Hi @amadio thanks for reviewing!

If I understand correctly, you'd like to preserve these two:

  1. xrootd and cmsd are started via systemd running inside the container. I guess you are referring specifically to: https://github.com/xrootd/xrootd/blob/8f0a3ebf6b14c65c57667d07c0c624f3d4b215a8/docker/xrd-docker#L128-L130
  2. I understand that you prefer to keep the dependencies and build implementations in one place (the RPM spec).

Regarding 1:

> Note that our tests already run unprivileged when run via the xrootd-docker script, as the servers are started by systemd

Sorry, I'm confused and may have missed something here. I gave it a try on a system and noticed that when launching it via xrd-docker, the container was being launched in privileged mode. This seems consistent with the way xrd-docker is launching things: https://github.com/xrootd/xrootd/blob/8f0a3ebf6b14c65c57667d07c0c624f3d4b215a8/docker/xrd-docker#L118
Therefore I don't understand how you can get unprivileged mode when starting things under systemd (unless you meant that you're using podman)?

As far as I can see, the reason the --privileged flag is required is entirely due to systemd running inside the container.
Therefore, I don't think we can have both unprivileged containers and systemd inside the container starting xrootd and cmsd. Podman of course will achieve this, but this isn't a general solution, as for instance you will still be required to run as privileged when using anything other than podman (such as container orchestrators like Kubernetes).

Regarding 2:
I think this might be doable indeed (provided point 1 above is resolved somehow).

I was hoping to find a general solution that will allow running xrootd in unprivileged mode and that works for any environment such as k8s or docker. But I don't see a technical solution other than to drop the requirement to have systemd start the daemons inside the container. Do you have any ideas about this?

Thanks!
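The comment above turns on one question: is the container actually running with `--privileged`, and is that only because PID 1 inside it is systemd? The following is an added example, not part of the xrootd project or of the xrd-docker script. It takes the JSON that `docker inspect <container>` prints (the `HostConfig.Privileged` flag and the top-level `Path` field, which is the container's entrypoint) and classifies the container so that a reviewer can check the claim from the discussion rather than guess. The inspect output is embedded inline as a constructed sample so the script runs offline; against a real host you would feed it `docker inspect` output instead.

```shell
#!/bin/sh
# Added example (not xrootd's code): classify a container from its
# `docker inspect` JSON as privileged/unprivileged and report whether its
# entrypoint is a systemd init, which is the part of the setup that forces
# --privileged in the discussion above. Matching is grep-based so it only
# needs POSIX tools; it assumes the standard docker inspect field names
# "Privileged" (under HostConfig) and "Path" (the entrypoint).
classify_inspect_json() {
    json=$1
    mode=unprivileged
    # HostConfig.Privileged is true only when the container was started with --privileged.
    if printf '%s\n' "$json" | grep -Eq '"Privileged"[[:space:]]*:[[:space:]]*true'; then
        mode=privileged
    fi
    init=no-init
    # Typical init entrypoints: /sbin/init, /usr/sbin/init, /usr/lib/systemd/systemd.
    if printf '%s\n' "$json" | grep -Eq '"Path"[[:space:]]*:[[:space:]]*"(/usr)?/(s?bin/init|lib/systemd/systemd)"'; then
        init=systemd-init
    fi
    echo "$mode $init"
}

# Constructed sample 1: the relevant fragment of `docker inspect` output for a
# container started with --privileged whose entrypoint is systemd's init.
SAMPLE_PRIVILEGED='[{"Id":"constructed-1","Path":"/sbin/init","HostConfig":{"Privileged": true,"CapAdd":null}}]'

# Constructed sample 2: an unprivileged container whose entrypoint is the
# xrootd binary itself (the daemon started directly, no init inside).
SAMPLE_UNPRIVILEGED='[{"Id":"constructed-2","Path":"/usr/bin/xrootd","HostConfig":{"Privileged": false,"CapAdd":null}}]'

# Stand-alone run: prints one classification line per sample.
classify_inspect_json "$SAMPLE_PRIVILEGED"
classify_inspect_json "$SAMPLE_UNPRIVILEGED"
```

In practice you would run `docker inspect <name> | xargs -0 printf '%s'` (or simply capture the output into a variable) and pass it to `classify_inspect_json`; a result of `privileged systemd-init` is the combination the thread is trying to get rid of, while `unprivileged no-init` is what dropping the in-container systemd would yield.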


Message ID: <xrootd/xrootd/pull/2066/c1663514741@github.com>