Moby: Docker stack deploy does not support systemd containers (cap_add, tmpfs)

0

Nobody wants to run systemd in a container, but it's necessary because not all software is docker-ready, or docker is being used to simulate a production system.

It's great that docker 1.13 can now deploy a docker-compose.yml to swarm, but the limited configuration support means systemd containers will not run. docker stack deploy reports:

Ignoring unsupported options: cap_add, devices, privileged, security_opt, tmpfs

When will stack/bundle/dab/whatever support systemd containers, which require cap_add and tmpfs? 

    cap_add:
      - SYS_ADMIN
    tmpfs: /run
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    environment:
      - container=docker

Ref https://github.com/docker/docker/issues/28614#issuecomment-261724902

PS: devices would also be very useful especially if the value could somehow be made different on different swarm nodes.

jamshid picture jamshid  ·  8 Feb 2017

Most helpful comment

22

@thaJeztah I know this has been closed for awhile, but is there a status update on "privileged: true" working for docker stack? It seems you linked docker#25885 for both cap-add/remove and privileged.

Flaniga3 picture Flaniga3  ·  24 May 2017

All comments

0

The main issue for swarm mode features is https://github.com/docker/docker/issues/25303 with links to more specific issues.

justincormack picture justincormack  ·  9 Feb 2017
0

Thanks for reporting @jamshid

I think the requirements for this are covered by https://github.com/docker/docker/issues/25885 (--cap-add / --cap-remove) and https://github.com/docker/docker/issues/25885 (--privileged).

w.r.t. tmpfs, services allow adding a tmpfs using --mount, which may be a more generic solution

I'll close this issue, because the requirements for this are tracked through the linked issues, but feel free to continue the conversation.

thaJeztah picture thaJeztah  ·  9 Feb 2017
22

@thaJeztah I know this has been closed for awhile, but is there a status update on "privileged: true" working for docker stack? It seems you linked docker#25885 for both cap-add/remove and privileged.

Flaniga3 picture Flaniga3  ·  24 May 2017
7

Joining @Flaniga3 with the question

svscorp picture svscorp  ·  26 Jul 2017
Tags:
arestack
areswarm
kinenhancement
Project: moby/moby
Source: Link

Related issues

0 Moby: Delete "all" for docker rm and docker rmi
0 Moby: COPY still invalidates cache when no files have changed.
0 Moby: Cannot start container on CentOS 7.3 when namespaces are enabled.
8 Moby: Security Proposal: add "--pids-limit" to "docker service create/update" option list
0 Moby: docker: Error response from daemon: failed to create endpoint postgres on network bridge: failed to add the host (veth4ea851e) <=> sandbox (vethcd53b3f) pair interfaces: operation not supported.

Popular issues

196 Pluggable storage backends (was Support for Consul K/V storage)
33 database/sql: should support a way to perform bulk actions
22 User accounts
31 Allow `docker start` to take environment variables
26 docker commit data container with VOLUME