Jrohy/trojan

Optimize the Dockerfile to support starting in non-privileged mode

YKSam opened this issue · 2 comments

YKSam commented

docker systemd

As that article suggests, adding the corresponding configuration makes it possible to start systemd inside the container in non-privileged mode. Containers should avoid being started in privileged mode whenever possible.

YKSam commented

Here is a YAML file; save it as docker-compose.yml, and the docker-compose up -d command will initialize both containers directly, without privileges.

Note that in this YAML both containers start with host networking; this can be improved.

version: "3.6"
services:
  trojan:
    command:
      - "--log-level=info"
      - "--unit=sysinit.target"
    container_name: "trojan"
    entrypoint:
      - "/usr/lib/systemd/systemd"
    stop_signal: "SIGRTMIN+3"
    environment:
      - "TZ=Asia/Shanghai"
      - "container=docker"
      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    image: "jrohy/trojan:latest"
    ipc: "private"
    labels:
      maintainer: "Jrohy <euvkzx@Jrohy.com>"
      org.label-schema.build-date: "20201113"
      org.label-schema.license: "GPLv2"
      org.label-schema.name: "CentOS Base Image"
      org.label-schema.schema-version: "1.0"
      org.label-schema.vendor: "CentOS"
      org.opencontainers.image.created: "2020-11-13 00:00:00+00:00"
      org.opencontainers.image.licenses: "GPL-2.0-only"
      org.opencontainers.image.title: "CentOS Base Image"
      org.opencontainers.image.vendor: "CentOS"
    logging:
      driver: "json-file"
      options: {}
    network_mode: "host"
    restart: "unless-stopped"
    stdin_open: true
    tty: true
    tmpfs:
      - "/tmp"
      - "/run"
      - "/run/lock"
    volumes:
      - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
      - "/sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd"
      - "/sys/fs/fuse:/sys/fs/fuse"
  mariadb-trojan:
    command:
      - "mysqld"
    container_name: "mariadb-trojan"
    entrypoint:
      - "docker-entrypoint.sh"
    environment:
      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      - "GOSU_VERSION=1.14"
      - "MARIADB_MAJOR=10.2"
      - "MARIADB_VERSION=1:10.2.44+maria~bionic"
      - "TZ=Asia/Shanghai"
      - "MYSQL_ROOT_PASSWORD=trojan"
      - "MYSQL_ROOT_HOST=%"
    image: "mariadb:10.2"
    ipc: "private"
    logging:
      driver: "json-file"
      options: {}
    network_mode: "host"
    restart: "unless-stopped"
    stdin_open: true
    tty: true
    volumes:
      - "/var/lib/mysql"

YKSam commented

Note that systemd inside the container is started with sysinit.target, so the [Install] section of the service file should be changed accordingly.

[Install]
WantedBy=sysinit-user.target

Also, the service file should be placed under the /lib/systemd/system directory.
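As an added example (not code from this issue or from the Jrohy/trojan project), a small stdlib-only Python linter that checks a compose service for the unprivileged-systemd layout the YAML above relies on: no privileged flag or SYS_ADMIN, systemd as entrypoint, SIGRTMIN+3 stop signal, the tmpfs and cgroup mounts, and a warning for host networking. The service dicts are constructed to mirror that file, and the rule set and function names are this example's own assumptions.

```python
from typing import Dict, List

# Mounts systemd needs as writable tmpfs inside the container.
REQUIRED_TMPFS = {"/tmp", "/run", "/run/lock"}


def lint_systemd_service(svc: Dict) -> List[str]:
    """Return findings for one compose service dict (compose v3 key names);
    an empty list means it keeps the unprivileged-systemd layout."""
    findings: List[str] = []
    if svc.get("privileged"):
        findings.append("privileged: true gives the container full host capabilities")
    caps = {str(c).upper() for c in svc.get("cap_add", [])}
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append(f"cap_add {sorted(caps)} reintroduces most of privileged mode")
    if not any(e.endswith("/systemd") for e in svc.get("entrypoint", [])):
        findings.append("entrypoint is not systemd")
    if svc.get("stop_signal") != "SIGRTMIN+3":
        findings.append("stop_signal must be SIGRTMIN+3 so systemd shuts down cleanly")
    if "container=docker" not in svc.get("environment", []):
        findings.append("environment lacks container=docker")
    missing = REQUIRED_TMPFS - set(svc.get("tmpfs", []))
    if missing:
        findings.append(f"tmpfs missing {sorted(missing)}")
    # The cgroup root must be read-only; only the systemd sub-hierarchy is rw.
    cgroup_root = [v for v in svc.get("volumes", []) if v.startswith("/sys/fs/cgroup:")]
    if not cgroup_root:
        findings.append("/sys/fs/cgroup is not mounted")
    elif not cgroup_root[0].endswith(":ro"):
        findings.append("/sys/fs/cgroup is mounted read-write; mount it :ro")
    if svc.get("network_mode") == "host":
        findings.append("network_mode: host shares the host network namespace")
    return findings


# Constructed to mirror the trojan service from the compose file in this issue.
TROJAN_SERVICE = {
    "entrypoint": ["/usr/lib/systemd/systemd"],
    "command": ["--log-level=info", "--unit=sysinit.target"],
    "stop_signal": "SIGRTMIN+3",
    "environment": ["TZ=Asia/Shanghai", "container=docker"],
    "network_mode": "host",
    "tmpfs": ["/tmp", "/run", "/run/lock"],
    "volumes": ["/sys/fs/cgroup:/sys/fs/cgroup:ro",
                "/sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd",
                "/sys/fs/fuse:/sys/fs/fuse"],
}
# Constructed counter-example: the privileged shortcut the issue argues against.
PRIVILEGED_SERVICE = {**TROJAN_SERVICE, "privileged": True,
                      "volumes": ["/sys/fs/cgroup:/sys/fs/cgroup"]}

if __name__ == "__main__":
    for name, svc in (("trojan", TROJAN_SERVICE), ("privileged", PRIVILEGED_SERVICE)):
        print(name, lint_systemd_service(svc) or ["ok"])
```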