Unprivileged lighttpd container with systemd init on centos7

Dockerfile

# Dockerfile for lighttpd

FROM centos/systemd

RUN yum install -y epel-release; \
        yum update -y; \
        yum install -y lighttpd; \
        yum clean all; \
        rm -rf /var/cache/yum/*; \
        systemctl enable lighttpd;

# This might just be fixed, but I read that this signal is what systemd wants to see for a "shutdown" signal.
STOPSIGNAL SIGRTMIN+3
EXPOSE 80

CMD ["/sbin/init"]

execute_on_host.sh

# Build the image
docker build -t lighttpd .

# Allow containers to manage cgroups - needed for systemd init
# This is way safer that running privileged
setsebool -P container_manage_cgroup 1

# Run the container
docker run -ti  -p8000:80  lighttpd

# You'll see the output of systemd showing the successful loading of the 
# lighttpd services and the other processes it does on startup (like journald, etc)

# The network ports above don't work as intended. From inside the container I can 
# `curl localhost` just fine. I can't `curl localhost:8000` from the host. I'll update this gist when I figure it out.

References.md

References

• Older blog post, but covered the permissions and why you might should use systemd for a container init. https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
• I found the setsebool command b/c I tried the command at the end of ^^ that article and noticed selinux errors on my host