-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
run root-less? #30
Comments
The if the euid is 0, otherwise skip the installation step (will fail anyway, but that's a fatal error) See: #30 Signed-off-by: Miek Gieben <miek@miek.nl>
The if the euid is 0, otherwise skip the installation step (will fail anyway, but that's a fatal error) See: #30 Signed-off-by: Miek Gieben <miek@miek.nl>
Chowning a file/directory in Linux needs the CAP_CHOWN capability, so not full root. I still believe creating system units requires root, but what about user units? If that can be done then we would need a few code changes and only the CAP_CHOWN capability (provided we can create the directories) Oh user services, require a user to login into the system, https://superuser.com/questions/853717/what-is-the-difference-between-systemds-user-and-system-services |
Potentially we can run a user systemd regardless - would slightly be more involved, but not rocket science. This would imply we would run all pods using the same user - the user for which we started the systemd user process (i.e. Note this also means you can't bind to a low port, etc. etc. So you may not want to this a default, but it would be good to understand that this is very much a possibly in more constrained environments. |
hmm, it looks like its just: |
See #64 for how this would look, still requires capabilities, but those are dealt with outside of this code base (although we can provide an example unit file) |
see #86 it cannot be done. |
If the issue is with BindPaths not working, do any of the parameters mentioned in "Automatic creation of directories for a service" at https://www.redhat.com/sysadmin/systemd-secure-services help? |
cc @nicollet |
@erwbgy sadly no, not for this use case. Note that the example in that section also uses |
Can we run as non-root? Potentially letting systemd doing all the heavy lifting?
Of course being able to send arbitrary unit to systemd is indistinguishable from actually being root... But it might benefit some use cases.
It could very much turn out this is not possbile.
The text was updated successfully, but these errors were encountered: