
Re: [atomic-devel] systemd as pid 1 in an unprivileged container.



Hi,

Tobias Florek <atomic ibotty net> writes:

> now that systemd conference has been a success, I wanted to ask whether
> you had a chance to look into it?

I was playing around with bubblewrap and systemd.  I've submitted some
patches for systemd that got merged:

https://github.com/systemd/systemd/pull/4280

they enable systemd to work without CAP_AUDIT[READ|WRITE] and not fail
when setgroups is disabled (can be done through /proc/PID/setgroups).

I have more patches to bubblewrap:

https://github.com/projectatomic/bubblewrap/pull/101

that are needed to run systemd in it.  I think the overall design, and
that some caps are left only when in a new user namespace, is safe.
Anyway, they require a very accurate review, as a bug there can open the
door to really bad things.

Regards,
Giuseppe
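
One way to check, for a given PID, the two conditions the message mentions (no CAP_AUDIT_READ/CAP_AUDIT_WRITE, and setgroups disabled via /proc/PID/setgroups). This is an added example, not code from the message, systemd or bubblewrap; the function names and the sample status text are constructed for illustration.

```python
import sys

# Bit numbers from <linux/capability.h>.
AUDIT_CAPS = {"CAP_AUDIT_WRITE": 29, "CAP_AUDIT_READ": 37}

# Constructed sample of the capability lines in /proc/PID/status:
# neither audit capability is effective; only CAP_AUDIT_WRITE is still bounding.
SAMPLE_STATUS = """Name:\tsystemd
CapEff:\t0000001fdfffffff
CapBnd:\t0000001fffffffff
"""

def parse_cap_sets(status_text):
    """Return the Cap* hex masks from /proc/PID/status text as integers."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps

def audit_caps(status_text):
    """For each audit capability, report presence in the effective and bounding sets."""
    caps = parse_cap_sets(status_text)
    return {
        name: {
            "effective": bool(caps.get("CapEff", 0) >> bit & 1),
            "bounding": bool(caps.get("CapBnd", 0) >> bit & 1),
        }
        for name, bit in AUDIT_CAPS.items()
    }

def setgroups_disabled(setgroups_text):
    """/proc/PID/setgroups reads "allow" or "deny"; "deny" means setgroups(2) is disabled."""
    return setgroups_text.strip() == "deny"

def inspect(pid="self"):
    with open(f"/proc/{pid}/status") as f:
        report = audit_caps(f.read())
    try:
        with open(f"/proc/{pid}/setgroups") as f:
            report["setgroups_disabled"] = setgroups_disabled(f.read())
    except OSError:
        report["setgroups_disabled"] = None  # file unavailable or unreadable
    return report

if __name__ == "__main__":
    print(inspect(sys.argv[1] if len(sys.argv) > 1 else "self"))
```

Run with the PID of the container's init as the argument to inspect a live process; with no argument it reports on itself.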

