
From: Thomas Weber (x_at_4t2.com)
Date: Wed 07 Aug 2002 - 20:57:41 BST


On Wed, Aug 07, 2002 at 07:35:58PM +0100, John Lyons wrote:
> > > >S_CAPS="CAP_NET_RAW CAP_NET_BIND_SERVICE"
> >
> > I have these set and when I try to start my vservers, i see a
> > message that
> > says:
> >
> > Starting named: capset failed: Operation not permitted
>
> Hopefully this will answer a few problems in one.
>
> 1) You need to have CAP_NET_RAW set in the conf file for the vserver in
> order to have any access to the internet. Without it you won't be able to
> ping anything from within a vserver. I would guess that you won't be able to
> see http/pop etc on the vservers without it hence the fact that someone
> couldn't contact the vservers.

Without CAP_NET_RAW you won't be able to ping because ping needs
full access to the interface, but normal tcp/udp services will work.
Without CAP_NET_RAW, even root in the virtual server won't be able to sniff
your network or do other fancy stuff with your interface - very useful imho.

I run many services (pop3s, imaps, http, https...) on a vserver without
CAP_NET_RAW. In the case of named it won't help either.

> 2) The above error could be because you've got bind running on the host
> server?

the above error could well be because he didn't read the vserver FAQ ;-)
http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=72

  Tom
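
Added example (not part of the original message or of the vserver tools): a small Python check that decodes the capability masks in `/proc/<pid>/status` to confirm whether a process inside a vserver actually holds CAP_NET_RAW or CAP_NET_BIND_SERVICE. The function names and the two sample status excerpts are constructed for illustration; the bit numbers are those in `<linux/capability.h>`.

```python
import re

# Capability bit numbers as defined in <linux/capability.h>
CAP_BITS = {
    "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
}

# Constructed samples: a vserver with only CAP_NET_BIND_SERVICE, and one
# that has been given CAP_NET_RAW as well.
SAMPLE_BIND_ONLY = "Name:\tnamed\nCapInh:\t00000000\nCapPrm:\t00000400\nCapEff:\t00000400\n"
SAMPLE_BIND_AND_RAW = "Name:\tping\nCapInh:\t00000000\nCapPrm:\t00002400\nCapEff:\t00002400\n"


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, ...} from status text."""
    masks = {}
    for m in re.finditer(r"^(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask, name):
    """True if the named capability's bit is set in the mask."""
    return bool((mask >> CAP_BITS[name]) & 1)


def network_abilities(status_text):
    """Map the effective set to what the process may do on the network."""
    masks = parse_cap_masks(status_text)
    if "CapEff" not in masks:
        raise ValueError("no CapEff line found in status text")
    eff = masks["CapEff"]
    return {
        # raw/packet sockets: needed by ping and by sniffers
        "raw_sockets": has_cap(eff, "CAP_NET_RAW"),
        # binding TCP/UDP ports below 1024 (pop3s, imaps, http, https, ...)
        "bind_low_ports": has_cap(eff, "CAP_NET_BIND_SERVICE"),
    }


if __name__ == "__main__":
    # Inside the vserver, inspect the current process.
    with open("/proc/self/status") as fh:
        print(network_abilities(fh.read()))
```

Run as root inside the vserver, `raw_sockets: False` together with `bind_low_ports: True` matches the setup described above: ordinary services can listen, while ping and sniffing are unavailable.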


Generated on Wed 06 Nov 2002 - 07:03:42 GMT by hypermail 2.1.3