From 0dbc953801b26b6133df90df767d15043cbba97c Mon Sep 17 00:00:00 2001
From: Yifeng Xiao
Date: Thu, 3 Jan 2019 17:43:37 +0800
Subject: [PATCH] Run portlayer as un-privileged user
Start portlayer process with vicadmin user and give capabilities of mounting disks and binding a port less than 1024.
---
 isos/appliance/permissions-setup | 5 ++++-
 lib/install/management/appliance.go | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/isos/appliance/permissions-setup b/isos/appliance/permissions-setup
index 1c529c8644..b29456580f 100755
--- a/isos/appliance/permissions-setup
+++ b/isos/appliance/permissions-setup
@@ -2,4 +2,7 @@
 # Allow access to VM uuid for self-reflection
 chmod 444 /sys/devices/virtual/dmi/id/product_serial
-chmod 444 /sys/class/dmi/id/product_serial
\ No newline at end of file
+chmod 444 /sys/class/dmi/id/product_serial
+
+# Give port-layer capabilities to mount image disks and bind 53 port
+setcap cap_net_bind_service,cap_sys_admin=+ep /sbin/port-layer-server
diff --git a/lib/install/management/appliance.go b/lib/install/management/appliance.go
index bec409b888..833d1766b9 100644
--- a/lib/install/management/appliance.go
+++ b/lib/install/management/appliance.go
@@ -673,6 +673,8 @@ func (d *Dispatcher) createAppliance(conf *config.VirtualContainerHostConfigSpec
 )
 cfg := &executor.SessionConfig{
+ User: "vicadmin",
+ Group: "vicadmin",
 Cmd: executor.Cmd{
 Path: "/sbin/port-layer-server",
 Args: []string{
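Review bot: The `setcap` line added to isos/appliance/permissions-setup attaches the capabilities to the file with `+ep`, so every account that can execute /sbin/port-layer-server receives them, not only vicadmin, and cap_sys_admin covers far more than mounting disks. If the binary is world-executable (its mode is not visible in this hunk), restrict it with `chown root:vicadmin /sbin/port-layer-server` and `chmod 750 /sbin/port-layer-server` ahead of the `setcap` line, because a later ownership change drops file capabilities. The result of `setcap` is not checked in the visible lines either, so a failure would leave port-layer running as vicadmin without its mount and bind rights. Appending `|| exit 1` to that line, or verifying with `getcap /sbin/port-layer-server`, would surface this at setup time rather than at the first mount.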
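Review bot: The new `User` and `Group` fields in lib/install/management/appliance.go make port-layer-server depend on the file capabilities applied in isos/appliance/permissions-setup, but nothing at this site records that coupling. A comment above the two fields, such as `// Runs as vicadmin; disk mounts and the low-port bind rely on file capabilities set by isos/appliance/permissions-setup.`, would keep a later change to either file from silently breaking the other. If vicadmin is also the account other appliance services run under (not visible in this hunk), a dedicated account for port-layer would keep files and sockets created by one service out of reach of the other. createAppliance starts and ends outside the hunk.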