[systemd-devel] rkt container engine fetch user/perm patterns

Lennart Poettering lennart at poettering.net
Tue May 31 16:39:55 UTC 2016


On Tue, 31.05.16 16:05, Brandon Philips (brandon at ifup.co) wrote:

> Hello Everyone-
> 
> The rkt container engine wants to run with different permissions pre-start
> and start. In pre-start it needs to fetch/download the container image
> which is an unprivileged operation. In start it needs admin level
> permissions to start the container stage1 (e.g. systemd-nspawn) and mount
> the root overlayfs.
> 
> One way of accomplishing this is:
> 
> ExecStartPre=/usr/bin/su rktfetchuser -c /usr/bin/rkt fetch
> quay.io/coreos/etcd blah blah
> ExecStart=/usr/bin/rkt run $(COREOS_VERSIONS_ETCD_FULL) blah blah
> 
> The other way would be to create a fetch service and a run service but that
> is sort of clunky for users to configure.
> 
> Are there other mechanisms to not require the use of wrappers like su?

The inverse exists with PermissionsStartOnly= already, and I am open
to extending this, but I am not entirely sure how. Do you have a
suggestion for what that could look like in syntax?

That said, you can of course achieve the right thing by having a
second service that does the fetching of Type=oneshot and then add a
Requires= dep from the main service to it.

BTW: you really should use "runuser" instead of "su" here I think. Both
are available in util-linux.

Lennart

-- 
Lennart Poettering, Red Hat
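For reference, the two-unit arrangement Lennart describes (an unprivileged Type=oneshot fetch service that the privileged run service pulls in with Requires=) written out as unit files. This is an added illustration, not code from the thread or from the rkt project; the unit names rkt-etcd-fetch.service and rkt-etcd.service, the user rktfetchuser and the bare image reference are assumptions standing in for the "blah blah" arguments in the original post, and it assumes the image store populated by rktfetchuser is readable by the root-run `rkt run`.

```ini
# rkt-etcd-fetch.service  (added example; unit names and user are hypothetical)
[Unit]
Description=Fetch the etcd container image as an unprivileged user

[Service]
Type=oneshot
# Fetching/downloading the image needs no privileges, so drop them here
# instead of wrapping the command in su/runuser inside ExecStartPre=.
User=rktfetchuser
ExecStart=/usr/bin/rkt fetch quay.io/coreos/etcd
# Stay "active" after a successful fetch so restarting rkt-etcd.service
# does not trigger a refetch every time.
RemainAfterExit=yes
```

```ini
# rkt-etcd.service  (added example; unit names are hypothetical)
[Unit]
Description=Run etcd in an rkt container
# Requires= pulls the fetch unit in and fails this unit if the fetch fails,
# but it does NOT order the two; After= is what makes the fetch finish first.
Requires=rkt-etcd-fetch.service
After=rkt-etcd-fetch.service

[Service]
# Runs as root (the default): starting stage1 (e.g. systemd-nspawn) and
# mounting the root overlayfs need admin privileges.
ExecStart=/usr/bin/rkt run quay.io/coreos/etcd
```

Two details worth checking when adapting this: Requires= alone gives no ordering guarantee, so without the After= line the run step can race the fetch; and PermissionsStartOnly= is the opposite of what rkt wants here, since it keeps ExecStartPre= running as root while ExecStart= runs as the configured User=. If the version is injected through an environment variable as in the original ExecStart= line, systemd expands it as `${VAR}` or `$VAR`, not the shell-style `$(VAR)` shown in the post.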
