制作镜像时启动服务出错：

invoke-rc.d: policy-rc.d denied execution of start.

1、大多数发行版不会包含 /usr/sbin/policy-rc.d 文件，因为这个文件是用于帮助管理员控制哪些包可以在安装、卸载、更新时执行脚本。

而在 docker 容器中，大多数 apt-get install 发生在 docker build 阶段，这个阶段如果去启动/停止服务，可能因为一些意外而无法成功并且也没有必要。大多数服务都是在 docker run 或 docker start 时启动/停止。

如果你一定要启动/停止服务，可以将 /usr/sbin/policy-rc.d 文件中的返回值改为0。

0 - action allowed
1 - unknown action (therefore, undefined policy)
100 - unknown initscript id
101 - action forbidden by policy
102 - subsystem error
103 - syntax error
104 - [reserved]
105 - behaviour uncertain, policy undefined.
106 - action not allowed. Use the returned fallback actions
(which are implied to be “allowed”) instead.

参考：https://askubuntu.com/questions/365911/why-the-services-do-not-start-at-installation

2、博客：https://stackoverflow.com/questions/46247032/how-to-solve-invoke-rc-d-policy-rc-d-denied-execution-of-start-when-building

Here is a good post which tries to root cause the issue you are facing.

Shorter way:

    RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d should resolve your issue OR

    If that doesn't resolve the issue, try running your docker container with privileged option. Like this, docker run --privileged -d -ti DOCKER_IMAGE:TAG

Ideally, I would not recommend running container with privileged option unless its a test bed container. The reason being running a docker container with privileged gives all capabilities to the container, and it also lifts all the limitations enforced. In other words, the container can then do almost everything that the host can do. But this is not a good practice. This defeats the docker purpose of isolating from host machine.

The ideal way to do this is to set capabilities of your docker container based on what you want to achieve. Googling this should help you out to provide appropriate capability for your docker container.

即在Dockerfile中加入

RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d