The metadata daemon was previously running as root due to its need to
open port 80 to provide information to instances. To allow the daemon
to run in a more secure way, this patch adds a separate metadata user,
and grants the metad executable the CAP_NET_BIND_SERVICE capability.
As a result, the metadata daemon can use port 80 without having to
acquire the full set of root capabilities and drop it later.

Signed-off-by: Hrvoje Ribicic <firstname.lastname@example.org>
Reviewed-by: Klaus Aehlig <email@example.com>
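
A check an operator could run after deploying this change, as an added example that is not part of the commit or the project's own code: it reads the text of /proc/<pid>/status and reports whether the daemon still runs as root or holds any capability other than CAP_NET_BIND_SERVICE. The two status samples, the UID 998 and the function names are constructed for illustration.

```python
# Added example: audit a daemon's privileges from /proc/<pid>/status text.
CAP_NET_BIND_SERVICE = 10  # capability bit number from linux/capability.h

# Constructed samples: the daemon as root, and as a dedicated user (UID 998
# is an assumption) whose executable carries only CAP_NET_BIND_SERVICE.
ROOT_SAMPLE = ("Name:\tmetad\nUid:\t0\t0\t0\t0\n"
               "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n")
FIXED_SAMPLE = ("Name:\tmetad\nUid:\t998\t998\t998\t998\n"
                "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n")


def parse_status(text):
    """Return the effective UID and capability masks from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return {
        "euid": int(fields["Uid"][1]),  # Uid: real, effective, saved, fs
        "permitted": int(fields["CapPrm"][0], 16),
        "effective": int(fields["CapEff"][0], 16),
    }


def audit(text):
    """List the ways the process exceeds or misses the intended privileges."""
    st = parse_status(text)
    wanted = 1 << CAP_NET_BIND_SERVICE
    findings = []
    if st["euid"] == 0:
        findings.append("runs as root")
    if not st["effective"] & wanted:
        findings.append("lacks CAP_NET_BIND_SERVICE")
    # Anything permitted or effective besides the one bit is excess privilege.
    extra = (st["effective"] | st["permitted"]) & ~wanted
    if extra:
        bits = [str(b) for b in range(64) if (extra >> b) & 1]
        findings.append("extra capability bits: " + ",".join(bits))
    return findings


if __name__ == "__main__":
    for name, sample in (("root", ROOT_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(name, audit(sample) or "ok")
```

On a live host, pass the contents of /proc/<pid>/status for the running daemon to `audit`.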