flatcar-linux-update-operator

Document how to run update-agent as non-root user

Open invidian opened this issue 5 years ago • 2 comments

Currently, update-agent runs as root and we have not documented why.

While investigating #13, I found that the following needs to be done to be able to run it as a non-root user:

  • Create the /etc/polkit-1/rules.d/60-noreboot_norestart.rules file with the following content:

```javascript
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions") {
        if (subject.isInGroup("core")) {
            return polkit.Result.YES;
        } else {
            return polkit.Result.AUTH_ADMIN;
        }
    }
});
```

  • Create the /etc/dbus-1/system.d/reboot.conf file with the following content:

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="65534">
    <allow own="com.coreos.update1"/>
    <allow send_destination="com.coreos.update1"/>
    <allow send_interface="com.coreos.update1.Manager"/>
  </policy>

  <policy at_console="true">
    <allow send_destination="com.coreos.update1"/>
  </policy>

  <policy context="default">
    <deny send_destination="com.coreos.update1"/>
  </policy>

</busconfig>
```

  • Make sure that the UID, groups, etc. match in the examples above.
  • Modify the DaemonSet to run as the user referenced in the host configuration.

See also coreos/container-linux-update-operator#74.

invidian, Jan 14 '20 15:01

I'm not sure if it is desired to have 65534 (nobody) be able to reboot.

pothos, Jan 14 '20 16:01

> I'm not sure if it is desired to have 65534 (nobody) be able to reboot.

Agreed. Perhaps there should be a dedicated user created on the host OS, which is only allowed to reboot and has no other capabilities.

invidian, Jan 14 '20 16:01
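
An added example, not part of the issue or the project's code: a consistency check for the "make sure that the UID and groups match" step, also flagging the `nobody` concern raised in the comments. It assumes polkit resolves `subject.isInGroup` from the host's passwd/group data for the caller's UID; the passwd and group contents are constructed samples and `audit` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Host files from the issue (rule condensed, D-Bus policy trimmed to the user policy).
POLKIT_RULE = '''polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions") {
        if (subject.isInGroup("core")) { return polkit.Result.YES; }
        else { return polkit.Result.AUTH_ADMIN; }
    }
});'''
DBUS_POLICY = '''<busconfig>
  <policy user="65534">
    <allow own="com.coreos.update1"/>
    <allow send_destination="com.coreos.update1"/>
    <allow send_interface="com.coreos.update1.Manager"/>
  </policy>
</busconfig>'''
# Constructed sample host account data (not from the issue).
PASSWD = "core:x:500:500::/home/core:/bin/bash\nnobody:x:65534:65534::/:/sbin/nologin\n"
GROUP = "core:x:500:\nnobody:x:65534:\n"

def audit(run_as_user, polkit_rule=POLKIT_RULE, dbus_policy=DBUS_POLICY,
          passwd=PASSWD, group=GROUP):
    """Return findings for a DaemonSet whose pod sets runAsUser=run_as_user."""
    users = {int(f[2]): (f[0], int(f[3])) for f in
             (l.split(":") for l in passwd.splitlines() if l)}
    groups = {f[0]: (int(f[2]), f[3].split(",")) for f in
              (l.split(":") for l in group.splitlines() if l)}
    if run_as_user not in users:
        return [f"UID {run_as_user} has no entry in the host passwd data"]
    name, primary_gid = users[run_as_user]
    findings = []
    # D-Bus: a <policy user=...> containing <allow> rules must name this account.
    allowed = {p.get("user") for p in ET.fromstring(dbus_policy).iter("policy")
               if p.get("user") and p.find("allow") is not None}
    if not allowed & {str(run_as_user), name}:
        findings.append(f"no D-Bus <policy user> for {name} ({run_as_user})")
    # polkit: the account must belong to a group named in an isInGroup() check.
    wanted = re.findall(r'subject\.isInGroup\("([^"]+)"\)', polkit_rule)
    member = any(g in groups and (groups[g][0] == primary_gid or name in groups[g][1])
                 for g in wanted)
    if not member:
        findings.append(f"{name} is in none of {wanted}: reboot needs admin auth")
    if name == "nobody":
        findings.append("nobody is a shared account; prefer a dedicated user")
    return findings
```

With the sample host data, `audit(65534)` reports that `nobody` is covered by the D-Bus policy but is not in the `core` group the polkit rule checks, while `audit(500)` reports the opposite gap.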