CAP_NET_ADMIN & nginx
Heyo,
I am stuck trying to get my nginx service which is launched via Systemd to give CAP_NET_ADMIN to its workers (required for IP_TRANSPARENT).
I have tried /etc/security/capability.conf & setcap. Systemd has the permission whitelisted:
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SYS_RESOURCE CAP_SETGID CAP_SETUID
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SYS_RESOURCE CAP_SETGID CAP_SETUID
Thoughts? Ideas? Those workers just don't want to play game.
Comments
What are you trying to accomplish? If this is for traffic shaping check this out:
https://forum.nginx.org/read.php?29,255530
What about SELinux?
We are needing CAP_NET_ADMIN at the worker (unprivileged user) level to facilitate usage of IP_TRANSPARENT.
We aren't using it.
Solved after much debugging.
In systemd:
Or using a utility:
Not the perfect solution, but acceptable for now.
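Added example, not part of the thread: one way to check which capability sets of the nginx master and worker processes actually contain CAP_NET_ADMIN is to decode the Cap* masks in /proc/PID/status. The two status excerpts are constructed samples (the master mask matches the five capabilities listed in the unit file above), and the function names are hypothetical.

```shell
#!/bin/sh
# Bit numbers from linux/capability.h
CAP_NET_ADMIN_BIT=12

# mask_has_bit HEXMASK BIT: succeeds if BIT is set in the hex capability mask
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sets_with_cap BIT: reads /proc/PID/status text on stdin and prints the
# names of the capability sets (CapInh CapPrm CapEff CapBnd CapAmb) holding BIT
sets_with_cap() {
    _out=""
    while read -r _name _mask _rest; do
        case $_name in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                if mask_has_bit "$_mask" "$1"; then
                    _out="$_out ${_name%:}"
                fi ;;
        esac
    done
    echo "${_out# }"
}

# Constructed sample: a root master started with the five capabilities above
SAMPLE_MASTER='Name: nginx
Uid: 0 0 0 0
CapInh: 00000000010014c0
CapPrm: 00000000010014c0
CapEff: 00000000010014c0
CapBnd: 00000000010014c0
CapAmb: 00000000010014c0'

# Constructed sample: a worker whose permitted, effective and ambient sets are empty
SAMPLE_WORKER='Name: nginx
Uid: 33 33 33 33
CapInh: 00000000010014c0
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000010014c0
CapAmb: 0000000000000000'

echo "sample master: $(printf '%s\n' "$SAMPLE_MASTER" | sets_with_cap "$CAP_NET_ADMIN_BIT")"
echo "sample worker: $(printf '%s\n' "$SAMPLE_WORKER" | sets_with_cap "$CAP_NET_ADMIN_BIT")"

# Live check: every running nginx process on this host (needs pgrep)
for pid in $(pgrep -x nginx 2>/dev/null); do
    echo "pid $pid: $(sets_with_cap "$CAP_NET_ADMIN_BIT" < "/proc/$pid/status")"
done
```

A worker needs the bit in CapEff for the IP_TRANSPARENT setsockopt to succeed; seeing it only in CapInh or CapBnd means the capability was available to the service but is not held by that process.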