List: systemd-devel
Subject: Re: [systemd-devel] rkt container engine fetch user/perm patterns
From: Lennart Poettering <lennart () poettering ! net>
Date: 2016-05-31 16:39:55
Message-ID: 20160531163955.GA20747 () gardel-login
On Tue, 31.05.16 16:05, Brandon Philips (brandon@ifup.co) wrote:
> Hello Everyone-
>
> The rkt container engine wants to run with different permissions pre-start
> and start. In pre-start it needs to fetch/download the container image
> which is an unprivileged operation. In start it needs admin level
> permissions to start the container stage1 (e.g. systemd-nspawn) and mount
> the root overlayfs.
>
> One way of accomplishing this is:
>
> ExecStartPre=/usr/bin/su rktfetchuser -c /usr/bin/rkt fetch quay.io/coreos/etcd blah blah
> ExecStart=/usr/bin/rkt run $(COREOS_VERSIONS_ETCD_FULL) blah blah
>
> The other way would be to create a fetch service and a run service but that
> is sort of clunky for users to configure.
>
> Are there other mechanisms to not require the use of wrappers like su?

The inverse exists with PermissionsStartOnly= already, and I am open
to extending this, but I am not entirely sure how. Do you have a
suggestion for what that could look like in syntax?

That said, you can of course achieve the right thing by having a
second service that does the fetching of Type=oneshot and then add a
Requires= dep from the main service to it.

BTW: you really should use "runuser" instead of "su" here I think. Both
are available in util-linux.

Lennart

--
Lennart Poettering, Red Hat
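
The two-unit layout suggested in the reply, written out as an added example that is not part of the original message or of the rkt or systemd projects. The unit file names and the image argument to `rkt run` are hypothetical, the arguments elided in the thread are left out, and `After=` is added because `Requires=` alone does not order the two units.

```ini
# ---- rkt-etcd-fetch.service (hypothetical unit name) ----
[Unit]
Description=Fetch the etcd image for rkt without root privileges

[Service]
# oneshot: the unit stays "activating" until the fetch command exits,
# so units ordered After= it wait for the download to finish.
Type=oneshot
# Drop privileges in the unit itself instead of wrapping the command
# in su or runuser. rktfetchuser is the account named in the thread;
# this assumes it is allowed to write to the image store rkt uses.
User=rktfetchuser
ExecStart=/usr/bin/rkt fetch quay.io/coreos/etcd

# ---- rkt-etcd.service (hypothetical unit name) ----
[Unit]
Description=etcd run by rkt
# Requires= pulls the fetch unit in and fails this unit's start job
# if the fetch fails; After= makes this unit wait for it to finish.
Requires=rkt-etcd-fetch.service
After=rkt-etcd-fetch.service

[Service]
# No User= here: stage1 (e.g. systemd-nspawn) and the overlayfs mount
# need admin-level permissions, so only this unit runs as root.
# The image name is a placeholder for the arguments used in the thread.
ExecStart=/usr/bin/rkt run quay.io/coreos/etcd
```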