Transition devcontainers to systemd as init system (#162)

* Transition devcontainers to systemd as init system

systemd 257 has excellent container support — auto-detecting container
environments via /.dockerenv, gracefully skipping host-only mounts,
falling back to unsandboxed generators when namespace sandboxing fails,
and disabling unnecessary services via ConditionVirtualization=!container.
Running systemd as PID 1 in privileged Docker containers just works now,
so let's transition the devcontainers to better match HAOS and Supervised
installations where Supervisor normally runs.

Key changes:

- Run systemd as PID 1 via /sbin/init with overrideCommand: false
- Remove the fake systemctl and policy-rc.d shipped by the Microsoft
  base images, which silently blocked all service management at build
  time
- Make sure all required services which are not enabled by default are
  enabled (haos-agent, journal-gatewayd) via systemctl enable in the
  Dockerfile so they start automatically on boot
- Mask unnecessary units (networkd, getty) to avoid interference
- Remove all manual daemon start/stop functions from the common scripts
  (start_docker, stop_docker, init_dbus, init_udev, init_os_agent,
  start_systemd_journald) — systemd manages the full service lifecycle
- Clean up supervisor_run scripts to only handle Supervisor-specific
  logic (build, run, cleanup) since services are already running
- Remove machine-id regeneration from supervisor_bootstrap, systemd
  handles this at boot
- Add /var/lib/containerd volume mount alongside /var/lib/docker, since
  modern Docker uses the containerd snapshotter which stores state in
  its own top-level directory rather than under /var/lib/docker
- Move systemd-journal-remote and systemd-resolved installs into the
  Dockerfiles directly
- Set up persistent journal storage via systemd-tmpfiles at build time
- Use dbus-broker as D-Bus broker (used by HAOS)

* Fail if curl isn't able to fetch version information

* Bump container image version in devcontainer.json template

Author: agners

apps/Dockerfile

@@ -10,9 +10,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN \
     apt-get update \
     && apt-get install -y --no-install-recommends \
-        dbus \
+        dbus-broker \
         network-manager \
         libpulse0 \
+        systemd-journal-remote \
+        systemd-resolved \
         xz-utils
 
 COPY ./common/rootfs /
@@ -30,3 +32,27 @@ RUN \
     && usermod -aG docker vscode
 
 COPY ./apps/rootfs /
+
+# Configure systemd as init system
+# Remove the fake systemctl and policy-rc.d that the base image ships
+# to prevent service management during build. We need the real systemctl
+# since this container runs systemd as PID 1.
+RUN rm -f /usr/local/bin/systemctl /usr/sbin/policy-rc.d
+
+# Mask unnecessary systemd units to make sure they don't interfere
+RUN systemctl mask \
+    systemd-networkd.service \
+    systemd-networkd-wait-online.service \
+    getty@.service \
+    serial-getty@.service
+
+# Create persistent journal directory so journald stores logs on disk
+RUN systemd-tmpfiles --create --prefix /var/log/journal
+
+# Enable services which are otherwise disabled by default
+RUN systemctl enable \
+    haos-agent \
+    systemd-journal-gatewayd
+
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]

apps/devcontainer.json

@@ -1,6 +1,8 @@
 {
   "name": "Example devcontainer for apps repositories",
-  "image": "ghcr.io/home-assistant/devcontainer:2-apps",
+  "image": "ghcr.io/home-assistant/devcontainer:4-apps",
+  "overrideCommand": false,
+  "remoteUser": "vscode",
   "appPort": ["7123:8123", "7357:4357"],
   "postStartCommand": "bash devcontainer_bootstrap",
   "runArgs": ["-e", "GIT_EDITOR=code --wait", "--privileged"],
@@ -28,6 +30,8 @@
   },
   "mounts": [
     "type=volume,target=/var/lib/docker",
-    "type=volume,target=/mnt/supervisor"
+    "type=volume,target=/var/lib/containerd",
+    "type=volume,target=/mnt/supervisor",
+    "type=tmpfs,target=/tmp"
   ]
 }

apps/rootfs/usr/bin/supervisor_run

@@ -6,10 +6,6 @@ source /etc/supervisor_scripts/common
 
 echo "Run Supervisor"
 
-start_systemd_journald
-start_docker
-trap "stop_docker" ERR
-
 function run_supervisor() {
     validate_devcontainer "apps"
 
@@ -35,21 +31,12 @@ function run_supervisor() {
 if [ "$( docker container inspect -f '{{.State.Status}}' hassio_supervisor )" == "running" ]; then
     echo "Restarting Supervisor"
     docker rm -f hassio_supervisor
-    init_dbus
-    init_udev
-    init_os_agent
     cleanup_lastboot
     run_supervisor
-    stop_docker
-
 else
     echo "Starting Supervisor"
     docker system prune -f
     cleanup_lastboot
     cleanup_docker
-    init_dbus
-    init_udev
-    init_os_agent
     run_supervisor
-    stop_docker
 fi

apps/version

@@ -1 +1 @@
-3
+4

common/install/docker

@@ -6,8 +6,7 @@ apt-get update
 apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
-    gnupg \
-    systemd-journal-remote
+    gnupg
 
 install -m 0755 -d /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg

common/install/versions.json

@@ -1,5 +1,5 @@
 {
-    "cosign": "2.4.0",
-    "os-agent": "1.6.0",
+    "cosign": "2.5.3",
+    "os-agent": "1.8.1",
     "nvm": "0.40.1"
 }

common/rootfs_supervisor/etc/supervisor_scripts/common

@@ -2,109 +2,15 @@
 
 set -e
 
-VERSION_INFO=$(curl -s https://version.home-assistant.io/dev.json)
+VERSION_INFO=$(curl -sf https://version.home-assistant.io/dev.json)
 HA_ARCH=$(get_arch ha)
 QEMU_ARCH=$(get_arch qemu)
-DOCKER_TIMEOUT=30
 SUPERVISOR_SHARE="/mnt/supervisor"
 
 export SUPERVISOR_VERSION="$(echo ${VERSION_INFO} | jq -e -r '.supervisor')"
 export SUPERVISOR_IMAGE="$(sed "s/{arch}/${HA_ARCH}/g" <<< "$(echo ${VERSION_INFO} | jq -e -r '.images.supervisor')")"
 
 
-function start_systemd_journald() {
-    if ! [ -e /var/log/journal ]; then
-        echo "Creating systemd-journald tmpfiles."
-        sudo systemd-tmpfiles --create --prefix /var/log/journal
-    fi
-
-    if ! pgrep -f systemd-journald; then
-        echo "Starting systemd-journald."
-        sudo /usr/lib/systemd/systemd-journald &
-    fi
-
-    if ! pgrep -f systemd-journal-gatewayd; then
-        echo "Starting systemd-journal-gatewayd."
-        sudo /usr/lib/systemd/systemd-journal-gatewayd --system 2> /dev/null &
-    fi
-}
-
-
-function start_docker() {
-    local start_time
-    local current_time
-    local elapsed_time
-
-    if grep -q 'microsoft-standard\|standard-WSL' /proc/version; then
-        # The docker daemon does not start when running WSL2 without adjusting iptables
-        sudo update-alternatives --set iptables /usr/sbin/iptables-legacy || echo "Fails adjust iptables"
-        sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || echo "Fails adjust ip6tables"
-    fi
-
-    echo "Starting docker."
-    if stat -f -c %T /var/lib/docker | grep -q overlayfs; then
-        echo "Using \"vfs\" storage driver. Bind mount /var/lib/docker to use the faster overlay2 driver."
-        storage_driver="vfs"
-    else
-        storage_driver="overlay2"
-    fi
-    sudo dockerd --storage-driver="${storage_driver}" > /dev/null 2>&1 &
-
-    echo "Waiting for Docker to initialize..."
-    socket_path="/var/run/docker.sock"
-
-    start_time=$(date +%s)
-    while [[ ! -S "$socket_path" || ! -r "$socket_path" ]]; do
-        current_time=$(date +%s)
-        elapsed_time=$((current_time - start_time))
-
-        if [[ $elapsed_time -ge $DOCKER_TIMEOUT ]]; then
-            echo "Timeout: Docker did not start within $DOCKER_TIMEOUT seconds."
-            exit 1
-        fi
-
-        sleep 1
-    done
-
-    # It seems that dockerd messes with the terminal somehow, carriage returns (\r)
-    # seem not to function properly. Resetting the terminal fixes this.
-    stty sane
-    echo "Docker was initialized"
-}
-
-function stop_docker() {
-    local start_time
-    local current_time
-    local elapsed_time
-
-    # Check if docker pid is there
-    if [ ! -f /var/run/docker.pid ]; then
-        echo "No pid found for docker"
-        return 0
-    fi
-
-    echo "Stopping Docker daemon..."
-    docker_pid=$(cat /var/run/docker.pid)
-    echo "Sending SIGTERM to docker daemon $docker_pid"
-    if sudo kill -0 "$docker_pid" 2> /dev/null; then
-        start_time="$(date +%s)"
-
-        # Now wait for it to exit
-        sudo kill "$docker_pid"
-        while sudo kill -0 "$docker_pid" 2> /dev/null; do
-            current_time=$(date +%s)
-            elapsed_time=$((current_time - start_time))
-            if [[ $elapsed_time -ge $DOCKER_TIMEOUT ]]; then
-                echo "Timeout while waiting for Docker daemon to exit"
-                exit 1
-            fi
-            sleep 1
-        done
-    else
-        echo "Unable to find Docker daemon process"
-    fi
-}
-
 function cleanup_lastboot() {
     if [[ -f /mnt/supervisor/config.json ]]; then
         echo "Cleaning up last boot"
@@ -122,52 +28,6 @@ function cleanup_docker() {
     fi
 }
 
-function init_dbus() {
-    if pgrep dbus-daemon; then
-        echo "Dbus is running"
-        return 0
-    fi
-
-    echo "Startup dbus"
-    sudo mkdir -p /var/lib/dbus
-    sudo cp -f /etc/machine-id /var/lib/dbus/machine-id
-
-    # cleanups
-    sudo mkdir -p /run/dbus
-    sudo rm -f /run/dbus/pid
-
-    # run
-    sudo dbus-daemon --system --print-address
-}
-
-
-function init_udev() {
-    if pgrep systemd-udevd; then
-        echo "udev is running"
-        return 0
-    fi
-
-    echo "Startup udev"
-
-    # cleanups
-    sudo mkdir -p /run/udev
-
-    # run
-    sudo /lib/systemd/systemd-udevd --daemon
-    sleep 3
-    sudo udevadm trigger && sudo udevadm settle
-}
-
-
-function init_os_agent() {
-    if pgrep os-agent; then
-        echo "os-agent is running"
-        return 0
-    fi
-
-    sudo os-agent &
-}
-
 
 validate_devcontainer() {
     local devcontainer_type="$1"

common/rootfs_supervisor/usr/bin/supervisor_bootstrap

@@ -2,9 +2,6 @@
 
 set -e
 
-sudo rm /etc/machine-id
-sudo dbus-uuidgen --ensure=/etc/machine-id
-
 if grep -q 'microsoft-standard\|standard-WSL' /proc/version; then
     # The docker daemon does not start when running WSL2 without adjusting iptables
     sudo update-alternatives --set iptables /usr/sbin/iptables-legacy || echo "Fails adjust iptables"

supervisor/Dockerfile

@@ -19,9 +19,11 @@ RUN \
 RUN \
     apt-get update \
     && apt-get install -y --no-install-recommends \
-        dbus-daemon \
+        dbus-broker \
         network-manager \
         libpulse0 \
+        systemd-journal-remote \
+        systemd-resolved \
         xz-utils
 
 COPY ./common/rootfs /
@@ -49,3 +51,29 @@ RUN uv venv $VIRTUAL_ENV
 # Setting PATH here isn't enough, VSCode rewites it after initial scripts finish
 # Must also be set in remoteEnv in devcontainer.json
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
+# Configure systemd as init system
+USER root
+
+# Remove the fake systemctl and policy-rc.d that the base image ships
+# to prevent service management during build. We need the real systemctl
+# since this container runs systemd as PID 1.
+RUN rm -f /usr/local/bin/systemctl /usr/sbin/policy-rc.d
+
+# Mask unnecessary systemd units to make sure they don't interfere
+RUN systemctl mask \
+    systemd-networkd.service \
+    systemd-networkd-wait-online.service \
+    getty@.service \
+    serial-getty@.service
+
+# Create persistent journal directory so journald stores logs on disk
+RUN systemd-tmpfiles --create --prefix /var/log/journal
+
+# Enable services which are otherwise disabled by default
+RUN systemctl enable \
+    haos-agent \
+    systemd-journal-gatewayd
+
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]

supervisor/rootfs/usr/bin/supervisor_run

@@ -23,10 +23,6 @@ function get_build_from() {
 
 echo "Run Supervisor"
 
-start_systemd_journald
-start_docker
-trap "stop_docker" ERR
-
 function build_supervisor() {
     local base_image
     base_image="$(get_build_from)"
@@ -71,22 +67,13 @@ function run_supervisor() {
 if [ "$( docker container inspect -f '{{.State.Status}}' hassio_supervisor )" == "running" ]; then
     echo "Restarting Supervisor"
     docker rm -f hassio_supervisor
-    init_dbus
-    init_udev
-    init_os_agent
     cleanup_lastboot
     run_supervisor
-    stop_docker
-
 else
     echo "Starting Supervisor"
     docker system prune -f
     build_supervisor
     cleanup_lastboot
     cleanup_docker
-    init_dbus
-    init_udev
-    init_os_agent
     run_supervisor
-    stop_docker
 fi