podman-OpenFile demo: using `OpenFile=/home/test/sockdir/sock` to give a container process access to a unix socket #18126

eriksjolund · 2023-04-09T18:46:35Z

eriksjolund
Apr 9, 2023

The systemd directive OpenFile= was introduced in systemd 253 (released 15 February 2023).

I created a demo

https://github.com/eriksjolund/podman-OpenFile

that deals with this situation:

Problem: A container process does not have file permissions to access the UNIX socket that a web server listens on.

Solution: Start the container with

systemd-run
  --quiet \
  --property OpenFile=$HOME/sockdir/sock:fdnametest \
  --user \
  --collect \
  --pipe \
  --wait \
  podman \
    run \
    --rm \
    --user 65534:65534 \
    localhost/demo /demo http://localhost

so that systemd connects to the UNIX socket. The container process inherits the established socket.

Previous discussion: #17789

rhatdan · 2023-04-10T20:09:35Z

rhatdan
Apr 10, 2023
Maintainer

You need to translate this into a Blog.

I would think SELinux would block this access, BTW.

1 reply

eriksjolund Apr 21, 2023
Author

Good idea, I should translate it to a blog.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

podman-OpenFile demo: using `OpenFile=/home/test/sockdir/sock` to give a container process access to a unix socket #18126

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

podman-OpenFile demo: using OpenFile=/home/test/sockdir/sock to give a container process access to a unix socket #18126

eriksjolund Apr 9, 2023

Replies: 1 comment · 1 reply

rhatdan Apr 10, 2023 Maintainer

eriksjolund Apr 21, 2023 Author

podman-OpenFile demo: using `OpenFile=/home/test/sockdir/sock` to give a container process access to a unix socket #18126

eriksjolund
Apr 9, 2023

Replies: 1 comment 1 reply

rhatdan
Apr 10, 2023
Maintainer

eriksjolund Apr 21, 2023
Author