[Nut-upsuser] Running NUT within an unprivileged LXD container?
linus.luessing at c0d3.blue
Mon Jul 18 23:53:36 BST 2022
On Mon, Jul 18, 2022 at 02:29:18AM +0200, Linus Lüssing wrote:
> I'm trying to set up NUT within an unprivileged LXD container.
> So within the container there is its own user namespace with
> a root user with UID 0, which does not actually have overall
> system root rights.
> Both the host and the container run Debian Bullseye.
> NUT is version 2.7.4-13.
Found my issue: I wasn't aware that when /lib/nut/usbhid-ups is
started as root, it drops its user privileges from root to
the "nut" user:
root@nut:~# ps -Af | grep usb
nut 91 1 0 22:10 ? 00:00:02 /lib/nut/usbhid-ups -a apc-back-ups-rs-900g
So I needed to add the "uid" and "gid" attributes here:
$ lxc start nut
[ nut needs to be installed in the container before, so that the user+group "nut"
are available ]
$ lxc config device add nut apcusbhid usb vendorid=051d productid=0002 uid="$(lxc exec nut -- /bin/id -u nut)" gid="$(lxc exec nut -- /bin/id -g nut)"
$ lxc exec nut -- /usr/bin/systemctl enable nut-server
$ lxc restart nut
upsc now returns just fine, with valid values:
$ lxc exec nut -- /usr/bin/upsc apc-back-ups-rs-900g@localhost battery.charge
Init SSL without certificate database
Some more background information from my debugging, especially
the output from strace, can be found here in the forum post:
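Added example, not part of the original message: a POSIX shell check, run inside the container, that looks up the UPS by the vendor and product ids used above and reports whether its device node is read-write for the uid and gid the driver drops to. The function names are made up for this example, and it assumes GNU stat plus the standard sysfs and /dev/bus/usb layout.

```shell
#!/bin/sh
# Added example, not from the original post; function names are made up.
# Assumes GNU stat and the standard sysfs and /dev/bus/usb layout.
# Usage inside the container:
#   check_ups_node 051d 0002 "$(id -u nut)" "$(id -g nut)"

# node_rw_for UID GID NODE
# Succeeds if NODE's owner, group and mode bits grant read+write to UID:GID.
# Supplementary groups, ACLs and capabilities are not considered.
node_rw_for() {
    want_uid=$1; want_gid=$2
    info=$(stat -c '%u %g %a' "$3") || return 2
    set -- $info                 # $1=owner uid, $2=group gid, $3=octal mode
    mode=$((0$3))
    if [ "$want_uid" -eq "$1" ]; then bits=$(( (mode >> 6) & 7 ))
    elif [ "$want_gid" -eq "$2" ]; then bits=$(( (mode >> 3) & 7 ))
    else bits=$(( mode & 7 ))
    fi
    [ $(( bits & 6 )) -eq 6 ]
}

# check_ups_node VENDOR PRODUCT UID GID [SYSROOT] [DEVROOT]
# Returns 0 if every matching device node is read-write for UID:GID,
# 1 if one is not, 3 if no matching device is visible.
check_ups_node() {
    vid=$1; pid=$2; u=$3; g=$4
    sysroot=${5:-/sys/bus/usb/devices}; devroot=${6:-/dev/bus/usb}
    found=0; rc=0
    for d in "$sysroot"/*; do
        [ -r "$d/idVendor" ] || continue
        [ "$(cat "$d/idVendor")" = "$vid" ] || continue
        [ "$(cat "$d/idProduct")" = "$pid" ] || continue
        node=$(printf '%s/%03d/%03d' "$devroot" \
            "$(cat "$d/busnum")" "$(cat "$d/devnum")")
        found=1
        if node_rw_for "$u" "$g" "$node"; then
            echo "OK    $node is read-write for $u:$g"
        else
            echo "FAIL  $node is not read-write for $u:$g"; rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no USB device $vid:$pid visible"; return 3; }
    return "$rc"
}
```

A FAIL line for the UPS corresponds to the situation before the uid and gid attributes were set on the LXD usb device.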