[lxc-devel] lxc-dnsmasq user

Serge Hallyn serge.hallyn at ubuntu.com
Fri Oct 3 14:34:09 UTC 2014


Quoting Dwight Engen (dwight.engen at oracle.com):
> On Thu, 2 Oct 2014 21:26:30 +0000
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> > Quoting Dwight Engen (dwight.engen at oracle.com):
> > > Hi Mike,
> > > 
> > > I was just wondering what the reason was for choosing to create a
> > > lxc-dnsmasq user? If I read the dnsmasq man-page right, it will
> > > normally drop privileges and switch to user 'nobody', so was there
> > > some reason 'nobody' was a problem?
> > > 
> > > Just asking as it would be simpler if lxc didn't have to
> > > create/delete the additional lxc-dnsmasq user in the distro
> > > packaging. Thanks.
> > 
> > I suspect this came from me from the original network configuration
> > for ubuntu.  Basically the idea is there'll also be dnsmasq running
> > for libvirt and for the host, so better to keep those from harming
> > each other.  Libvirt already ran its own under libvirt-dnsmasq, so I
> > added lxc-dnsmasq along the same lines.
> 
> Interesting, libvirt on Fedora runs dnsmasq as nobody. Since most
> everything is specified on the command line (including passing
> --conf-file= for each libvirt network) I guess there is less worry
> about them colliding. I agree with Mike that having lxc be consistent
> across platforms is helpful so we don't have to handle differences in
> the scripts as much as possible. Was just wanting to make sure we really
> want to add that user before 1.1 releases, thanks for the explanation.

So how about something like this (untested):

From 5d2eb5a18d020af9ba9a9e2a3de981e9eef0f7e2 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Fri, 3 Oct 2014 09:32:16 -0500
Subject: [PATCH 1/1] lxc-net.in: accommodate lxc-dnsmasq user not existing

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 config/init/common/lxc-net.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
index c921ab7..cf19df8 100644
--- a/config/init/common/lxc-net.in
+++ b/config/init/common/lxc-net.in
@@ -68,7 +68,11 @@ start() {
     if [ -n "$LXC_DOMAIN" ]; then
         LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
     fi
-    dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
+    dnsuser=""
+    if getent passwd lxc-dnsmasq >/dev/null; then
+        dnsuser="-u lxc-dnsmasq"
+    fi
+    dnsmasq $LXC_DOMAIN_ARG $dnsuser --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
     touch "${varrun}"/network_up
     touch "${lockdir}"/lxc-net
 }
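Review bot: the unquoted `$dnsuser` on the new dnsmasq line is deliberate (it has to word-split into `-u lxc-dnsmasq`, and an empty value has to disappear entirely), but nothing in the hunk says so; a one-line comment above `dnsuser=""` would stop a later cleanup from quoting it and handing dnsmasq a literal empty argument. It would also help to state, in the commit message or that same comment, what the fallback path does: with no `-u`, dnsmasq drops to its default unprivileged user ('nobody' per the man page, as quoted earlier in the thread), so privileges are still dropped, only to an account shared with any other dnsmasq instance on the host, which is exactly the collision concern that motivated the dedicated user.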
-- 
2.1.0
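The same user-selection logic as a stand-alone script, plus the check a host administrator would want afterwards: confirm that the dnsmasq that actually started is running as the intended account. This is an added example written for this thread, not code from lxc-net.in or the patch above; `choose_dns_user`, `process_euid`, `runs_as` and `build_dnsmasq_argv` are names chosen here, and the argument list is only a short stand-in for the real lxc-net.in command line. It assumes a Linux host with `/proc` for the verification step and uses `id -u` as a fallback when `getent` is not installed.

```shell
#!/bin/sh
# Added example (not part of lxc-net.in): choose the unprivileged user for
# dnsmasq the way the patch does, then verify the privilege drop took effect.

# Prefer the dedicated user when it exists; otherwise return an empty string so
# the caller passes no -u and dnsmasq falls back to its default user.
# Hypothetical helper name; getent is tried first, id -u is the fallback.
choose_dns_user() {
    want="$1"
    if getent passwd "$want" >/dev/null 2>&1 || id -u "$want" >/dev/null 2>&1; then
        printf '%s\n' "$want"
    else
        printf '\n'
    fi
}

# Effective uid of a running process (Linux). The Uid: line in
# /proc/PID/status lists real, effective, saved and filesystem uids;
# the effective uid is the second number.
process_euid() {
    pid="$1"
    awk '/^Uid:/ { print $3; exit }' "/proc/$pid/status" 2>/dev/null
}

# Return 0 when process $1 runs with the uid of user $2, 1 otherwise.
# Use this after starting dnsmasq to confirm it is not still root.
runs_as() {
    pid="$1"
    user="$2"
    expected=$(id -u "$user" 2>/dev/null) || return 1
    actual=$(process_euid "$pid") || return 1
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Build the command line as positional parameters rather than by unquoted
# expansion of a "-u user" string: an absent user then contributes no
# arguments at all, and a user name containing spaces cannot be split.
# Prints one argument per line (constructed, abbreviated argument list).
build_dnsmasq_argv() {
    user=$(choose_dns_user "$1")
    set -- dnsmasq --strict-order --bind-interfaces
    if [ -n "$user" ]; then
        set -- "$@" -u "$user"
    fi
    printf '%s\n' "$@"
}

# Usage: show the argv for an existing user and for a missing one.
build_dnsmasq_argv root
build_dnsmasq_argv no-such-user-xyz-12345
```

On the fallback path `build_dnsmasq_argv` emits three arguments instead of five, so nothing downstream ever sees a bare `-u`; the `runs_as` check is what tells you whether the service really ended up as the account you expected rather than as root.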


