[lxc-devel] lxc-dnsmasq user

Dwight Engen dwight.engen at oracle.com
Fri Oct 3 13:34:52 UTC 2014


On Thu, 2 Oct 2014 21:26:30 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > Hi Mike,
> > 
> > I was just wondering what the reason was for choosing to create a
> > lxc-dnsmasq user? If I read the dnsmasq man-page right, it will
> > normally drop privileges and switch to user 'nobody', so was there
> > some reason 'nobody' was a problem?
> > 
> > Just asking as it would be simpler if lxc didn't have to
> > create/delete the additional lxc-dnsmasq user in the distro
> > packaging. Thanks.
> 
> I suspect this came from me from the original network configuration
> for ubuntu.  Basically the idea is there'll also be dnsmasq running
> for libvirt and for the host, so better to keep those from harming
> each other.  Libvirt already ran its own under libvirt-dnsmasq, so I
> added lxc-dnsmasq along the same lines.

Interesting, libvirt on Fedora runs dnsmasq as nobody. Since most
everything is specified on the command line (including passing
--conf-file= for each libvirt network) I guess there is less worry
about them colliding. I agree with Mike that having lxc be consistent
across platforms is helpful so we don't have to handle differences in
the scripts as much as possible. Was just wanting to make sure we really
want to add that user before 1.1 releases, thanks for the explanation.

> I think it'd be fair to have the init scripts check to see if the
> lxc-dnsmasq user exists, and start as user nobody if not.
> 
> -serge
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
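
The fallback Serge suggests above (use lxc-dnsmasq when that account exists, otherwise nobody), sketched as an added example; this is not code from the LXC init scripts or from either poster. The function names are hypothetical. The only dnsmasq option assumed is --user=<username>, which sets the account dnsmasq changes to after startup.

```shell
#!/bin/sh
# Added example: choose the account dnsmasq drops privileges to.
# Function names are hypothetical, not taken from the LXC packaging.

# user_exists NAME: succeed if NAME resolves to an account.
# getent also sees NSS sources such as LDAP; id is the fallback on
# minimal systems that ship without getent.
user_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id -u "$1" >/dev/null 2>&1
    fi
}

# pick_dnsmasq_user [PREFERRED] [FALLBACK]
# Print the dedicated account when present, else the shared fallback.
# Return 1 when neither exists so the caller can refuse to start
# dnsmasq instead of leaving the choice of account to chance.
pick_dnsmasq_user() {
    preferred="${1:-lxc-dnsmasq}"
    fallback="${2:-nobody}"
    if user_exists "$preferred"; then
        printf '%s\n' "$preferred"
    elif user_exists "$fallback"; then
        printf '%s\n' "$fallback"
    else
        return 1
    fi
}

# dnsmasq_user_opt: print the --user option for the chosen account.
dnsmasq_user_opt() {
    user=$(pick_dnsmasq_user "$@") || return 1
    printf -- '--user=%s\n' "$user"
}

# Show what this host would use; an init script would append the
# result to its dnsmasq command line.
dnsmasq_user_opt || echo "no unprivileged account for dnsmasq" >&2
```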


