Using --preserve-fds and socket activation at the same time #11381
eriksjolund started this conversation in General
Replies: 2 comments 7 replies
-
Thanks for reaching out, @eriksjolund!
-
Maybe something like this would work: This is just a work-in-progress first attempt. I will need to test it.
-
It seems using `--preserve-fds` together with `LISTEN_FDS` (i.e. socket activation) is not supported:

podman/libpod/oci_conmon_linux.go, Line 1054 in f947ea2
I'm thinking that there could be a valid use case for using both at the same time:
Use case
Assume that the subordinate UID (that is mapped to the container UID=1000) has no read access to the files file1 and file2 but the user's normal UID has read access to the files.
One way to provide read access to the files could be to open them beforehand with `/bin/bash` and then provide `--preserve-fds 2` to `podman run` in the systemd user service:
Here is a sketch
I deliberately left out some of the command-line arguments as they are not really relevant to the discussion. (Probably something like this should also be added: `--cidfile=%t/%n.ctr-id --cgroups=no-conmon --sdnotify=conmon --replace`).

Do you think this is a valid use case?
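The descriptor-passing half of the use case above, as an added example that is not part of the original post and is not Podman code: read permission is checked when a file is opened, so a process that inherits descriptors 3 and 4 can read the files even though it could not open them by path. The file names and contents are constructed, `chmod 000` stands in for the subordinate UID lacking read access, and `sh -c` stands in for the container process.

```bash
#!/bin/sh
# Added illustration; the function name, files and contents are constructed.

demo_inherited_fds() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'secret-one\n' > "$dir/file1"
    printf 'secret-two\n' > "$dir/file2"

    (
        # Open both files while this identity still has read access.
        # They land on fds 3 and 4, the first two descriptors after
        # stdin/stdout/stderr, which is the range "--preserve-fds 2"
        # hands down to the container process.
        exec 3<"$dir/file1" 4<"$dir/file2"

        # Stand-in for "the container's UID has no read access":
        # drop every permission bit after the files are already open.
        # (A root user can still open the paths; the example does not
        # rely on the path open failing.)
        chmod 000 "$dir/file1" "$dir/file2"

        # The child never touches the paths. It only reads the
        # descriptors it inherited from its parent.
        sh -c 'cat <&3; cat <&4'
    )
    local rc=$?

    rm -rf "$dir"
    return "$rc"
}

# Run the demo when the script is executed directly.
case "${0##*/}" in
    demo_inherited_fds.sh) demo_inherited_fds ;;
esac
```
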