
On Mon, Jun 26, 2017 at 11:41:00AM +0200, Cédric Bosdonnat wrote:
Users may want to run the init command of a container as a special user / group. This is achieved by adding <inituser> and <initgroup> elements. Note that the user can either provide a name or an ID to specify the user / group to be used.
This commit also fixes a side effect of being able to run the command as a non-root user: the user needs rights on the tty to allow shell job control.
---
 docs/formatdomain.html.in            |  7 +++++
 docs/schemas/domaincommon.rng        | 14 ++++++++++
 src/conf/domain_conf.c               |  9 ++++++
 src/conf/domain_conf.h               |  2 ++
 src/lxc/lxc_container.c              | 52 +++++++++++++++++++++++++++++++++++
 tests/lxcxml2xmldata/lxc-inituser.xml | 31 +++++++++++++++++++++
 tests/lxcxml2xmltest.c               |  1 +
 7 files changed, 116 insertions(+)
 create mode 100644 tests/lxcxml2xmldata/lxc-inituser.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index e79a9d5be..f9a5177e0 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -334,6 +334,11 @@ To set a custom work directory for the init, use the <code>initdir</code> element. </p> + <p> + To run the init command as a given user or group, use the <code>inituser</code> + or <code>initgroup</code> elements respectively. Both elements can be provided + either a user (resp. group) id or a name. + </p>
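Review bot: the added paragraph in formatdomain.html.in leaves the name/id precedence undocumented, which matters because a purely numeric value that also exists as an account name resolves to that account rather than to the id; the text should state that a leading '+' forces the value to be treated as a numeric UID/GID and that without it a numeric value is first tried as a name. The sentence "Both elements can be provided either a user (resp. group) id or a name." also reads awkwardly; suggest "Both elements accept either a user (respectively group) name or a numeric id; prefix the value with '+' to force it to be treated as an id."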
Should mention that you can prefix the user/group with a '+' to force it to be treated as a numeric UID/GID. Without a '+' the numeric value will first be tried as a username.

If that is noted, then

Reviewed-by: Daniel P. Berrange <berrange@redhat.com>

Regards,
Daniel

--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
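The name-versus-id resolution rule that the commit message and the review describe, as an added example that is not libvirt's own code: a leading '+' forces numeric parsing, otherwise the value is tried as an account name before being read as a raw id. The passwd table is constructed for the example and stands in for getpwnam() so it runs offline; it deliberately contains an account literally named "1000" to show why the prefix exists.

```c
/* Added example, not libvirt code: resolve an <inituser> / <initgroup>
 * value with the rule stated in the review. The table below is a constructed
 * stand-in for getpwnam(); the account named "1000" has id 4242, so the bare
 * value "1000" resolves to 4242 while "+1000" resolves to 1000. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

struct fake_pw { const char *name; long id; };

static const struct fake_pw passwd_table[] = {
    { "root", 0 }, { "app", 1000 }, { "1000", 4242 },
};

/* Look a name up in the constructed table; -1 when absent. */
static long lookup_name(const char *name) {
    for (size_t i = 0; i < sizeof passwd_table / sizeof passwd_table[0]; i++)
        if (strcmp(passwd_table[i].name, name) == 0)
            return passwd_table[i].id;
    return -1;
}

/* Strict decimal parse: digits only, no sign, no whitespace, no trailing
 * junk, and the value must fit the id range used here (0..INT_MAX). */
static long parse_numeric(const char *s) {
    char *end;
    unsigned long v;
    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (*end != '\0' || errno != 0 || v > INT_MAX)
        return -1;
    return (long)v;
}

/* Returns the resolved id, or -1 if the value cannot be resolved. */
long resolve_init_id(const char *value) {
    long id;
    if (value[0] == '+')
        return parse_numeric(value + 1);  /* '+': numeric only, never a name */
    id = lookup_name(value);
    if (id >= 0)
        return id;                        /* an existing account name wins */
    return parse_numeric(value);          /* fall back to a raw numeric id */
}
```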