From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Thu 08 Aug 2002 - 00:15:43 BST
On Wed, 7 Aug 2002 19:35:58 -0500, John Lyons wrote
> > > >S_CAPS="CAP_NET_RAW CAP_NET_BIND_SERVICE"
> >
> > I have these set and when I try to start my vservers, I see a
> > message that says:
> >
> > Starting named: capset failed: Operation not permitted
>
> Hopefully this will answer a few problems in one.
>
> 1) You need to have CAP_NET_RAW set in the conf file for the vserver in
> order to have any access to the internet. Without it you won't be able to
> ping anything from within a vserver. I would guess that you won't be able to
> see http/pop etc on the vservers without it hence the fact that someone
> couldn't contact the vservers.
CAP_NET_RAW controls the ability to send raw packets. Ping uses this.
But answering ping requests is handled by the kernel completely independently
from the vserver concept. So even if a vserver does not have CAP_NET_RAW,
it is still pingable.
So a vserver handling any IP traffic does not need CAP_NET_RAW to operate.
Losing ping ability is a little annoying, but no service relies on that to
operate.
To operate bind, you need CAP_SYS_RESOURCE because bind is trying
to raise some of its ulimits (even if it has plenty). No one, except vserver
users, is running with lower capabilities. The capability system in standard Linux
is not complete and it is not possible to create an environment (context)
where some capabilities are removed. The vserver project handles this.
All this to say that the bind developers simply can't tell they have a glitch.
Anyway it's in the FAQ :-)
---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
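The mechanism Jacques describes above (a daemon failing with "Operation not permitted" because it tries to raise a resource limit without CAP_SYS_RESOURCE) can be reproduced with a small program. This is an added example, not code from the thread or from the vserver project; it assumes Linux and uses only the raw capget(2) syscall and setrlimit(2), with no libcap dependency. The function names has_cap_sys_resource and try_raise_hard_nofile are hypothetical.

```c
/* Added example (not from the original mail thread): demonstrates that a
 * process lacking CAP_SYS_RESOURCE cannot raise a hard resource limit and
 * gets EPERM from the kernel, the same class of failure the mail attributes
 * to bind raising its ulimits inside a reduced-capability vserver context.
 * Assumes Linux; no libcap, just the raw capget(2) syscall. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Return 1 if the calling thread has CAP_SYS_RESOURCE in its effective set,
 * 0 if it does not, -1 if capget(2) itself failed. */
int has_cap_sys_resource(void) {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];   /* v3 needs two 32-bit words */

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                              /* 0 = the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;

    /* CAP_SYS_RESOURCE (24) lives in word 0; CAP_TO_INDEX/CAP_TO_MASK come
     * from linux/capability.h and select the word and the bit. */
    return (data[CAP_TO_INDEX(CAP_SYS_RESOURCE)].effective
            & CAP_TO_MASK(CAP_SYS_RESOURCE)) ? 1 : 0;
}

/* Try to raise the hard RLIMIT_NOFILE ceiling by one, the way a daemon
 * "raising its ulimits" would. Returns 0 on success or the errno reported by
 * the kernel. Raising a hard limit above its current value requires
 * CAP_SYS_RESOURCE, so an unprivileged process gets EPERM here. */
int try_raise_hard_nofile(void) {
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return errno;
    if (rl.rlim_max == RLIM_INFINITY)
        return 0;                             /* nothing to raise */
    rl.rlim_max += 1;                         /* one above the current ceiling */
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
        return errno;
    return 0;
}

int main(void) {
    int cap = has_cap_sys_resource();
    int r = try_raise_hard_nofile();

    printf("CAP_SYS_RESOURCE in effective set: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown (capget failed)");
    if (r == 0)
        printf("raising hard RLIMIT_NOFILE: ok\n");
    else
        printf("raising hard RLIMIT_NOFILE: %s\n", strerror(r));
    return 0;
}
```

Run it once as an ordinary user and once with CAP_SYS_RESOURCE (for example as root) to see the two outcomes; the EPERM case is exactly what a capability-restricted context produces for any daemon that insists on raising its own limits at startup, even when the existing limits are already sufficient.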