Use a systemd system service to allow rootless podman to run privileged OCI hooks #20113
eriksjolund
started this conversation in
Ideas
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
A half-baked idea. Actually, the idea is still very sketchy and far from being even half-baked.
Maybe it would be possible to
podmanbe started from a systemd system service withUser=so thatcruninherits some file descriptors that were opened by the systemd system manager (originating from OpenFile= configuration).cruncommunicates with a rootful process by reading and writing to these file descriptors.ExecStartPost=with a path that has a+prepended to it so that the process is running as root. (Alternatively it could be started fromExecStartPre=in the same way). The rootful process can open the "communication" files and read and write to the files to communicate withcrun.crunto perform some privileged actions.Use case
This functionality would for example be useful to the OCI hook oci-seccomp-bpf-hook that currently is not usable for rootless Podman.
Beta Was this translation helpful? Give feedback.
All reactions