
Hi @amadio thanks for reviewing!

If I understand correctly, you'd like to preserve these two:

1. `xrootd` and `cmsd` are started via systemd running inside the container. I guess you are referring specifically to: https://github.com/xrootd/xrootd/blob/8f0a3ebf6b14c65c57667d07c0c624f3d4b215a8/docker/xrd-docker#L128-L130
2. I understand that you prefer to keep the dependencies and build implementations in one place (the RPM spec).

Regarding 1:
> Note that our tests already run unprivileged when run via the xrootd-docker script, as the servers are started by systemd

Sorry, I'm confused and may have missed something here. I gave it a try on a system and noticed that when launching it via `xrd-docker`, the container was being launched in privileged mode. This seems consistent with the way xrd-docker is launching things: https://github.com/xrootd/xrootd/blob/8f0a3ebf6b14c65c57667d07c0c624f3d4b215a8/docker/xrd-docker#L118
Therefore I don't understand how you can get unprivileged mode when starting things under systemd (unless you meant that you're using podman)?

As far as I can see, the reason the `--privileged` flag is required is entirely due to systemd running inside the container.
Therefore, I don't think we can have both unprivileged containers and systemd inside the container starting xrootd and cmsd. Podman of course will achieve this, but this isn't a general solution, as for instance you will still be required to run as privileged when using anything other than podman (such as container orchestrators like Kubernetes).

Regarding 2:
I think this might be doable indeed (provided point 1 above is resolved somehow).

I was hoping to find a general solution that will allow running xrootd in unprivileged mode and that works in any environment, such as k8s or docker. But I don't see a technical solution other than to drop the requirement to have systemd start the daemons inside the container. Do you have any ideas about this?

Thanks!


-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/pull/2066#issuecomment-1663514741