Docker 容器 yum 安装软件，systemd 程序无法启动

当我们创建容器后，使用yum 安装一个 httpd 服务，在启动时会报错没有权限

• 创建容器

[root@localhost ~]# docker run -itd --name httpd centos /bin/bash
fd71b36db40e91b88b7d55998def0a09cc3cc6ce1709f210ce42406f2124b0f7

• 进入容器并安装 httpd

[root@localhost ~]# docker exec -it httpd /bin/bash
[root@fd71b36db40e /]# yum -y install httpd

• 启动 http的
  • 当我们使用 systemctl 启动httpd 服务
  • 警告我们权限不足

[root@fd71b36db40e /]# systemctl start httpd
Failed to get D-Bus connection: Operation not permitted

1. 通过 --privileged 进行提权

• 可以在创建容器的进行提权
  • 通过 --privileged 参数进行提权
  • --privileged 运行于/sbin/init 环境当中

[root@localhost ~]# docker run -itd --name http --privileged centos /sbin/init 
26fd217eab9ea04219f3ea1043fbae6f046d9b7b6ffb2ad7f52a2a0714395f4a
[root@localhost ~]# docker exec -it http /bin/bash
[root@26fd217eab9e /]# yum -y install httod

• 启动 httpd

[root@26fd217eab9e /]# systemctl start httpd
[root@26fd217eab9e /]# netstat -anpt | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      188/httpd      

• 删除 容器 http
  • 如果不及时退出容器，且删除，会长时间占用权限

[root@localhost ~]# docker rm -f http
http

2. 第二种

• 通过查看/usr/lib/systemd/system/ 目录下 服务启动文件，来找到 ExecStart 启动方法

/usr/lib/systemd/system/

• 创建容器
  • 且安装httpd

[root@localhost ~]# docker run -itd --name http centos /bin/bash
772e06c9f4d4b94f1b8b1c9c303de0f1124eae67f162999b43a0fea25c3863c7
[root@localhost ~]# docker exec -it http /bin/bash
[root@772e06c9f4d4 /]# yum -y install httpd

• 查看 httpd 服务的启动方法

[root@772e06c9f4d4 /]# cat /usr/lib/systemd/system/httpd.service 
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND			//  启动方法
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful			//  重载方法
ExecStop=/bin/kill -WINCH ${MAINPID}					//  关闭方法
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true

[Install]
WantedBy=multi-user.target

• 启动httpd 服务

[root@772e06c9f4d4 /]# /usr/sbin/httpd 
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message

[root@772e06c9f4d4 /]# netstat -anpt | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      98/httpd