Solving the error "Failed to get D-Bus connection: No such file or directory" when using Docker on a Mac M1

0x00 Preface

I recently installed the CentOS 7 Docker image on a Mac and wanted to start an sshd service with the command:

$ systemctl start sshd

As a result, an error message is prompted when starting the sshd service:

Failed to get D-Bus connection: No such file or directory

0x01 Operating environment

Component          Version
macOS              Monterey 12.0.1
Chip               M1
Docker Desktop     4.15.0

0x02 Problem analysis

D-Bus is an efficient and easy-to-use inter-process communication mechanism, similar to sockets.
D-Bus has two kinds of bus: the system bus, which carries communication and messages between the system (Linux) and user programs, and the session bus, which is used for communication between user programs.

Because systemctl communicates with systemd over D-Bus, a D-Bus error means that there is a problem either with the client or with systemd. Here the problem is confirmed to be with systemd: the systemd process in the container has not started.

What is systemctl?

That’s because “systemctl” talks to the systemd daemon by using the d-bus. In a container there is no systemd-daemon. Asking for a start will probably not quite do what you expect - the dev-mapping need to be a bit longer.

systemd is a program integrated with cgroup to manage system resources. If there is a problem with cgroup here, it will cause problems with systemd.

The Docker Desktop 4.3.0 release notes say:

Docker Desktop now uses cgroupv2. If you need to run systemd in a container then:
Ensure your version of systemd supports cgroupv2. It must be at least systemd 247. Consider upgrading any centos:7 images to centos:8.
Containers running systemd need the following options: --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw.

In other words:
Docker Desktop uses cgroups v2 from version 4.3.0 onwards. If you want to run systemd in a container:
Method 1: Make sure your systemd version supports cgroups v2; the minimum systemd version is 247. You can consider upgrading directly from centos7 to centos8.
Method 2: Run the systemd container with the following parameters: --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw

So what is a cgroup?

Cgroups is short for control groups. It is a mechanism provided by the Linux kernel that can limit, account for, and isolate the physical resources used by groups of processes. It was first proposed by Google engineers and later integrated into the Linux kernel. Cgroups therefore provide a basic guarantee for container virtualization and are the cornerstone of virtualization management tools such as Docker and LXC.

Docker containers are implemented on top of Linux namespaces, which provide isolation of the file system, processes, and system resources such as CPU, memory and network.

Once process-level isolation of virtual resources is solved, the main remaining problem is how to limit the resource usage of multiple containers. Control Groups (CGroups for short) can isolate physical resources on the host machine, such as CPU, memory, disk I/O and network bandwidth.

Linux CGroups can allocate resources to a group of processes, that is, the CPU, memory, network bandwidth and other resources mentioned above. Through the allocation of resources, CGroup can provide the following functions:

In cgroups v1, resources such as cpu, memory, and devices are defined in the /sys/fs/cgroup directory. Creating a new cgroup means creating a group directory under each of these resources. For example, when docker creates a new container, a docker folder appears under the cpu directory. Under the docker folder there is a directory named 5ada8be1dadb9d66f565a1d58b214df37c630c80022e5d141282d17ab8248e97, where 5ada8xxxx is the hash of the container.

sh-4.2# ls /sys/fs/cgroup/
blkio  cpu  cpu,cpuacct  cpuacct  cpuset  devices  freezer  hugetlb  memory  net_cls  net_cls,net_prio  net_prio  perf_event  pids  rdma  systemd

cgroup v1 grants overly broad permissions, and its confused isolation strategy leads to some security problems. cgroup v2 allows the docker daemon to run without root permission, which reduces security problems such as container escape caused by excessive container permissions.
Therefore, cgroup v2 is used in Docker Desktop 4.3.0, while the default systemd version of centos7 is 216. The two are incompatible, which is why systemctl cannot work normally.
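
The incompatibility described above can be checked from a shell inside the container. The following script is an added example, not part of the original post; the function names are hypothetical, and the threshold of 247 is the one given in the Docker Desktop 4.3.0 release notes quoted earlier.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Minimum systemd version for cgroup v2, per the Docker Desktop 4.3.0 notes.
MIN_SYSTEMD=247

# Map the filesystem type mounted at /sys/fs/cgroup to a cgroup version.
# tmpfs means v1 (one sub-mount per controller); cgroup2fs means unified v2.
# An old coreutils `stat` does not know the v2 magic and prints it as hex.
cgroup_version() {
    case "$1" in
        cgroup2fs|*0x63677270*) echo 2 ;;
        tmpfs)                  echo 1 ;;
        *)                      echo unknown ;;
    esac
}

# Extract the number from the first line of `systemctl --version`,
# e.g. "systemd 245 (245.4-4ubuntu3)" -> 245.
systemd_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Decide whether systemd can manage the detected hierarchy.
verdict() {  # $1 = cgroup version, $2 = systemd version (may be empty)
    v=${2:-0}
    case "$1" in
        1) echo "ok: cgroup v1 hierarchy" ;;
        2) if [ "$v" -ge "$MIN_SYSTEMD" ]; then
               echo "ok: systemd $v supports cgroup v2"
           else
               echo "incompatible: systemd $v < $MIN_SYSTEMD on cgroup v2"
           fi ;;
        *) echo "unknown cgroup layout" ;;
    esac
}

# Run inside the container with: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    fstype=$(stat -fc %T /sys/fs/cgroup 2>/dev/null)
    sysver=$(systemd_version "$(systemctl --version 2>/dev/null)")
    verdict "$(cgroup_version "$fstype")" "$sysver"
fi
```

`systemctl --version` only prints the installed version and does not need a D-Bus connection, so it still works in a container where `systemctl start` fails.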

A user raised this issue in https://github.com/docker/for-mac/issues/6073. At first he thought it was a problem with the Mac, but later found that it also exists on ubuntu20.10, so everyone started looking for a solution.
The solution, as mentioned above, is either to upgrade systemd or to use the volume mapping to expose the cgroup filesystem to the container under Docker Desktop.

Later, because centos7 is a mainstream operating system with many users, the maintainers added a cgroup v1 compatibility option to settings.json. The problem can be solved by changing this one setting, without mapping /sys/fs/cgroup or upgrading systemd.

The solution can be seen in the announcement of the docker desktop 4.4.2 version:

Added a deprecated option to settings.json: "deprecatedCgroupv1": true, which switches the Linux environment back to cgroups v1. If your software requires cgroups v1, you should update it to be compatible with cgroups v2. Although cgroups v1 should continue to work, it is likely that some future features will depend on cgroups v2. It is also possible that some Linux kernel bugs will only be fixed with cgroups v2.

0x03 Solution

The specific steps are as follows:
Edit ~/Library/Group\ Containers/group.com.docker/settings.json and set the "deprecatedCgroupv1" parameter (the key named in the 4.4.2 release note above) to true; the default is false.

"deprecatedCgroupv1": true,
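
One way to make this edit repeatably, with a backup to roll back to. This is an added example, not part of the original post: `enable_cgroupv1` is a hypothetical name, the key is the one named in the 4.4.2 release note quoted above, and the script assumes the file stores it as `"deprecatedCgroupv1": false`.

```shell
#!/bin/sh
# Added example (not from the original post); enable_cgroupv1 is hypothetical.
# Assumes settings.json stores the key as  "deprecatedCgroupv1": false
SETTINGS="$HOME/Library/Group Containers/group.com.docker/settings.json"
KEY='"deprecatedCgroupv1"'
SEP='[[:space:]]*:[[:space:]]*'

# Returns 0 if the key is true afterwards, 2 if the key is absent, 1 on error.
enable_cgroupv1() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if grep -Eq "$KEY${SEP}true" "$f"; then
        return 0                       # already enabled: leave the file alone
    fi
    if ! grep -Eq "$KEY${SEP}false" "$f"; then
        echo "$KEY not found (Docker Desktop older than 4.4.2?)" >&2
        return 2                       # do not guess where to add the key
    fi
    cp -p "$f" "$f.bak" || return 1    # keep the original for rollback
    # Edit via a temp file: avoids the GNU/BSD `sed -i` difference on macOS,
    # and writing back with `cat` keeps the file's owner and mode.
    sed "s/$KEY${SEP}false/$KEY: true/" "$f" > "$f.tmp" || return 1
    cat "$f.tmp" > "$f" && rm -f "$f.tmp" || return 1
    grep -Eq "$KEY${SEP}true" "$f"     # confirm the change landed
}

# Apply to the real file with: sh enable-cgroupv1.sh --run
if [ "${1:-}" = "--run" ]; then
    enable_cgroupv1 "$SETTINGS"
fi
```

Restart Docker Desktop afterwards so the setting is read; to undo the change, copy settings.json.bak back over settings.json.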

0x04 References

https://github.com/docker/for-mac/issues/6073
https://github.com/scylladb/scylladb/issues/7071
https://bugzilla.redhat.com/show_bug.cgi?id=1760645
https://www.leyeah.com/article/cgroups-dockerprinciple-677345
https://www.cnblogs.com/sparkdev/p/9523194.html
https://ehds.github.io/2021/01/21/docker_systemctl/
https://www.infoq.cn/article/fuoi4c3l0npztxarhjnn
https://zorrozou.github.io/docs/%E8%AF%A6%E8%A7%A3Cgroup%20V2.html
https://zhuanlan.zhihu.com/p/143253843


Origin blog.csdn.net/counsellor/article/details/128448999