[systemd-devel] rkt container engine fetch user/perm patterns
David Timothy Strauss
david at davidstrauss.net
Tue May 31 16:11:49 UTC 2016
There could be a (potentially socket-activated) service that handles
requests for image downloads.
On Tue, May 31, 2016, 11:06 Brandon Philips <brandon at ifup.co> wrote:
> Hello Everyone-
>
> The rkt container engine wants to run with different permissions pre-start
> and start. In pre-start it needs to fetch/download the container image
> which is an unprivileged operation. In start it needs admin level
> permissions to start the container stage1 (e.g. systemd-nspawn) and mount
> the root overlayfs.
>
> One way of accomplishing this is:
>
> ExecStartPre=/usr/bin/su rktfetchuser -c /usr/bin/rkt fetch
> quay.io/coreos/etcd blah blah
> ExecStart=/usr/bin/rkt run $(COREOS_VERSIONS_ETCD_FULL) blah blah
>
> The other way would be to create a fetch service and a run service but
> that is sort of clunky for users to configure.
>
> Are there other mechanisms to not require the use of wrappers like su?
>
> Thank You,
>
> Brandon
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20160531/fce9b9f8/attachment.html>
More information about the systemd-devel
mailing list