That being said, I would recommend real systemd for fat containers like freeipa
https://github.com/adelton/docker-freeipa

IMHO dumb-init is meant to replace /start.sh (making it dumb-init /start.sh), not to replace systemd.

My question is: is oneway.c properly written and safe, and does it do what I expect it to do?

On Tue, Sep 6, 2016, 9:22 PM Daniel J Walsh <dwa...@redhat.com> wrote:
>
> On 09/06/2016 02:16 PM, Muayyad AlSadi wrote:
> > I only want two processes
> > confd and my application (apache or php-fpm or node . or uwsgi ...)
> > The role of confd is to watch etcd/consul and update config when needed.
> > I guess systemd is overkill for such a simple thing (I don't want ttys,
> > crons, dbus, journald....)
>
> systemd in a container would just run journald as well as systemd, not
> much more unless you tell it to.
> Having journald would allow you to catch messages that httpd writes to
> syslog, but fine.
>
> > Apache is well-established and it has a way to drop privileges but this
> > is not the case with "node ."
> > I'm not sure about k8s no new priv.
> > Ex. I want confd as root and node as app.
> > I guess apache does not have an nnp option.
> >
> > On Tue, Sep 6, 2016, 9:05 PM Daniel J Walsh <dwa...@redhat.com> wrote:
> > > A couple of things. 1, you could use real systemd rather than using some
> > > other init system.
> > >
> > > Secondly, and perhaps conflicting: why not run apache as non-root to
> > > start rather than dropping privs? Apache will run perfectly fine without
> > > requiring root privs. Also you could set NO_NEW_PRIVS right in docker/k8s.
> > >
> > > On 09/06/2016 01:46 PM, Muayyad AlSadi wrote:
> > > > Hi,
> > > >
> > > > Typical fictional unicorn containers should have one process.
> > > > In practice it's actually processes of one concern, ex. Apache.
> > > >
> > > > One issue is that your entry point /start.sh should exec to replace
> > > > the shell (so that the application process would receive signals).
> > > >
> > > > Since start.sh is pid 1 it has the responsibility to handle zombies.
> > > > For this we can use yelp's dumb-init (which is about to be pushed to the
> > > > official repo and is already in copr)
> > > >
> > > > https://github.com/Yelp/dumb-init
> > > >
> > > > Typically our start.sh starts confd in the background using nohup.
> > > >
> > > > Then I exec my application but I would like to drop privileges; first
> > > > I used exec sudo or exec su but it won't replace the process.
> > > >
> > > > I wrote a simple application that drops group, supplementary groups
> > > > and user.
> > > >
> > > > Not only that but it can also optionally set
> > > > PR_SET_NO_NEW_PRIVS with prctl
> > > > so that it will never get more privileges even with sudo/su.
> > > >
> > > > What do you think?
> > > >
> > > > https://github.com/muayyad-alsadi/oneway/blob/master/README.md
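The drop-privileges-then-exec wrapper the thread is discussing, as an added example written for this page; it is not oneway's code (oneway.c itself is not reproduced here) and it makes no claim about what oneway does internally. It clears supplementary groups, sets the gid and then the uid, checks that the drop really happened and cannot be reversed, optionally sets PR_SET_NO_NEW_PRIVS, and finally execvp()s the application so it takes over the PID and receives the container's signals directly. The `dropexec` name, the `--nnp` flag and the `USER[:GROUP]` syntax are assumptions for the example, not anything from the original post.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Irrevocably drop from root to uid:gid.  The order matters: supplementary
 * groups and the primary gid have to go while we still hold CAP_SETGID,
 * i.e. before setuid() moves us off uid 0 and the kernel clears the
 * capability sets.  Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)   /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0)          /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)          /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Confirm the drop actually happened and cannot be undone.  setuid() can
 * fail in surprising ways (RLIMIT_NPROC, user namespaces), so a wrapper
 * should never trust the return value alone.  Returns 1 if every id matches
 * and root cannot be regained, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail: no saved uid 0, no CAP_SETUID */
        return 0;
    return 1;
}

/* PR_SET_NO_NEW_PRIVS: from now on execve() ignores setuid/setgid bits and
 * file capabilities, for this process and everything it forks or execs.
 * Combined with the drop above, "sudo" or "su" inside the app can no
 * longer climb back to root.  Returns the flag as read back (1), or -1. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Resolve "user" or "user:group" (hypothetical syntax) to numeric ids.
 * Returns 0 on success, -1 if either name is unknown. */
int resolve_ids(const char *spec, uid_t *uid, gid_t *gid)
{
    char buf[256];
    char *colon;
    struct passwd *pw;
    struct group *gr;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    colon = strchr(buf, ':');
    if (colon)
        *colon++ = '\0';
    pw = getpwnam(buf);
    if (!pw)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;                 /* primary group unless overridden */
    if (colon && *colon) {
        gr = getgrnam(colon);
        if (!gr)
            return -1;
        *gid = gr->gr_gid;
    }
    return 0;
}

/* Usage (assumed for this example): dropexec [--nnp] USER[:GROUP] COMMAND [ARGS...]
 * e.g. the last line of a start.sh running as root:  exec ./dropexec --nnp app node . */
int main(int argc, char **argv)
{
    int nnp = 0, i = 1;
    uid_t uid;
    gid_t gid;

    if (i < argc && strcmp(argv[i], "--nnp") == 0) { nnp = 1; i++; }
    if (argc - i < 2) {
        fprintf(stderr, "usage: %s [--nnp] USER[:GROUP] COMMAND [ARGS...]\n", argv[0]);
        return 2;
    }
    if (resolve_ids(argv[i], &uid, &gid) != 0) {
        fprintf(stderr, "unknown user/group: %s\n", argv[i]);
        return 2;
    }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "refusing to exec: privileges not fully dropped\n");
        return 1;
    }
    if (nnp && set_no_new_privs() != 1) { perror("PR_SET_NO_NEW_PRIVS"); return 1; }

    /* execvp() replaces this process image: the application keeps our PID,
     * so signals from the container runtime reach it with no shell in between. */
    execvp(argv[i + 1], &argv[i + 1]);
    perror("execvp");
    return 127;
}
```

Two things worth noting for anyone reviewing a wrapper like this: the drop is verified after the fact rather than by trusting the setuid()/setgid() return codes, and the no_new_privs bit is read back with PR_GET_NO_NEW_PRIVS because the flag only takes effect when called with exactly (1, 0, 0, 0). NO_NEW_PRIVS stops privilege gain across execve (setuid binaries, file capabilities); it does not remove anything the process already holds, which is why the uid/gid drop still has to come first.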