
Bug#985481: debootstrap: Detection of docker container is broken with cgroup v2



Control: affects -1 release-notes

Hi Arnaud!

Adding src:docker.io maintainers and Shengjing Zhu (recent uploader) to
CC list.

Arnaud Rebillout <arnaudr@kali.org> writes:

> Hello Nicholas! Thanks for your feedback here, see replies below.
>

You're welcome :-)

> On Sun, 11 Apr 2021 11:51:20 -0400 Nicholas D Steeves 
> <nsteeves@gmail.com> wrote:
>
>  > I'm not sure that systemd-detect-virt and your patch are
>  > forward-compatible in light of
[snip]
>  > This makes it sound like ".dockerenv" may be deprecated and later
>  > removed.
>
> That's a good point, but it's also a 5-year-old comment, and the 
> .dockerenv file is still present these days.
>
> I would think that if Docker plans to remove it, they will issue a more 
> formal deprecation warning that will give us enough time to fix things 
> on our side. Also the fact that systemd checks for this file gives me 
> more confidence that it's not just me doing something fancy here: it 
> seems that this is the "de facto" solution to detect docker containers.
>
> FWIW, it's also the most common solution on Q&A sites like 
> stackoverflow. Other people do that, because there is no better solution 
> provided apparently. Unless I missed it.
>

Yes, I agree; it appears to be the de facto solution, and might very well
be the only solution for Bullseye in the sense that "perfect is the
enemy of the good", i.e. that it's better to solve this issue in a
non-future-compatible way to solve a bona fide issue in Bullseye; later,
a future alternative to /.dockerenv can be documented in Debian.NEWS
and/or release-notes for Bookworm.

>  > Cgroup v2 is also mounted at /sys/fs/cgroup, so I wonder if the original
>  > check should be rewritten to check for something under this path instead
>  > of mountinfo?  Also, using this /sys/fs/cgroup method, I'm not sure if
>  > it's better debootstrap style to express the OR logical operator in the
>  > regex or a shell "||" (ie: seems to be needed because the tree under
>  > /sys/fs/cgroup is different between v1 and v2).
>
> I just had a quick look in /sys/fs/cgroup from within a container. 
> Nothing obvious stands out, there's no file named docker, and nothing in 
> the content of those files mentions docker. I'll attach the output below.
>
> I will CC Tianon, as he was the author of the comment mentioned above, 
> and he might know better, 5 years after :)
>
> In short, Tianon, if you're reading those lines, our question is: what 
> would be the right way to detect that we're running from within a docker 
> container, apart from checking for the existence of the file 
> `/.dockerenv` ???
>

Thank you for this investigation!  I was also unable to find an
alternative is_running_in_docker cgroupv2 check using /sys/fs/cgroup.
Hopefully one of the src:docker.io maintainers knows!  I've also added
"affects release-notes" (and filed separate release-notes bugs) to
defend against a worst-case scenario where this bug isn't resolved in
time.


Regards,
Nicholas
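As an added illustration of the two signals discussed in this thread (not debootstrap's, docker's or anyone's code from the bug report), the POSIX shell below checks `/.dockerenv` first and falls back to the older cgroup-v1 style mountinfo scan; the function name `detect_docker`, the `/docker/<id>` mountinfo root and the fixture contents are assumptions constructed for the example. Run against the constructed trees it shows why the mountinfo fallback goes quiet under cgroup v2 and only `/.dockerenv` still fires.

```shell
#!/bin/sh
# Added example, not debootstrap's or docker's own code. Paths are parameters
# so the checks can run against constructed fixtures rather than the live host.

# detect_docker ROOT MOUNTINFO
# Prints "docker" and returns 0 when a Docker container is detected, else 1.
detect_docker() {
    root="$1"
    mountinfo="$2"
    # Primary signal from the thread: Docker creates /.dockerenv in the container.
    if [ -f "$root/.dockerenv" ]; then
        echo docker
        return 0
    fi
    # Fallback for cgroup v1 hosts (assumption: the container's cgroup mounts
    # show a "/docker/<id>" root in mountinfo). Under cgroup v2 the root is
    # just "/", so this check silently stops matching, which is the bug.
    if [ -r "$mountinfo" ] && grep -q -E '/docker/[0-9a-f]+' "$mountinfo"; then
        echo docker
        return 0
    fi
    return 1
}

# make_fixtures: constructed sample trees (not captured from real hosts).
# Prints the temp directory holding v1/, v2/ and host/.
make_fixtures() {
    dir=$(mktemp -d)
    mkdir -p "$dir/v1" "$dir/v2" "$dir/host"
    # v1: cgroup v1 container, mountinfo mentions /docker/<id>, no /.dockerenv
    cat > "$dir/v1/mountinfo" <<'EOF'
31 22 0:27 /docker/0123456789abcdef /sys/fs/cgroup/memory rw,nosuid - cgroup cgroup rw,memory
EOF
    # v2: cgroup v2 container, only /.dockerenv gives it away
    touch "$dir/v2/.dockerenv"
    cat > "$dir/v2/mountinfo" <<'EOF'
31 22 0:27 / /sys/fs/cgroup rw,nosuid - cgroup2 cgroup rw
EOF
    # host: no container at all
    cat > "$dir/host/mountinfo" <<'EOF'
23 29 0:21 / /sys rw,nosuid - sysfs sysfs rw
EOF
    echo "$dir"
}
```

Removing the `/.dockerenv` line from the v2 fixture makes the v2 case fall through to "not detected", which is exactly the failure debootstrap hit.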
