[lxc-devel] lxc-dnsmasq user
Michael H. Warfield
mhw at WittsEnd.com
Fri Oct 3 14:54:13 UTC 2014
On Fri, 2014-10-03 at 14:34 +0000, Serge Hallyn wrote:
> Quoting Dwight Engen (dwight.engen at oracle.com):
> > On Thu, 2 Oct 2014 21:26:30 +0000
> > Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >
> > > Quoting Dwight Engen (dwight.engen at oracle.com):
> > > > Hi Mike,
> > > >
> > > > I was just wondering what the reason was for choosing to create a
> > > > lxc-dnsmasq user? If I read the dnsmasq man-page right, it will
> > > > normally drop privileges and switch to user 'nobody', so was there
> > > > some reason 'nobody' was a problem?
> > > >
> > > > Just asking as it would be simpler if lxc didn't have to
> > > > create/delete the additional lxc-dnsmasq user in the distro
> > > > packaging. Thanks.
> > >
> > > I suspect this came from me from the original network configuration
> > > for ubuntu. Basically the idea is there'll also be dnsmasq running
> > > for libvirt and for the host, so better to keep those from harming
> > > each other. Libvirt already ran its own under libvirt-dnsmasq, so I
> > > added lxc-dnsmasq along the same lines.
> >
> > Interesting, libvirt on Fedora runs dnsmasq as nobody. Since most
> > everything is specified on the command line (including passing
> > --conf-file= for each libvirt network) I guess there is less worry
> > about them colliding. I agree with Mike that having lxc be consistent
> > across platforms is helpful so we don't have to handle differences in
> > the scripts as much as possible. Was just wanting to make sure we really
> > want to add that user before 1.1 releases, thanks for the explanation.
>
> So how about something like this (untested):
>
> From 5d2eb5a18d020af9ba9a9e2a3de981e9eef0f7e2 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> Date: Fri, 3 Oct 2014 09:32:16 -0500
> Subject: [PATCH 1/1] lxc-net.in: accommodate lxc-dnsmasq user not existing
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/init/common/lxc-net.in | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in
> index c921ab7..cf19df8 100644
> --- a/config/init/common/lxc-net.in
> +++ b/config/init/common/lxc-net.in
> @@ -68,7 +68,11 @@ start() {
> if [ -n "$LXC_DOMAIN" ]; then
> LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
> fi
> - dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
> + dnsuser=""
> + if getent passwd lxc-dnsmasq >/dev/null; then
> + dnsuser="-u lxc-dnsmasq"
> + fi
> + dnsmasq $LXC_DOMAIN_ARG $dnsuser --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
> touch "${varrun}"/network_up
> touch "${lockdir}"/lxc-net
> }
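Review bot: in the new `if getent passwd lxc-dnsmasq >/dev/null; then` block, the failure case is silent. When the account is missing, or when `getent` itself is unavailable and the test fails for that reason, `dnsuser` stays empty and dnsmasq starts under its own default user, which per the man-page reading earlier in this thread is `nobody`. That gives up the separation from the libvirt and host dnsmasq instances that the dedicated user was added for, and nothing tells the administrator it happened. Suggest an else branch that prints a one-line warning so the fallback is visible, plus a short comment above `dnsuser=""` noting that `$dnsuser` is left unquoted on the dnsmasq line on purpose so it splits into `-u` and the user name.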
I think that would work for me since it's really a difference in the base
distros that we're addressing.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!