Hi @amadio thanks for reviewing!
If I understand correctly, you'd like to preserve these two:
xrootd and cmsd are started via systemd running inside the container. I guess you are referring specifically to: https://github.com/xrootd/xrootd/blob/8f0a3ebf6b14c65c57667d07c0c624f3d4b215a8/docker/xrd-docker#L128-L130
Regarding 1:
Note that our tests already run unprivileged when run via the xrootd-docker script, as the servers are started by systemd
Sorry, I'm confused and may have missed something here. I gave it a try on a system and noticed that when launching it via xrd-docker, the container was being launched in privileged mode. This seems consistent with the way xrd-docker is launching things: https://github.com/xrootd/xrootd/blob/8f0a3ebf6b14c65c57667d07c0c624f3d4b215a8/docker/xrd-docker#L118
Therefore I don't understand how you can get unprivileged mode when starting things under systemd (unless you meant that you're using podman)?
As far as I can see, the reason the --privileged flag is required is entirely due to systemd running inside the container.
Therefore, I don't think we can have both unprivileged containers, and systemd inside the container starting xrootd and cmsd. Podman of course will achieve this, but this isn't a general solution, as for instance you will still require to run as privileged when using anything else other than podman (such as container orchestrators like Kubernetes).
Regarding 2:
I think this might be doable indeed (provided point 1 above is resolved somehow).
I was hoping to find a general solution that will allow running xrootd in unprivileged mode and that works for any environment, such as k8s or docker. But I don't see a technical solution other than to drop the requirement to have systemd start the daemons inside the container. Do you have any ideas about this?
Thanks!