[lxc-devel] [lxd/master] lxd/instance/qemu/vm/qemu: Adds -runas flag to qemu
tomponline on Github
lxc-bot at linuxcontainers.org
Thu Dec 12 11:16:05 UTC 2019
From 763f08de9aa24e0f959ec16804bf9de29b0ffcd1 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Thu, 12 Dec 2019 11:12:18 +0000
Subject: [PATCH] lxd/instance/qemu/vm/qemu: Adds -runas flag to qemu
To try and run as either the lxd or nobody user.
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/instance/qemu/vm_qemu.go | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lxd/instance/qemu/vm_qemu.go b/lxd/instance/qemu/vm_qemu.go
index 9643c3247a..88884235ff 100644
--- a/lxd/instance/qemu/vm_qemu.go
+++ b/lxd/instance/qemu/vm_qemu.go
@@ -631,6 +631,18 @@ func (vm *Qemu) Start(stateful bool) error {
"-readconfig", confFile,
"-pidfile", vm.pidFilePath(),
}
+
+ // Attempt to drop privileges.
+ for _, user := range []string{"lxd", "nobody"} {
+ _, err := shared.UserId(user)
+ if err != nil {
+ continue
+ }
+
+ args = append(args, "-runas", user)
+ break
+ }
+
if shared.IsTrue(vm.expandedConfig["limits.memory.hugepages"]) {
args = append(args, "-mem-path", "/dev/hugepages/", "-mem-prealloc")
}
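Review bot: the loop falls through silently when neither the "lxd" nor the "nobody" user resolves, so the VM starts with the QEMU process still running as root and nothing records that the privilege drop was skipped; log a warning (or return an error, if running as root is not acceptable) after the loop when no user was selected, and consider logging which user was chosen when one was. A second point for the same hunk: `confFile` and `vm.pidFilePath()` above are written by LXD, and the hunk shows no ownership or mode adjustment for them or for the instance's disk and socket paths, so a QEMU that switches to "nobody" via `-runas` may be unable to open resources it does not have open at the time it drops privileges; this deserves either a comment explaining why it is safe or a matching permission change. Finally, "nobody" is shared by other unprivileged daemons on the host, so a fallback to it gives weaker isolation than a dedicated user; the commit message should at least state that ordering preference and the trade-off.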