Run portlayer as un-privileged user

DanielXiao · DanielXiao · commit 0dbc953801b2 · 2019-01-04T10:34:35.000+08:00
Start portlayer process with vicadmin user and give capabilities of
mounting disks and binding a port less than 1024.
diff --git a/isos/appliance/permissions-setup b/isos/appliance/permissions-setup
@@ -2,4 +2,7 @@
 
 # Allow access to VM uuid for self-reflection
 chmod 444 /sys/devices/virtual/dmi/id/product_serial
-chmod 444 /sys/class/dmi/id/product_serial
+chmod 444 /sys/class/dmi/id/product_serial
+
+# Give port-layer capabilities to mount image disks and bind 53 port
+setcap cap_net_bind_service,cap_sys_admin=+ep /sbin/port-layer-server
diff --git a/lib/install/management/appliance.go b/lib/install/management/appliance.go
@@ -673,6 +673,8 @@ func (d *Dispatcher) createAppliance(conf *config.VirtualContainerHostConfigSpec
 	)
 
 	cfg := &executor.SessionConfig{
+		User:    "vicadmin",
+		Group:   "vicadmin",
 		Cmd: executor.Cmd{
 			Path: "/sbin/port-layer-server",
 			Args: []string{

Original file line number	Diff line number	Diff line change
`@@ -673,6 +673,8 @@ func (d Dispatcher) createAppliance(conf config.VirtualContainerHostConfigSpec`
`673`	`673`	`)`
`674`	`674`
`675`	`675`	`cfg := &executor.SessionConfig{`
	`676`	`+ User: "vicadmin",`
	`677`	`+ Group: "vicadmin",`
`676`	`678`	`Cmd: executor.Cmd{`
`677`	`679`	`Path: "/sbin/port-layer-server",`
`678`	`680`	`Args: []string{`