On 09/06/2016 02:16 PM, Muayyad AlSadi
systemd in a container would just run journald as well as systemd,
not much more unless you tell it to.
I only want two processes
confd and my application (apache or php-fpm or node .
or uwsgi ...)
The role of confd is to watch etcd/consul and update
config when needed.
I guess systemd is overkill for such simple thing (I
don't want ttys, crons, dbus, journald....)
Having journald would allow you to catch messages that httpd writes
to syslog, but fine.
Apache is a well-established and it have a way to
drop privileges but this is not the case with "node ."
I'm not sure about k8s no new priv.
Ex. I want confd as root and node as app.
I guess apache does not have nnp option.
A couple of
things. 1 you could use real systemd rather then using some
other init system.
Secondly and perhaps conflicting, is why not run apache as non
start rather then dropping
privs. Apache will run perfectly fine without requiring root
Also you could set the NO_NEW_PRIVS
right in docker/k8s.
On 09/06/2016 01:46 PM, Muayyad AlSadi wrote:
> Typical fictional unicorn containers should have one
> On practice it's actually processes of one concern ex.
> One issue is that your entry point /start.sh should exec
> the shell (so that application process would recieve
> Since start.sh is pid 1 it has the responsibility to
> For this we can use yelp's dumb-init (which is almost to
be pushed to
> official repo and already in copr)
> Typically our start.sh start confd in background using
> Then I exec my application but I would like to drop
> I used exec sudo or exec su but it wont replace the
> I wrote a simple application that drop groups ,
> and user
> Not only that but also it can optionally set
> PR_SET_NO_NEW_PRIVS with prctl
> So that it will never get more privileges even with
> What do you think?