stage1: execute pre-start/post-stop hooks as privileged #3844
Conversation
Even if we run the container as an unprivileged user. Usually, pre-start and post-stop are used to initialize or shut down a service, and very often this needs privileges.
|
Sounds good but:
|
|
I'll add a test |
|
Apparently this requires #3830 because pre-start hooks don't work with iottymux without it. However the test that fails in Semaphore passes on my laptop 🤔 |
|
There's currently a bug when using iottymux with pre-start hooks, it involves a systemd bug I tried to fix in systemd/systemd#7072 but it needs rework to be merged upstream. That's why the test was failing on Semaphore and passing on my laptop (I was using stage1-src with the systemd fix included). I'll rework my test code so I only add pre-start hooks for that particular test. |
95d04d9 to
9f0437c
Compare
tests/rkt_run_test.go
Outdated
|
|
||
| prestartManifestFile := "prestart-manifest.json" | ||
| if err := ioutil.WriteFile(prestartManifestFile, []byte(prestartManifestStr), 0600); err != nil { | ||
| t.Fatalf("Cannot write noapp manifest: %v", err) |
There was a problem hiding this comment.
copy/paste: this is not a "noapp" manifest
tests/rkt_run_test.go
Outdated
| ctx := testutils.NewRktRunCtx() | ||
| defer ctx.Cleanup() | ||
|
|
||
| rktCmd := fmt.Sprintf("%s --insecure-options=image run --mds-register=false %s", ctx.Cmd(), prestartImage) |
There was a problem hiding this comment.
mds-register is false by default. Could be removed
Does it mean we should not merge this PR until rkt uses a systemd version with a fix? |
It tests that the pre-start hook runs and that it runs as root even when the app itself runs as an unprivileged user.
9f0437c to
01b7478
Compare
No, I changed the tests so we only add a pre-start hook in the new test. Before it was adding the pre-start hook to the default inspect image and causing tests that run with I captured the comment in a new issue #3861 |
Even if we run the container as an unprivileged user.
Usually, pre-start and post-stop are used to initialize or shut down a
service, and very often this needs privileges.