[lxc-users] CAP_SETFCAP effective capability
mxs kolo
kolomaxes at gmail.com
Thu Jul 31 08:26:22 UTC 2014
On 7/30/14, István Király <LaKing at d250.hu> wrote:
> Hi folks, ..
>
> I'm trying to figure out what the proper method will be to use node.js as
> a web server.
> The problem is that node, when run as a user, cannot bind to port 80, or
> ports lower than 1024.
>
> I would like to give the container permission to bind node to port 80, and
> eventually 443.
>
> [root at dev node-project]# setcap cap_net_bind_service=+ep /usr/bin/node
> unable to set CAP_SETFCAP effective capability: Operation not permitted
In the common or personal LXC config, check the allowed capabilities:
1) [root]# grep include /var/lib/lxc/LXC_NAME/config
lxc.include = /usr/share/lxc/config/centos.common.conf
2) [root]# grep -r lxc.cap.drop /usr/share/lxc/config/centos.common.conf
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
Remove setfcap from lxc.cap.drop.
Be sure that /usr/share/lxc/config/centos.common.conf does not include
another include:
# grep include /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/common.conf
Check all include chains for lxc.cap.drop if needed.
Restart the container.
Test:
# setcap 'cap_net_bind_service=+ep' /www/splunk/bin/splunkd
# getcap /www/splunk/bin/splunkd
/www/splunk/bin/splunkd = cap_net_bind_service+ep
As a variant, you can set and check capabilities from the hardware node.
Get access to the container rootfs; in case of LVM, mount the device:
# mount /dev/data/splunk /media
Check, unset, check and set again:
[root at node01 mkozin]# setcap 'cap_net_bind_service=-ep' /media/www/splunk/bin/splunkd
[root at node01 mkozin]# getcap /media/www/splunk/bin/splunkd
/media/www/splunk/bin/splunkd =
[root at node01 mkozin]# setcap 'cap_net_bind_service=+ep' /media/www/splunk/bin/splunkd
[root at node01 mkozin]# getcap /media/www/splunk/bin/splunkd
/media/www/splunk/bin/splunkd = cap_net_bind_service+ep
After a restart the cap stays in place:
# lxc_ctl restart splunk (some kind of wrapper to lxc-stop/start)
# getcap /media/www/splunk/bin/splunkd
/media/www/splunk/bin/splunkd = cap_net_bind_service+ep
b.r.
Maxim Kozin
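The include-chain check described above, as an added example that is not part of the original post: a small POSIX sh script that follows every lxc.include line from a container config, lists the lxc.cap.drop entries that are actually in force (commented-out ones skipped), reports whether a given capability such as setfcap is dropped, and removes it from a config file. It runs against constructed sample files in a temp directory, not the real /var/lib/lxc or /usr/share/lxc/config paths.

```shell
#!/bin/sh
# Added example, not code from the original post: walk an LXC config's
# lxc.include chain, list every active lxc.cap.drop entry, and tell
# whether a given capability (e.g. setfcap) is dropped somewhere in it.
set -eu

# Print the active lxc.cap.drop values reachable from config $1, one per
# line, following lxc.include lines recursively. Commented-out entries
# ("# lxc.cap.drop = ...") are inert and skipped; trailing comments cut.
lxc_effective_cap_drop() {
    [ -r "$1" ] || return 0
    grep -E '^[[:space:]]*lxc\.include[[:space:]]*=' "$1" \
        | sed -E 's/^[^=]*=[[:space:]]*//' \
        | while read -r inc; do lxc_effective_cap_drop "$inc"; done
    grep -E '^[[:space:]]*lxc\.cap\.drop[[:space:]]*=' "$1" \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/#.*//' \
        | tr ' ' '\n' | grep -v '^$' || true
}

# Exit 0 when capability $2 is dropped anywhere in the chain of $1.
lxc_cap_is_dropped() {
    lxc_effective_cap_drop "$1" | grep -qx "$2"
}

# Remove capability $2 from the lxc.cap.drop lines of file $1 (the
# "remove setfcap from lxc.cap.drop" step), keeping the other caps.
lxc_undrop_cap() {
    tmp=$(mktemp)
    sed -E "/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=/ s/(^|[[:space:]])$2([[:space:]]|\$)/\1/" \
        "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed sample chain mirroring the post's layout (temp files, not
# the real /var/lib/lxc or /usr/share/lxc/config paths).
DEMO=$(mktemp -d)
printf 'lxc.cap.drop = mac_admin mac_override\n' > "$DEMO/common.conf"
cat > "$DEMO/centos.common.conf" <<EOF
lxc.include = $DEMO/common.conf
# lxc.cap.drop = net_raw # breaks dhcp/ping
lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
EOF
printf 'lxc.include = %s/centos.common.conf\nlxc.cap.drop = sys_module\n' \
    "$DEMO" > "$DEMO/config"

echo "effective lxc.cap.drop chain for $DEMO/config:"
lxc_effective_cap_drop "$DEMO/config"
if lxc_cap_is_dropped "$DEMO/config" setfcap; then
    echo "setfcap is dropped: setcap inside the container will fail"
fi
```

The host-side route the post also describes (setcap on the mounted rootfs from the hardware node) avoids re-enabling setfcap inside the container at all, which keeps the container unable to add file capabilities to other binaries.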