Systemd based services in containers should start, as they have always been doing in x86 computers

Actual behavior

Systemd based services in containers do not start on M1 / Silicon computers.

Information

Hi

I've recently been given a new M1 MBP laptop where I'm trying to run a docker image with systemd that we use as part of our CI build, but I'm not able to start it successfully. We have been building and running these containers in x86 MBP for years with success, so this seems to a platform specific issue with the new M1.

• macOS Version: Monterey 12.0.1
• Intel chip or Apple chip: Apple chip
• Docker Desktop Version: 4.3.0 (71786)

Steps to reproduce the behavior

Following the instructions at https://hub.docker.com/_/centos I've created a Centos Systemd ready container with the following Dockerfile:

FROM centos:7
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]

However, when running it I get the following error:

$ docker run --rm  -ti --privileged -v /sys/fs/cgroup:/sys/fs/cgroup local/c7-systemd
Failed to insert module 'autofs4'
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture arm64.

Welcome to CentOS Linux 7 (AltArch)!

Set hostname to <6870484659ce>.
Initializing machine ID from random generator.
Cannot determine cgroup we are running in: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!!!!] Failed to allocate manager object, freezing.

I've tried to use the DOCKER_DEFAULT_PLATFORM=linux/amd64 environment variable as well, but the output and behavior is mostly the same.

$ docker run --rm  -ti --privileged -v /sys/fs/cgroup:/sys/fs/cgroup local/c7-systemd
Failed to insert module 'autofs4'
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!

Set hostname to <a2561af401fb>.
Initializing machine ID from random generator.

Failed to configure loopback device: Connection timed out
Cannot determine cgroup we are running in: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!!!!] Failed to allocate manager object, freezing.

Some unsuccessful attempts I've done:

• different combinations of the privileged setting and /sys/fs/cgroupmounts
• adding tmpfs settings, as suggested at https://stackoverflow.com/questions/36617368/docker-centos-7-with-systemctl-failed-to-mount-tmpfs-cgroup
• tweak the cgroups settings "exec-opts": ["native.cgroupdriver=systemd"], "cgroup-parent": "docker.slice", as suggested at https://serverfault.com/questions/1053187/systemd-fails-to-run-in-a-docker-container-when-using-cgroupv2-cgroupns-priva

Is there anything that can be done to overcome this issue?

Thanks!

[wpwood]

I don't think that this is an M1 issue. I see something similar on an Intel Macbook when trying to run the official Ubuntu:18.04 image on 4.3.0.

From my docker compose log:

heimdall_api          | Failed to insert module 'autofs4': No such file or directory
heimdall_api          | systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
heimdall_api          | Detected virtualization docker.
heimdall_api          | Detected architecture x86-64.
heimdall_api          |
heimdall_api          | Welcome to Ubuntu 18.04.6 LTS!
heimdall_api          |
heimdall_api          | Set hostname to <28176e1eef6a>.
heimdall_api          | Failed to create /init.scope control group: Read-only file system
heimdall_api          | Failed to allocate manager object: Read-only file system
heimdall_api          | [!!!!!!] Failed to allocate manager object, freezing.
heimdall_api          | Freezing execution.

Dropping back to Docker Desktop 4.2.0 fixes the issue. I assume that it's related to the note in the 4.3.0 release notes:

Docker Desktop now uses cgroupv2. If you need to run systemd in a container then:
* Ensure your version of systemd supports cgroupv2. It must be at least systemd 247. Consider upgrading any centos:7 images to centos:8.
* Containers running systemd need the following options: --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw.

If so, though, it's going to break a bunch of people on older images.

[madrover]

Good catch @wpwood!
That new Docker Desktop version with the behavior change regarding systemd has been released exactly the same day I had my new M1 delivered. I was wondering why I wasn't seeing more reports about this matter, now I understand... hehehe

I haven't done much testing, but I've downgraded my M1 MBP Docker Desktop to 4.2.0 and systemd services seem correct when using an aarch64 and amd64 centos:7 containers, albeit considerably slower in the second (1'' vs 30'' aprox...). Next week I'll have a go on my Intel MBP and see how it behaves.

The requirement of systemd-247 seems quite steep. At the time of writing not even Centos 8 stream has it, being systemd-239-51 its current version, see https://pkgs.org/download/systemd. So, yeah, this is going to have a noticeable impact.

[elishagreenwald]

The requirement of systemd-247 seems quite steep. At the time of writing not even Centos 8 stream has it, being systemd-239-51 its current version, see https://pkgs.org/download/systemd. So, yeah, this is going to have a noticeable impact.

+1 to this. Is there any chance you'd consider an option which version of cgroups to use so you don't break backwards compatibility? I think some folks who are using systemd with centos7 will appreciate it although who runs systemd in docker containers?!? ✋ I do, lol.

[djs55]

Thanks for the report. It looks like the release note recommending 247 is overly pessimistic (perhaps relevant changes were backported?)

Here's a Dockerfile I tried (on Windows but I think Mac should be the same)

FROM centos:7
ENV container docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
EXPOSE 80
CMD ["/usr/sbin/init"]

and here's what I ran:

PS ...> docker build -t centos-7-test .
[+] Building 0.1s (7/7) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                                                            0.0s
 => => transferring dockerfile: 32B                                                                                                                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                                                               0.0s
 => => transferring context: 2B                                                                                                                                                                                                 0.0s
 => [internal] load metadata for docker.io/library/centos:7                                                                                                                                                                     0.0s
 => [1/3] FROM docker.io/library/centos:7                                                                                                                                                                                       0.0s
 => CACHED [2/3] RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); rm -f /lib/systemd/system/multi-user.target.wants/*;rm -f /etc/systemd/system/  0.0s
 => CACHED [3/3] RUN yum -y install httpd; yum clean all; systemctl enable httpd.service                                                                                                                                        0.0s
 => exporting to image                                                                                                                                                                                                          0.0s
 => => exporting layers                                                                                                                                                                                                         0.0s
 => => writing image sha256:0490abd5374172376e312e836f0e53447648ba8e3191c7bb167e9397d0592ae8                                                                                                                                    0.0s
 => => naming to docker.io/library/centos-7-test                                                                                                                                                                                0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them

PS ...> docker run --rm --name systemd --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cgroupns=host -p 8080:80 -it centos-7-test
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!

Set hostname to <6fc030c2ff3f>.
Initializing machine ID from random generator.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Swap.
[  OK  ] Reached target Local File Systems.
[  OK  ] Created slice Root Slice.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on Journal Socket.
[  OK  ] Created slice System Slice.
[  OK  ] Reached target Slices.
         Starting Create Volatile Files and Directories...
         Starting Journal Service...
[  OK  ] Started Create Volatile Files and Directories.
[ INFO ] Update UTMP about System Boot/Shutdown is not active.
[DEPEND] Dependency failed for Update UTMP about System Runlevel Changes.
Job systemd-update-utmp-runlevel.service/start failed with result 'dependency'.
[  OK  ] Started Journal Service.
[  OK  ] Reached target System Initialization.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target Timers.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting The Apache HTTP Server...
         Starting Cleanup of Temporary Directories...
[  OK  ] Started Cleanup of Temporary Directories.
[  OK  ] Started The Apache HTTP Server.
[  OK  ] Reached target Multi-User System.

I was able to open localhost:8080 in my browser.

Could you try docker pull centos:7? It might be that patches were backported and the systemd version bumped in the latest image.

For reference I'm using

PS ...> docker run -it centos:7
[root@43b9a4866ece /]# rpm -qi systemd
Name        : systemd
Version     : 219
Release     : 78.el7
Architecture: x86_64

[djs55]

Looking more closely at your setup compared to mine, I think my command-line arguments are different:

docker run --privileged -v /sys/fs/cgroup:/sys/fs/cgroup

vs

docker run --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cgroupns=host 

[madrover]

Many thanks for your input @djs55, but I'm afraid it's not working for me, either on my arm64 nor x86 laptops. I'm using the same Dockerfile and the output on both laptops is the same:

$ docker build --no-cache -t centos-7-test .
[+] Building 48.5s (7/7) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                                                                    0.1s
 => => transferring dockerfile: 674B                                                                                                                                                                                                    0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                       0.1s
 => => transferring context: 2B                                                                                                                                                                                                         0.0s
 => [internal] load metadata for docker.io/library/centos:7                                                                                                                                                                             0.0s
 => CACHED [1/3] FROM docker.io/library/centos:7                                                                                                                                                                                        0.0s
 => [2/3] RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); rm -f /lib/systemd/system/multi-user.target.wants/*;rm -f /etc/systemd/system/*.wants/*;rm -f  0.5s
 => [3/3] RUN yum -y install httpd; yum clean all; systemctl enable httpd.service                                                                                                                                                      47.2s
 => exporting to image                                                                                                                                                                                                                  0.6s
 => => exporting layers                                                                                                                                                                                                                 0.5s
 => => writing image sha256:1a5df5220c15b54d9cfef8bbf85f499efba29616b0db7734ea1c805c00f80579                                                                                                                                            0.0s
 => => naming to docker.io/library/centos-7-test                                                                                                                                                                                        0.0s
$  docker run --rm --name systemd --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cgroupns=host -p 8080:80 -it centos-7-test
Failed to insert module 'autofs4'
Failed to create symlink /sys/fs/cgroup/net_cls: Operation not permitted

On the other hand, I've tested the same with the same Dockerfile but using centos:8 and it works flawlessly. I guess the key difference is the usage of Cgroups v2, which does not seem to be enabled by default on Centos 7 but it does on Centos 8, see https://www.redhat.com/en/blog/world-domination-cgroups-rhel-8-welcome-cgroups-v2.

Given that Centos 7 is still a supported and widely used platform, I would suggest to make the Cgroups V2 requirement in Docker for Mac optional. I don't have any data to back my assumption, but I would say that Centos 7 is still more prevalent than Centos 8 right now, specially with the the Centos license change which EOLs Centos 8 in a few weeks.

I'll downgrade Docker Desktop to 4.2.0 for now...

[wbaweto]

you can see docker desktop 4.3.0 release notes: https://docs.docker.com/desktop/mac/release-notes/

Docker Desktop now uses cgroupv2. If you need to run systemd in a container then:

Ensure your version of systemd supports cgroupv2. It must be at least systemd 247. Consider upgrading any centos:7 images to centos:8

Containers running systemd need the following options: --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw.

[junoteam]

If anybody interested how to run Ubuntu 22:04 Docker with systemd inside: rofrano/vagrant-docker-provider#5

[carlosabalde]

Temporarily downgrading to 4.2.0 here too. Is there any chance for that option to decide which version of cgroups to use?

[carlosabalde]

I've shared a few notes in systemd/systemd#19760 (comment) that I think could be useful to other people landing in this case.

[jamshid]

Just to be clear before this regression I could run systemd in a centos:7 container without --privileged and /sbin/init started fine -- systemctl status and restart worked fine. I just had to add this docker-compose-override.yml with these additional settings for my container:

  myapp:
     # Running myapp service on centos7 with systemd is a PAIN
    cap_add:
      - SYS_ADMIN
    tmpfs: /run
    volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      - container=docker

While I know it's not good practice to run systemd in a container it's important for being able to simulate a "regular" environment using containers e.g. to run QA scripts that use systemctl. I believe podman advertises systemd compatibility, seems important to maintain parity.

[djs55]

As an experiment, could you try using this development build: https://desktop-stage.docker.com/mac/main/arm64/72295/Docker.dmg You will need to edit ~/Library/Group\ Containers/group.com.docker/settings.json to add

"legacyCgroupv1": true,