On Fri, 2014-10-03 at 14:34 +0000, Serge Hallyn wrote:
> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Thu, 2 Oct 2014 21:26:30 +0000
> > Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> >
> > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > Hi Mike,
> > > >
> > > > I was just wondering what the reason was for choosing to create a
> > > > lxc-dnsmasq user? If I read the dnsmasq man-page right, it will
> > > > normally drop privileges and switch to user 'nobody', so was there
> > > > some reason 'nobody' was a problem?
> > > >
> > > > Just asking as it would be simpler if lxc didn't have to
> > > > create/delete the additional lxc-dnsmasq user in the distro
> > > > packaging. Thanks.
> > >
> > > I suspect this came from me from the original network configuration
> > > for ubuntu. Basically the idea is there'll also be dnsmasq running
> > > for libvirt and for the host, so better to keep those from harming
> > > each other. Libvirt already ran its own under libvirt-dnsmasq, so I
> > > added lxc-dnsmasq along the same lines.
> >
> > Interesting, libvirt on Fedora runs dnsmasq as nobody. Since most
> > everything is specified on the command line (including passing
> > --conf-file= for each libvirt network) I guess there is less worry
> > about them colliding. I agree with Mike that having lxc be consistent
> > across platforms is helpful so we don't have to handle differences in
> > the scripts as much as possible. Was just wanting to make sure we really
> > want to add that user before 1.1 releases, thanks for the explanation.
>
> So how about something like this (untested):
>
> From 5d2eb5a18d020af9ba9a9e2a3de981e9eef0f7e2 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hal...@ubuntu.com>
> Date: Fri, 3 Oct 2014 09:32:16 -0500
> Subject: [PATCH 1/1] lxc-net.in: accommodate lxc-dnsmasq user not existing
> > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> > --- > config/init/common/lxc-net.in | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/config/init/common/lxc-net.in b/config/init/common/lxc-net.in > index c921ab7..cf19df8 100644 > --- a/config/init/common/lxc-net.in > +++ b/config/init/common/lxc-net.in > @@ -68,7 +68,11 @@ start() { > if [ -n "$LXC_DOMAIN" ]; then > LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/" > fi > - dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces > --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} > --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} > --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo > --interface=${LXC_BRIDGE} > --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases > --dhcp-authoritative || cleanup > + dnsuser="" > + if getent passwd lxc-dnsmasq >/dev/null; then > + dnsuser="-u lxc-dnsmasq" > + fi > + dnsmasq $LXC_DOMAIN_ARG $dnsuser --strict-order --bind-interfaces > --pid-file="${varrun}"/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} > --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} > --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo > --interface=${LXC_BRIDGE} > --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases > --dhcp-authoritative || cleanup > touch "${varrun}"/network_up > touch "${lockdir}"/lxc-net > }
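Review bot: In the new `getent passwd lxc-dnsmasq` branch of start(), the fallback is silent and undocumented: when the lookup fails, `$dnsuser` stays empty and dnsmasq is started with no `-u` at all, so it runs as its built-in default user (read earlier in this thread as 'nobody') and shares that account with any other dnsmasq on the host, which is the separation the dedicated user was introduced to provide. A short comment above `dnsuser=""` stating that this is the intended behaviour on distros that do not create the user would record the choice. It is also worth noting in that comment that `$dnsuser` has to stay unquoted on the dnsmasq line so that `-u lxc-dnsmasq` splits into two arguments. Since the patch is posted as untested, both paths (user present, user absent) should be exercised before it is applied.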
I think that would work for me since it's really a difference in the base
distros that we're addressing.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 | http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel