On 24.12.22 at 03:28, Samer Afach wrote:
> Dear Raf:
> That's actually what I do on all the bare-metal machines, but from my
> understanding of how docker works, every container is made to run
> exactly one service, and somehow default Linux images disable system
> services. They can be re-enabled, but it's not the way it's meant to
> work, and given that I'm just a beginner in this whole docker thing,
> I'm trying not to jump over rooftops before some time passes by and I
> feel comfortable with everything I've done so far and build the
> confidence of "It worked for a while, now let's try changing that one
> thing".
> This can get much worse for beginners, and it took me a while to get
> email working properly. If you look at my setup, you'll see that
> postfix, dovecot and OpenDKIM are each running in their own container
> (and they all must be running in foreground mode to access logging).
> Luckily, sharing socket files in Linux is allowed among containers,
> and the reasoning there, if I understand correctly, is that all these
> containers use the same kernel, and that's the only required
> condition. This simplified my setup a lot. Over time I'll have to move
> everything to inet and stop using socket files because it sounds dirty.
Whether you expose one IP socket or one filesystem unix socket - what's
the difference? Either punches a dedicated hole into the container's
isolation layer.
> The worst part in all this is OpenDKIM. It doesn't support stdout
> logging, which means I have to force the rsyslog service to work to
> see any errors, but given that its docker should start with exactly 1
> program in the foreground, I don't know how to print the logs with
> something like tail since OpenDKIM is running in the foreground.
> Another problem to look into soon, when I'm done with all these
> higher-priority issues piling up.
For manual debugging, docker exec and running a shell or tail is what
you will be looking for, with similar options to those you give to
docker run - only that exec assumes a running container and puts a
second process into it, rather than creating one from an image.
And then I wonder if it's about time to suggest unprivileged mode, or
podman for that matter...
Regards,
Matthias
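The arrangement the thread describes, written out as a compose file. This is an added illustration, not configuration from either correspondent: one named volume carries OpenDKIM's milter socket, Postfix mounts the same volume and reaches the milter through that Unix socket, and Dovecot stays a separate single-process container. Image names, service names and paths are assumptions; the `main.cf` and `opendkim.conf` directives quoted in the comments are the standard Postfix and OpenDKIM settings for a local milter socket.

```yaml
# Added example (not from the thread): three single-process containers,
# with OpenDKIM and Postfix sharing one milter socket through a named
# volume. Image names, service names and paths are assumptions.
services:
  opendkim:
    image: my/opendkim            # assumption: runs "opendkim -f" in the foreground
    volumes:
      - dkim-socket:/var/run/opendkim
      - ./opendkim.conf:/etc/opendkim.conf:ro
    # opendkim.conf must place the socket inside the shared directory:
    #   Socket  local:/var/run/opendkim/opendkim.sock
    #   UMask   002     # group-writable, so the postfix user next door can connect
    #   Syslog  yes     # OpenDKIM logs through syslog, not stdout

  postfix:
    image: my/postfix             # assumption
    volumes:
      - dkim-socket:/var/run/opendkim
    # main.cf, pointing the milter at the shared socket:
    #   smtpd_milters         = unix:/var/run/opendkim/opendkim.sock
    #   non_smtpd_milters     = $smtpd_milters
    #   milter_default_action = accept
    ports:
      - "25:25"

  dovecot:
    image: my/dovecot             # assumption
    volumes:
      - mail-data:/var/mail

volumes:
  dkim-socket:
  mail-data:
```

Two checks before relying on this: the socket is created by the opendkim user in one container and opened by the postfix user in another, and UIDs and GIDs are assigned per image, so either align the numeric GID of the two users or rely on the `UMask` above together with a matching group on the Postfix side. And if `smtpd` runs chrooted (the Debian default), the socket must live under `/var/spool/postfix/` and the `smtpd_milters` path is then written relative to that chroot. For reading OpenDKIM's syslog output without a second foreground process, the `docker exec` route from the reply above applies, for instance `docker exec opendkim tail -f /var/log/mail.log`, assuming rsyslog inside that container writes there.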