- Older blog post, but it covers the permissions and why you should use systemd as a container init: https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
- I found the `setsebool` command because I tried the command at the end of that article above and noticed SELinux errors on my host.
Last active January 17, 2018 22:08
Unprivileged lighttpd container with systemd init on centos7
# Dockerfile for lighttpd
FROM centos/systemd
# Steps are chained with && so that a failed step fails the build instead of being silently skipped.
RUN yum install -y epel-release && \
    yum update -y && \
    yum install -y lighttpd && \
    yum clean all && \
    rm -rf /var/cache/yum/* && \
    systemctl enable lighttpd
# This might just be fixed, but I read that this signal is what systemd wants to see for a "shutdown" signal.
STOPSIGNAL SIGRTMIN+3
EXPOSE 80
CMD ["/sbin/init"]
# Build the image
docker build -t lighttpd .

# Allow containers to manage cgroups - needed for systemd init.
# This is way safer than running the container with --privileged.
setsebool -P container_manage_cgroup 1

# Run the container
docker run -ti -p8000:80 lighttpd

# You'll see the output of systemd showing the successful start of the
# lighttpd service and the other units it brings up on boot (journald, etc.).
# The network ports above don't work as intended. From inside the container I can
# `curl localhost` just fine. I can't `curl localhost:8000` from the host. I'll update this gist when I figure it out.
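The whole point of the `setsebool` step above is that the systemd-init container can run without `--privileged`. The following preflight check is an added example, not part of the gist: it confirms that the `container_manage_cgroup` boolean is on and that a running container was not started privileged. The functions take command output as text (parsed with plain `grep`/`case`, no `jq`) so they can be exercised offline against the constructed sample strings at the bottom; on a real host you would feed them the output of `getsebool container_manage_cgroup` and `docker inspect <container>` instead.

```shell
#!/bin/sh
# Added preflight check (example code, not from the gist): verify the host is set up so the
# systemd-init container runs WITHOUT --privileged.
# Assumption: each function receives command output as a string, so the logic runs offline.

# Returns 0 when a getsebool line reports container_manage_cgroup as "on", 1 otherwise.
# Expected input shape: "container_manage_cgroup --> on"
bool_is_on() {
    case "$1" in
        *"container_manage_cgroup --> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when docker inspect JSON shows HostConfig.Privileged == false, 1 otherwise.
# The regex tolerates any amount of whitespace after the colon.
container_is_unprivileged() {
    printf '%s\n' "$1" | grep -q '"Privileged": *false'
}

# Runs both checks, prints a verdict per check, and returns nonzero if any check failed.
preflight() {
    bool_line="$1"
    inspect_json="$2"
    rc=0
    if bool_is_on "$bool_line"; then
        echo "ok: container_manage_cgroup is on (systemd may manage its cgroup under SELinux)"
    else
        echo "fail: run 'setsebool -P container_manage_cgroup 1' rather than using --privileged"
        rc=1
    fi
    if container_is_unprivileged "$inspect_json"; then
        echo "ok: container is not running privileged"
    else
        echo "fail: container was started with --privileged (or Privileged is missing)"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_BOOL_ON='container_manage_cgroup --> on'
SAMPLE_BOOL_OFF='container_manage_cgroup --> off'
SAMPLE_INSPECT_OK='[{"HostConfig": {"Privileged": false, "PortBindings": {"80/tcp": [{"HostPort": "8000"}]}}}]'
SAMPLE_INSPECT_PRIV='[{"HostConfig": {"Privileged": true}}]'

# On a live host, run instead:
#   preflight "$(getsebool container_manage_cgroup)" "$(docker inspect <container-id>)"
preflight "$SAMPLE_BOOL_ON" "$SAMPLE_INSPECT_OK"
```

The check deliberately treats a missing `Privileged` key as a failure: an absent field is not evidence that the container is unprivileged, so the script only reports "ok" when it sees the value explicitly.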