[systemd-devel] rkt container engine fetch user/perm patterns
Brandon Philips
brandon at ifup.co
Tue May 31 16:05:58 UTC 2016
Hello Everyone-
The rkt container engine wants to run with different permissions pre-start
and start. In pre-start it needs to fetch/download the container image
which is an unprivileged operation. In start it needs admin level
permissions to start the container stage1 (e.g. systemd-nspawn) and mount
the root overlayfs.
One way of accomplishing this is:
ExecStartPre=/usr/bin/su rktfetchuser -c /usr/bin/rkt fetch
quay.io/coreos/etcd blah blah
ExecStart=/usr/bin/rkt run $(COREOS_VERSIONS_ETCD_FULL) blah blah
The other way would be to create a fetch service and a run service but that
is sort of clunky for users to configure.
Are there other mechanisms to not require the use of wrappers like su?
Thank You,
Brandon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20160531/bbfc2def/attachment.html>
More information about the systemd-devel
mailing list