Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-10-19 Thread Tob
Hi, thank you for working on it. So the plan to run systemd with a positive uid is to wrap it in bubblewrap? Will that work with docker (or OCI)? Cheers, Tobias Florek

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-10-19 Thread Alexander Larsson
On Thu, 2016-10-13 at 15:26 +0200, Giuseppe Scrivano wrote: > I have more patches to bubblewrap: > > https://github.com/projectatomic/bubblewrap/pull/101 > > that are needed to run systemd in it.  I think the overall design, > and > that some caps are left only when in a new  user namespace is s

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-10-13 Thread Giuseppe Scrivano
Hi Tob, Tob writes: > thank you for working on it. So the plan to run systemd with a positive > uid is to wrap it in bubblewrap? Will that work with docker (or OCI)? it works with Docker and runc as well, they leave more capabilities in the container than what bubblewrap does (with my WIP patch

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-10-13 Thread Giuseppe Scrivano
Hi, Tobias Florek writes: > now that systemd conference has been a success, I wanted to ask whether > you had a chance to look into it? I was playing around with bubblewrap and systemd. I've submitted some patches for systemd that got merged: https://github.com/systemd/systemd/pull/4280 they

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-10-12 Thread Tobias Florek
Hi, >>> I think we need to discuss this with the systemd team. We are currently >>> looking into running non privileged containers as a user launched >>> at boot time using systemd. >>> >>> Lukas what is the chances of getting a systemd that would run as a non >>> root user as pid 1 inside of a co

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-26 Thread Lukáš Nykrýn
Daniel J Walsh writes on Fri 16. 09. 2016 at 06:23 -0400: > > On 09/15/2016 06:42 AM, Tobias Florek wrote: > > > > Thank you for your heroic effort to make docker containers a better > > citizen! It is very appreciated. > > > > Is there some work underway (or planned) to run systemd with non-zero > >

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-16 Thread Daniel J Walsh
On 09/16/2016 07:04 AM, Lukáš Nykrýn wrote: > Daniel J Walsh writes on Fri 16. 09. 2016 at 06:23 -0400: >> On 09/15/2016 06:42 AM, Tobias Florek wrote: >>> Thank you for your heroic effort to make docker containers a better >>> citizen! It is very appreciated. >>> >>> Is there some work underway (or pl

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-16 Thread Daniel J Walsh
On 09/15/2016 06:42 AM, Tobias Florek wrote: > Thank you for your heroic effort to make docker containers a better > citizen! It is very appreciated. > > Is there some work underway (or planned) to run systemd with non-zero > pid? That is some additional isolation that would benefit e.g. Openshift

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-15 Thread Tobias Florek
Thank you for your heroic effort to make docker containers a better citizen! It is very appreciated. Is there some work underway (or planned) to run systemd with non-zero pid? That is some additional isolation that would benefit e.g. Openshift tremendously. Cheers, Tobias Florek

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-14 Thread Muayyad AlSadi
Here https://github.com/fedora-cloud/Fedora-Dockerfiles And here https://admin.fedoraproject.org/pkgdb/package/rpms/fedora-dockerfiles/ On Wed, Sep 14, 2016, 9:56 PM Daniel J Walsh wrote: > Sure, but I have no idea how to? > > On 09/14/2016 12:34 PM, Muayyad AlSadi wrote: > > would you please u

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-14 Thread Daniel J Walsh
Sure, but I have no idea how to? On 09/14/2016 12:34 PM, Muayyad AlSadi wrote: > would you please update this > > https://hub.docker.com/r/fedora/systemd-systemd/ > > > On Wed, Sep 14, 2016 at 4:14 PM, Muayyad AlSadi > wrote: > > Awesome! > > > On Wed, Sep 14, 20

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-14 Thread Muayyad AlSadi
would you please update this https://hub.docker.com/r/fedora/systemd-systemd/ On Wed, Sep 14, 2016 at 4:14 PM, Muayyad AlSadi wrote: > Awesome! > > On Wed, Sep 14, 2016, 3:51 PM Daniel J Walsh wrote: > >> >> On 09/14/2016 05:26 AM, Muayyad AlSadi wrote: >> >> Nice article. >> >> I would like

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-14 Thread Muayyad AlSadi
Awesome! On Wed, Sep 14, 2016, 3:51 PM Daniel J Walsh wrote: > > On 09/14/2016 05:26 AM, Muayyad AlSadi wrote: > > Nice article. > > I would like to stress that docker is intended to be process container not > system container. > > In ideal (aka. fictional unicorn) containers you would have a si

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-14 Thread Daniel J Walsh
On 09/14/2016 05:26 AM, Muayyad AlSadi wrote: > > Nice article. > > I would like to stress that docker is intended to be process container > not system container. > > In ideal (aka. fictional unicorn) containers you would have a single > process. Your start.sh should exec (to replace the shell) th

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-14 Thread Muayyad AlSadi
Nice article. I would like to stress that docker is intended to be process container not system container. In ideal (aka. fictional unicorn) containers you would have a single process. Your start.sh should exec (to replace the shell) the application ("exec node ." or "exec java -jar start.jar")

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-13 Thread Waldemar Augustyn
That is a titanic struggle. Thank you, thank you, thank you. On Tue, 13 Sep 2016 13:55:13 -0400 Daniel J Walsh wrote: > http://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/ > > >

[atomic-devel] systemd as pid 1 in an unprivileged container.

2016-09-13 Thread Daniel J Walsh
http://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/