Use a systemd system service to allow rootless podman to run privileged OCI hooks #20113
eriksjolund started this conversation in Ideas

Replies: 0 comments
A half-baked idea. Actually, the idea is still very sketchy and far from being even half-baked.

Maybe it would be possible to let `podman` be started from a systemd system service with `User=` so that `crun` inherits some file descriptors that were opened by the systemd system manager (originating from `OpenFile=` configuration). `crun` communicates with a rootful process by reading and writing to these file descriptors. `ExecStartPost=` with a path that has a `+` prepended to it so that the process is running as root. (Alternatively it could be started from `ExecStartPre=` in the same way.) The rootful process can open the "communication" files and read and write to the files to communicate with `crun`. `crun` to perform some privileged actions.

### Use case

This functionality would for example be useful to the OCI hook oci-seccomp-bpf-hook that currently is not usable for rootless Podman.
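A sketch of the unit file this idea describes, added here as an example; it is not from the discussion author or the Podman project. The user name, the file paths, the fd names, the container image and the root helper binary are assumptions, and the helper is assumed to detach itself, because systemd waits for `ExecStartPost=` commands to exit before the unit counts as started.

```ini
# /etc/systemd/system/rootless-podman-helper.service (assumed path; example only)
[Unit]
Description=Rootless podman whose crun talks to a root helper over manager-opened fds
After=network-online.target

[Service]
Type=simple
# The container engine runs unprivileged; podman forks crun, which inherits
# the file descriptors opened below.
User=containeruser

# Opened by the system manager (root) and handed to ExecStart= like
# socket-activation fds ($LISTEN_FDS / $LISTEN_FDNAMES), so the files can stay
# root-owned with mode 0600: the unprivileged side only ever gets the open fds,
# never the ability to open the paths itself. Paths and fd names are assumptions.
OpenFile=/run/podman-helper/to-helper:to-helper
OpenFile=/run/podman-helper/from-helper:from-helper

ExecStart=/usr/bin/podman run --rm --name demo docker.io/library/alpine sleep infinity

# The leading '+' runs this command with full privileges, ignoring User=, so the
# helper is root. It opens the same two files by path and services requests
# written by crun (or an OCI hook). Everything crossing these fds arrives from an
# unprivileged process, so the helper must validate each request: this is the
# privilege boundary of the whole design. Binary path is an assumption.
ExecStartPost=+/usr/local/libexec/podman-root-helper --detach \
    --in /run/podman-helper/to-helper --out /run/podman-helper/from-helper

# Default KillMode=control-group: stopping the unit also ends the detached helper.
[Install]
WantedBy=multi-user.target
```

Because the helper acts as root on behalf of `crun`, its request format should be narrow and explicit (for instance, only the specific actions the hook needs) rather than a general "run this as root" channel.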