On Tue, 31.05.16 16:05, Brandon Philips (bran...@ifup.co) wrote:

> Hello Everyone-
>
> The rkt container engine wants to run with different permissions pre-start
> and start. In pre-start it needs to fetch/download the container image
> which is an unprivileged operation. In start it needs admin level
> permissions to start the container stage1 (e.g. systemd-nspawn) and mount
> the root overlayfs.
>
> One way of accomplishing this is:
>
> ExecStartPre=/usr/bin/su rktfetchuser -c /usr/bin/rkt fetch
> quay.io/coreos/etcd blah blah
> ExecStart=/usr/bin/rkt run $(COREOS_VERSIONS_ETCD_FULL) blah blah
>
> The other way would be to create a fetch service and a run service but that
> is sort of clunky for users to configure.
>
> Are there other mechanisms to not require the use of wrappers like su?

The inverse exists with PermissionsStartOnly= already, and I am open
to extending this, but I am not entirely sure how. Do you have a
suggestion for what that could look like in syntax?

That said, you can of course achieve the right thing by having a
second service of Type=oneshot that does the fetching, and then adding
a Requires= dep from the main service to it.

BTW: you really should use "runuser" instead of "su" here, I think.
Both are available in util-linux.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
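
The two-service arrangement suggested in the reply above, written out as an added example that is not part of the original thread. The unit names rkt-fetch.service and etcd.service are hypothetical, the rkt arguments are reduced to the image name from the question, and After= is added because Requires= on its own does not order the two units.

```ini
# /etc/systemd/system/rkt-fetch.service  (hypothetical unit name)
[Unit]
Description=Fetch the etcd image as an unprivileged user

[Service]
Type=oneshot
# User= drops privileges for this unit, so no su/runuser wrapper is needed.
User=rktfetchuser
ExecStart=/usr/bin/rkt fetch quay.io/coreos/etcd

# /etc/systemd/system/etcd.service  (hypothetical unit name)
[Unit]
Description=etcd under rkt
# Requires= pulls the fetch unit in; After= makes this unit wait for it.
# If the fetch fails, this unit is not started.
Requires=rkt-fetch.service
After=rkt-fetch.service

[Service]
# No User= here: rkt run keeps root for stage1 and the overlayfs mount.
ExecStart=/usr/bin/rkt run quay.io/coreos/etcd
```

Because the fetch unit is Type=oneshot without RemainAfterExit=, it returns to inactive once it finishes and runs again each time etcd.service is started.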