Running systemd in a non-privileged container

Starting a systemd container with --privileged is risky: in privileged mode the container can remount host partitions, which lets it read and write the host's files from inside the container.

See https://www.cnblogs.com/xiaozi/p/13423853.html on the vulnerability of privileged mode (--privileged).

According to https://developers.redhat.com/blog/2014/05/05/running-systemd-within-docker-container

the failure was caused by older Docker versions dropping CAP_SYS_ADMIN in non-privileged containers:

After investigating the failures, I found that systemd requires CAP_SYS_ADMIN capability but Docker drops that capability in the non privileged containers, in order to add more security. This means for now you have to run systemd within a privileged container since privileged containers do not drop any capabilities. There is a patch upstream to allow users to add capabilities to a docker container. Once this patch gets merged, I think you would be able to run in a non privileged container by turning on the CAP_SYS_ADMIN capability.

Since the Docker change https://github.com/moby/moby/pull/6968 was merged, Docker can run systemd inside a container with nothing more than the --cap-add=SYS_ADMIN flag.

To start a systemd container without privileged mode, use the following command:

docker run --cap-add=SYS_ADMIN --name httpd2 -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 8082:80 -d httpd:1
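A quick way to confirm a running container actually matches the command above (not privileged, only SYS_ADMIN added, cgroup tree mounted read-only) is to audit its HostConfig. This is an added example, not part of the original post; the two JSON samples are constructed to look like the output of `docker inspect --format '{{json .HostConfig}}' httpd2`.

```shell
#!/bin/sh
# Audit the HostConfig of a systemd container for the risks discussed above.
# Real input comes from: docker inspect --format '{{json .HostConfig}}' httpd2
# The two samples below are constructed for this example, not captured output.
GOOD_HOSTCONFIG='{"Binds":["/sys/fs/cgroup:/sys/fs/cgroup:ro"],"CapAdd":["SYS_ADMIN"],"CapDrop":null,"Privileged":false,"PortBindings":{"80/tcp":[{"HostIp":"","HostPort":"8082"}]}}'
BAD_HOSTCONFIG='{"Binds":["/sys/fs/cgroup:/sys/fs/cgroup:rw"],"CapAdd":null,"CapDrop":null,"Privileged":true}'

# audit_systemd_hostconfig JSON
# Prints one line per check; returns 0 only if every check passes.
audit_systemd_hostconfig() {
  json=$1
  rc=0

  # 1. Privileged must be false. A privileged container drops no capabilities
  #    and sees host devices, which is what allows remounting host partitions.
  if printf '%s' "$json" | grep -q '"Privileged":true'; then
    echo "FAIL: container is privileged"; rc=1
  else
    echo "ok:   not privileged"
  fi

  # 2. CapAdd must be exactly SYS_ADMIN, the single capability systemd needs.
  #    Extract the contents of the CapAdd array (empty when CapAdd is null).
  caps=$(printf '%s' "$json" | sed -n 's/.*"CapAdd":\[\([^]]*\)\].*/\1/p' | tr -d '"')
  if [ "$caps" = "SYS_ADMIN" ]; then
    echo "ok:   CapAdd is only SYS_ADMIN"
  else
    echo "FAIL: CapAdd is '${caps:-<none>}', expected exactly SYS_ADMIN"; rc=1
  fi

  # 3. The cgroup tree must be bind-mounted read-only (the :ro in the run
  #    command), limiting what the container can change in the host cgroup tree.
  if printf '%s' "$json" | grep -q '"/sys/fs/cgroup:/sys/fs/cgroup:ro"'; then
    echo "ok:   /sys/fs/cgroup mounted read-only"
  elif printf '%s' "$json" | grep -q '"/sys/fs/cgroup:/sys/fs/cgroup'; then
    echo "FAIL: /sys/fs/cgroup is mounted writable"; rc=1
  else
    echo "FAIL: /sys/fs/cgroup is not bind-mounted (systemd will not start)"; rc=1
  fi

  return $rc
}

echo "== expected to pass =="; audit_systemd_hostconfig "$GOOD_HOSTCONFIG"
echo "== expected to fail =="; audit_systemd_hostconfig "$BAD_HOSTCONFIG" || true
```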

See also the official systemd container image: https://hub.docker.com/r/centos/systemd

posted @ 2021-07-29 10:25 rincloud