There could be a (potentially socket-activated) service that handles requests for image downloads.

On Tue, May 31, 2016, 11:06 Brandon Philips <bran...@ifup.co> wrote:

> Hello Everyone-
>
> The rkt container engine wants to run with different permissions pre-start
> and start. In pre-start it needs to fetch/download the container image
> which is an unprivileged operation. In start it needs admin level
> permissions to start the container stage1 (e.g. systemd-nspawn) and mount
> the root overlayfs.
>
> One way of accomplishing this is:
>
> ExecStartPre=/usr/bin/su rktfetchuser -c /usr/bin/rkt fetch quay.io/coreos/etcd blah blah
> ExecStart=/usr/bin/rkt run $(COREOS_VERSIONS_ETCD_FULL) blah blah
>
> The other way would be to create a fetch service and a run service but
> that is sort of clunky for users to configure.
>
> Are there other mechanisms to not require the use of wrappers like su?
>
> Thank You,
>
> Brandon
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel