podman-OpenFile demo: using OpenFile=/home/test/sockdir/sock to give a container process access to a unix socket

[eriksjolund]

The systemd directive OpenFile= was introduced in systemd 253 (released 15 February 2023).

I created a demo

https://github.com/eriksjolund/podman-OpenFile

that deals with this situation:

Problem: A container process does not have file permissions to access the UNIX socket that a web server listens on.

Solution: Start the container with

systemd-run
  --quiet \
  --property OpenFile=$HOME/sockdir/sock:fdnametest \
  --user \
  --collect \
  --pipe \
  --wait \
  podman \
    run \
    --rm \
    --user 65534:65534 \
    localhost/demo /demo http://localhost

so that systemd connects to the UNIX socket. The container process inherits the established socket.

Previous discussion: #17789

[rhatdan]

You need to translate this into a Blog.

I would think SELinux would block this access, BTW.

[eriksjolund]

Good idea, I should translate it to a blog.