I was hoping to find a general solution that will allow running xrootd in unprivileged mode that works for any environment such as k8s, docker. But I don't see a technical solution other than to drop the requirement to have systemd start the daemons inside the container. Do you have any ideas about this?

We just want systemd to start the xrootd service for testing and CI, I'm fine with creating a container that can run unprivileged, but the container built by xrd-docker can be run unprivileged like this, for example, so I don't think a lot is needed to allow what you want:

$ docker run --ulimit nofile=262144:262144 -u xrootd:xrootd --network=host xrootd:alma8 xrootd -c /etc/xrootd/xrootd-srv2.cfg

With 5.6.2 you will not need --ulimit nofile=262144:262144 anymore.

You can test that the server runs ok with xrdfs localhost:1099 query config version. So I think that the container the way it is built is fine, you just need to change the default configurations, as the ones shipping inside are not suitable for running as you'd like.


Message ID: <xrootd/xrootd/pull/2066/c1663555051@github.com>