On So, 26.01.20 11:55, Matwey V. Kornilov (matwey.kornilov@xxxxxxxxx) wrote:

> Hello,
>
> I've just found that an assumption used inside detect_container() is
> not always true, and that leads to virtualization misdetection.
> Namely, I am running systemd inside docker (19.03.5) container on
> ubuntu (18.04.2 kernel version is 4.15.0-45-generic).
>
>         /* Interestingly /proc/1/sched actually shows the host's PID for what we see as PID 1. If the PID
>          * shown there is not 1, we know we are in a PID namespace and hence a container. */
>         check_sched:
>         r = read_one_line_file("/proc/1/sched", &m);
>
> However, I see the following when reading this file in the container:
>
> 64813fe8f025:/ # cat /proc/1/sched
> bash (1, #threads: 1)

Yes, this is known, and to our knowledge not really fixable, as
there's no nice way to detect containers entirely generically these
days (or more specifically: detect whether we are in a pidns that is
not the main one).

Also see:

https://github.com/systemd/systemd/pull/8200

> Unfortunately, this leads to virtualization misdetection on systemd
> startup (docker host runs inside kvm):

So, docker is the only container engine to my knowledge that refuses
to play nice by default and is thus unwilling to implement the
$container env var by default. To make the container env detectable
you hence have to set the env var manually in your containers.

Sorry for that, but there's nothing we can do about this. The kernel
took the only somewhat generic mechanism to detect containers away
from us and the Docker people aren't willing to make their stuff
detectable, hence there's nothing we can do.

Lennart

--
Lennart Poettering, Berlin
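The two signals discussed in this thread, as an added example that is not part of either message and is not systemd's code: the PID parsed from the first line of /proc/1/sched, and an explicit $container value. The function names, the verdict enum, the "docker" value and the second sample line are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { NOT_DETECTED = 0, CONTAINER_BY_ENV = 1, CONTAINER_BY_SCHED = 2 };

/* Extract the PID from the first line of /proc/<pid>/sched, which has the
 * form "comm (pid, #threads: n)". comm may itself contain '(', so start
 * from the last one. Returns -1 if the line does not parse. */
static long sched_pid(const char *line) {
    const char *open = strrchr(line, '(');
    char *end;
    long pid;

    if (!open)
        return -1;
    pid = strtol(open + 1, &end, 10);
    if (end == open + 1 || *end != ',' || pid <= 0)
        return -1;
    return pid;
}

/* Combine the two signals from the thread: an explicit $container value for
 * PID 1 first, then the PID shown in /proc/1/sched. */
static enum verdict detect(const char *container_env, const char *sched_line) {
    if (container_env && *container_env)
        return CONTAINER_BY_ENV;
    if (sched_pid(sched_line) > 1)
        return CONTAINER_BY_SCHED;
    /* sched says 1: either the host, or a kernel that no longer shows the
     * host PID inside the namespace. The heuristic cannot tell which. */
    return NOT_DETECTED;
}

int main(void) {
    /* First line quoted in the report above (Docker 19.03.5, kernel 4.15). */
    const char *reported = "bash (1, #threads: 1)";
    /* Constructed line: what the heuristic expects when the host PID shows. */
    const char *leaky = "systemd (4321, #threads: 1)";

    printf("reported line, no env:    %d\n", detect(NULL, reported));
    printf("reported line, env set:   %d\n", detect("docker", reported));
    printf("constructed line, no env: %d\n", detect(NULL, leaky));
    return 0;
}
```

With the line from the report and no $container value, the result is NOT_DETECTED, which is why detection then falls through to the hypervisor (KVM) underneath the Docker host.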