CentOS Image Issue on Docker-Compose/Kubernetes Yaml file

7/9/2018

I have a Dockerfile that runs fine with CentOS as a base image and systemd enabled, as suggested in the CentOS official Docker Hub image documentation - https://hub.docker.com/_/centos/.

I have to start my container using the following command:

docker run -d -p 8080:8080  -e "container=docker" --privileged=true -d --security-opt seccomp:unconfined --cap-add=SYS_ADMIN -v /sys/fs/cgroup:/sys/fs/cgroup:ro myapplicationImage bash -c "/usr/sbin/init"

Up to this point everything works like a charm: I can run my image and everything works fine. I'm trying to deploy my image to Azure Container Service, so I was trying to create a YAML file that uses this Docker image and creates a cluster.

My YAML file looks like this.

apiVersion: apps/v2beta1
kind: Deployment
metadata:
  name: myapp-test
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: myapp-test
    spec:
      containers:
      - name: myapp-test
        image: myappregistry.azurecr.io/myapp-test:1.0
        ports:
        - containerPort: 8080
        args: ["--allow-privileged=true","bash"]
        securityContext:
          capabilities:
            add: ["SYS_ADMIN"]
          privileged: true
        command: [ "-c","/usr/sbin/init" ]
      imagePullSecrets:
        - name: myapp-secret-test      
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-test
spec:
  type: LoadBalancer
  ports:
  - port: 8080
  selector:
    app: myapp-test

This doesn't spin up my image. The above is a Kubernetes cluster YAML file. I've also tried Docker Compose.

version: '3'

services:
  myapp-test:
    build: ./myapp-folder
    environment:
      - container=docker
    volumes:
      - ./sys/fs/cgroup:/sys/fs/cgroup:ro
    ports:
      - "8082:8080"
    privileged: true
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined 
    command: "/usr/sbin/init"  

Both of these configurations fail to create containers. I'm using the same configuration as in the docker run command above, converted into YAML. The run command works and I can access my application, but the YAML files fail. Am I missing anything?

Here is my Kubernetes error:

➜  $ kubectl get po --watch                 
NAME                            READY     STATUS              RESTARTS   AGE
myapp-test-6957c57f6c-zmbt6   0/1       RunContainerError   4          9m
myapp-test-6957c57f6c-zmbt6   0/1       CrashLoopBackOff   4         9m

➜  $ kubectl get svc --watch                                   
NAME           TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)          AGE
myapp-test   LoadBalancer   10.0.X.XXX   120.XXX.XX.XXX   8080:30150/TCP   12m
kubernetes     ClusterIP      10.0.0.1      <none>         443/TCP          43m

In case of Docker Compose:

The container starts fine, but the service inside my application fails to start. I cannot reach localhost:8080, but the container keeps running.

I'm wondering whether it has something to do with my systemd-enabled container when running it under Compose or in the cluster?

Thanks!

-- Siddhartha Thota
azure
docker
docker-compose
kubernetes

2 Answers

7/15/2018

I figured it out. I need to add some additional configuration to my CentOS image to enable systemd.

# named (DNS server) service
RUN yum install -y bind bind-utils
RUN systemctl enable named.service

# web server service
RUN yum install -y nginx
RUN systemctl enable nginx.service

# Without this, init won't start the enabled services, and exec'ing and starting
# them reports "Failed to get D-Bus connection: Operation not permitted".
VOLUME /run /tmp

Now my docker container is up and running.

Thanks :)

-- Siddhartha Thota
Source: StackOverflow

7/10/2018

According to the fine manual, if you provide command: it supersedes ENTRYPOINT, and args: supersedes CMD, meaning the final "command" that your image runs is:

-c /usr/sbin/init --allow-privileged=true bash

which looks very suspicious with the leading -c, especially since your docker-compose.yml only contains /usr/sbin/init.

-- mdaniel
Source: StackOverflow
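A Deployment that mirrors the working docker run command from the question field by field, added here as an illustration and not part of either answer. It assumes the same image name and pull secret as the question and a cluster that permits privileged pods; the apiVersion is apps/v1, which requires a selector.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp-test
  template:
    metadata:
      labels:
        app: myapp-test
    spec:
      containers:
      - name: myapp-test
        image: myappregistry.azurecr.io/myapp-test:1.0
        # bash -c "/usr/sbin/init" in docker run: run init directly as PID 1
        # and pass no args. Kubernetes never prepends "-c", and
        # --allow-privileged is a kubelet/apiserver flag, not an init argument.
        command: ["/usr/sbin/init"]
        env:
        - name: container             # -e "container=docker"
          value: docker
        ports:
        - containerPort: 8080         # -p 8080:8080 (exposed via the Service)
        volumeMounts:
        - name: cgroup                # -v /sys/fs/cgroup:/sys/fs/cgroup:ro
          mountPath: /sys/fs/cgroup
          readOnly: true
        securityContext:
          # --privileged=true already grants every capability and host device
          # access, so a separate SYS_ADMIN add is redundant. A privileged pod
          # can reach the node itself: keep its scope to this workload and
          # restrict who may deploy it. At the time of the question Kubernetes
          # applied no seccomp profile unless one was requested, so the
          # seccomp:unconfined flag needs no counterpart here.
          privileged: true
      volumes:
      - name: cgroup
        hostPath:
          path: /sys/fs/cgroup
          type: Directory
      imagePullSecrets:
      - name: myapp-secret-test
```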