
Comments (8)

miekg avatar miekg commented on May 27, 2024

Chowning a file/directory in Linux needs the CAP_CHOWN capability, so not full root.

I still believe creating system units requires root, but what about user units? If that can be done then we would need a few code changes and only the CAP_CHOWN capability (provided we can create the directories)

Oh, user services require a user to log into the system, https://superuser.com/questions/853717/what-is-the-difference-between-systemds-user-and-system-services
(trying to dig up some more official docs)

from systemk.

miekg avatar miekg commented on May 27, 2024

Potentially we can run a user systemd regardless - it would be slightly more involved, but not rocket science. This would imply we would run all pods using the same user - the user for which we started the systemd user process (i.e. the systemk user). Then we're left with only the CAP_CHOWN capability.

Note this also means you can't bind to a low port, etc. etc. So you may not want to make this the default, but it would be good to understand that this is very much a possibility in more constrained environments.


miekg avatar miekg commented on May 27, 2024

Hmm, it looks like it's just: su $USER systemd --user and changing systemk's init (or whatever) to use the user version (this is a boolean on the API, right now it just defaults to 'use the system one').
This can be a PreExecStart in the service.file that starts systemk, like here: https://github.com/miekg/debian/blob/master/systemk/debian/systemk.service
Together with CAP_CHOWN and systemk's -d flag... that should be it.


miekg avatar miekg commented on May 27, 2024

See #64 for how this would look. It still requires capabilities, but those are dealt with outside of this code base (although we can provide an example unit file).


miekg avatar miekg commented on May 27, 2024

See #86, it cannot be done.


erwbgy avatar erwbgy commented on May 27, 2024

If the issue is with BindPaths not working, do any of the parameters mentioned in "Automatic creation of directories for a service" at https://www.redhat.com/sysadmin/systemd-secure-services help?

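The two ideas discussed in the comments above, running the service with only CAP_CHOWN instead of full root and letting systemd create the service's directories, are easiest to reason about with a concrete unit fragment and a check of what capabilities the process actually ended up with. The script below is an added example, not code from systemk or from any of the commenters: it renders a hypothetical drop-in for a unit named systemk.service (the User= name, paths and the directives chosen are assumptions for illustration) and decodes the CapEff hex mask that Linux exposes in /proc/<pid>/status, where CAP_CHOWN is bit 0. Note that the thread concludes the directory directives do not solve systemk's particular problem; the fragment only shows how the constraint would be expressed and verified.

```shell
#!/usr/bin/env bash
# Added example (not part of the systemk project). Linux only for the
# /proc-based check; the pure mask functions run anywhere bash runs.

# cap_in_mask <hex mask as printed in /proc/<pid>/status> <capability number>
# Returns 0 (true) if that capability bit is set.
cap_in_mask() {
    local mask=$1 bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# CAP_CHOWN is capability number 0 in include/uapi/linux/capability.h.
cap_chown_in_mask() {
    cap_in_mask "$1" 0
}

# True only if CAP_CHOWN is the *sole* capability in the mask, i.e. the
# "only CAP_CHOWN" outcome the comments are aiming for.
only_cap_chown() {
    [ $(( 0x$1 )) -eq 1 ]
}

# Read the effective capability mask of the calling process.
# Run this from inside the service (e.g. via ExecStartPre=) to confirm the unit
# really dropped everything except CAP_CHOWN.
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Render a hypothetical drop-in fragment. Directive names are real systemd
# options; the unit name, user and directory names are assumed for illustration.
render_unit() {
    cat <<'EOF'
# /etc/systemd/system/systemk.service.d/capabilities.conf (assumed path)
[Service]
# Run unprivileged instead of as root.
User=systemk
# Keep only CAP_CHOWN: bounding set limits what can ever be gained,
# AmbientCapabilities hands it to the (non-setuid) systemk binary at exec.
CapabilityBoundingSet=CAP_CHOWN
AmbientCapabilities=CAP_CHOWN
NoNewPrivileges=yes
# Let systemd create and own the directories instead of systemk chowning them
# (StateDirectory= -> /var/lib/systemk, RuntimeDirectory= -> /run/systemk).
StateDirectory=systemk
RuntimeDirectory=systemk
LogsDirectory=systemk
EOF
}

# Stand-alone usage: print the fragment and report the current process's caps.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    render_unit
    mask=$(current_cap_eff)
    echo "CapEff of this shell: $mask"
    if only_cap_chown "$mask"; then
        echo "effective set is exactly CAP_CHOWN"
    elif cap_chown_in_mask "$mask"; then
        echo "CAP_CHOWN present, but other capabilities are too"
    else
        echo "CAP_CHOWN not in the effective set"
    fi
fi
```

After installing such a drop-in and running systemctl daemon-reload, systemctl show systemk.service -p CapabilityBoundingSet -p AmbientCapabilities reports what systemd will apply, and running the check above from the service itself confirms the effective set at runtime; a mask of 0000000000000001 is the CAP_CHOWN-only result.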

miekg avatar miekg commented on May 27, 2024

cc @nicollet


miekg avatar miekg commented on May 27, 2024

@erwbgy sadly no, not for this use case. Note that the example in that section also uses sudo.
