Run portlayer as un-privileged user

Start portlayer process with vicadmin user and give cap_sys_admin
capability to it.

Author: DanielXiao

isos/appliance.sh

@@ -127,6 +127,9 @@ cp ${BIN}/vic-init $(rootfs_dir $PKGDIR)/sbin/vic-init
 cp ${BIN}/{docker-engine-server,port-layer-server,vicadmin} $(rootfs_dir $PKGDIR)/sbin/
 cp ${BIN}/unpack $(rootfs_dir $PKGDIR)/bin/
 
+# give port-layer-server privilege to mount image disks
+chroot $(rootfs_dir $PKGDIR) setcap cap_sys_admin=+ep /sbin/port-layer-server
+
 # Generate the ISO
 # Select systemd for our init process
 generate_iso $PKGDIR $BIN/appliance.iso /lib/systemd/systemd

lib/install/management/appliance.go

@@ -673,6 +673,8 @@ func (d *Dispatcher) createAppliance(conf *config.VirtualContainerHostConfigSpec
 	)
 
 	cfg := &executor.SessionConfig{
+		User:    "vicadmin",
+		Group:   "vicadmin",
 		Cmd: executor.Cmd{
 			Path: "/sbin/port-layer-server",
 			Args: []string{