FS#74558 - [minio] optionally set capabilities for unprivileged containers
Attached to Project:
Community Packages
Opened by Stuart Cardall (itoffshore) - Monday, 25 April 2022, 20:11 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Friday, 30 December 2022, 08:57 GMT
Opened by Stuart Cardall (itoffshore) - Monday, 25 April 2022, 20:11 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Friday, 30 December 2022, 08:57 GMT
|
Details
Description: Improvement: optionally set capabilities for
unprivileged containers (in post-install)
Additional info: When minio is run in an unprivileged LXD container the following needs to be set to run the service as the unprivileged minio user: setcap cap_net_bind_service=+ep /usr/bin/minio this could be set in a post-install script if a uid mapping is detected: ------------------------------------------------------------------------ #!/bin/sh uid_map=$(head -1 /proc/self/uid_map) host_uid=$(echo $uid_map | awk '{print $1}') ctr_uid=$(echo $uid_map | awk '{print $2}') if [ $host_uid -ne $ctr_uid ]; then setcap cap_net_bind_service=+ep /usr/bin/minio fi -------------------------------------------------- I've attached a screenshot showing the uid_map of an Arch LXD container & a bare metal Arch system. |
This task depends upon
Closed by Sven-Hendrik Haase (Svenstaro)
Friday, 30 December 2022, 08:57 GMT
Reason for closing: No response
Additional comments about closing: Feel free to request to reopen if there's still interest from your side. I want to make sure this change makes sense for the distribution but currently I don't really think this should be done in the suggested way.
Friday, 30 December 2022, 08:57 GMT
Reason for closing: No response
Additional comments about closing: Feel free to request to reopen if there's still interest from your side. I want to make sure this change makes sense for the distribution but currently I don't really think this should be done in the suggested way.
I'll leave this open for discussion, maybe I'm misunderstanding something here.