The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6604
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === To try and run as either lxd or nobody user. **Note: Do not merge this right now, it is known broken!** Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
From 763f08de9aa24e0f959ec16804bf9de29b0ffcd1 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Thu, 12 Dec 2019 11:12:18 +0000
Subject: [PATCH] lxd/instance/qemu/vm/qemu: Adds -runas flag to qemu

To try and run as either lxd or nobody user.

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 lxd/instance/qemu/vm_qemu.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lxd/instance/qemu/vm_qemu.go b/lxd/instance/qemu/vm_qemu.go
index 9643c3247a..88884235ff 100644
--- a/lxd/instance/qemu/vm_qemu.go
+++ b/lxd/instance/qemu/vm_qemu.go
@@ -631,6 +631,18 @@ func (vm *Qemu) Start(stateful bool) error {
 		"-readconfig", confFile,
 		"-pidfile", vm.pidFilePath(),
 	}
+
+	// Attempt to drop privileges.
+	for _, user := range []string{"lxd", "nobody"} {
+		_, err := shared.UserId(user)
+		if err != nil {
+			continue
+		}
+
+		args = append(args, "-runas", user)
+		break
+	}
+
 	if shared.IsTrue(vm.expandedConfig["limits.memory.hugepages"]) {
 		args = append(args, "-mem-path", "/dev/hugepages/", "-mem-prealloc")
 	}
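Review bot: When neither `lxd` nor `nobody` resolves, the loop falls through without appending `-runas` and the VM silently keeps the daemon's privileges; that path deserves at least a logged warning so an operator can tell from the logs whether a guest is running with reduced privileges or not. The `shared.UserId` check only confirms the account exists — QEMU's `-runas` drops privileges only when the process starts as root, so on a daemon that is not running as root the flag makes QEMU fail to start rather than run as that user; a comment such as `// -runas only takes effect when QEMU starts as root; nothing is appended if neither account exists.` would make the assumption explicit. `nobody` is also shared with any other service on the host that uses it, so a dedicated account gives stronger isolation than falling back to it, though that is a design choice rather than a defect in the hunk. The enclosing Start method begins and continues outside the hunk.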