Running dnsmasq on an openvz container

While compiling and running dnsmasq I came across the following error on one of my VPSes:

# dnsmasq
dnsmasq: setting capabilities failed: Operation not permitted

Apparently it's an openvz capabilities issue, according to this article, and requires the following:

vzctl set CTID --capability setuid:on --save
vzctl set CTID --capability net_admin:on --save
vzctl set CTID --capability net_raw:on --save

My host refused to make the necessary changes. Is it a security hole to enable the option? Which lowend providers enable the option?
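
A quick way to confirm this diagnosis from inside a container, as an added example that is not part of the original post: it decodes the capability bounding set (the `CapBnd` field of `/proc/self/status`) and lists which of the three capabilities named in the vzctl commands are absent. The function names and the two sample masks are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): list which of the capabilities named in
# the vzctl commands are missing from a capability bounding set.

# Bit numbers from <linux/capability.h>.
CAPS="setuid:7 net_admin:12 net_raw:13"

# missing_caps HEXMASK -> names of the capabilities whose bit is clear.
missing_caps() {
    mc_mask=$(( 0x$1 ))
    mc_out=""
    for mc_pair in $CAPS; do
        mc_name=${mc_pair%%:*}
        mc_bit=${mc_pair##*:}
        if [ $(( ($mc_mask >> $mc_bit) & 1 )) -eq 0 ]; then
            mc_out="${mc_out:+$mc_out }$mc_name"
        fi
    done
    printf '%s\n' "$mc_out"
}

# bounding_set -> CapBnd hex mask of the calling process, i.e. the upper limit
# on capabilities any process in this container can hold.
bounding_set() {
    sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status
}

# Constructed sample masks, for illustration only.
FULL_MASK=0000001fffffffff        # capability bits 0-36 all set
RESTRICTED_MASK=00000000ffffcfff  # bits 12 (net_admin) and 13 (net_raw) cleared

echo "sample full:       missing=[$(missing_caps "$FULL_MASK")]"
echo "sample restricted: missing=[$(missing_caps "$RESTRICTED_MASK")]"

# Live check of the environment the script runs in.
if [ -r /proc/self/status ]; then
    live=$(bounding_set)
    if [ -n "$live" ]; then
        echo "this system ($live): missing=[$(missing_caps "$live")]"
    fi
fi
```

An empty list on the live line means the bounding set already contains all three capabilities, so a capabilities failure would have to come from somewhere else.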

Comments

  • When do you get the error?

    During install or after configuration?

  • Droidzone Member
    edited January 2014

    @rmlhhd said:
    When do you get the error?

    During install or after configuration?

    After install, on running dnsmasq without any parameters.

    daemon.log doesn't reveal much:

    Jan 2 16:07:06 ns2 dnsmasq[2132]: setting capabilities failed: Operation not permitted
    Jan 2 16:07:06 ns2 dnsmasq[2132]: FAILED to start up

  • rmlhhd Member
    edited January 2014

    Works for me...

    RamNode -

    Setting up dnsmasq (2.62-3+deb7u1) ...

    [ ok ] Starting DNS forwarder and DHCP server: dnsmasq.

    root@irc:~# service dnsmasq restart

    [ ok ] Restarting DNS forwarder and DHCP server: dnsmasq.

    root@irc:~# service dnsmasq stop

    [ ok ] Stopping DNS forwarder and DHCP server: dnsmasq.

    root@irc:~# service dnsmasq start

    [ ok ] Starting DNS forwarder and DHCP server: dnsmasq.

    root@irc:~#

  • I haven't looked at the actual code, but while reading the description of what dnsmasq is supposed to be I see zero reason why it should need these capabilities to be able to operate.

  • I use Debian 7 and the installation was so easy

    apt-get install dnsmasq

    and to restart or stop is:

    /etc/init.d/dnsmasq restart

    /etc/init.d/dnsmasq stop

  • Droidzone Member
    edited January 2014

    @dedicados said:
    I use Debian 7 and the installation was so easy

    I wasn't having problems installing it. Just to debug, I tried installing from the package as well. However the issue is in starting dnsmasq, and openvz capabilities are documented to be the source of the problems.

    # apt-get install dnsmasq
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
    dbus dnsmasq-base libcap2 libdbus-1-3 libexpat1 libnetfilter-conntrack3 libsystemd-login0
    Suggested packages:
    dbus-x11 resolvconf
    The following NEW packages will be installed:
    dbus dnsmasq dnsmasq-base libcap2 libdbus-1-3 libexpat1 libnetfilter-conntrack3 libsystemd-login0
    0 upgraded, 8 newly installed, 0 to remove and 31 not upgraded.
    Need to get 139 kB/1179 kB of archives.
    After this operation, 2946 kB of additional disk space will be used.
    Do you want to continue [Y/n]?
    Get:1 http://ftp.de.debian.org/debian/ wheezy/main libexpat1 amd64 2.1.0-1+deb7u1 [139 kB]
    Fetched 139 kB in 3s (39.7 kB/s)
    Selecting previously unselected package libcap2:amd64.
    (Reading database ... 17035 files and directories currently installed.)
    Unpacking libcap2:amd64 (from .../libcap2_1%3a2.22-1.2_amd64.deb) ...
    Selecting previously unselected package libdbus-1-3:amd64.
    Unpacking libdbus-1-3:amd64 (from .../libdbus-1-3_1.6.8-1+deb7u1_amd64.deb) ...
    Selecting previously unselected package libexpat1:amd64.
    Unpacking libexpat1:amd64 (from .../libexpat1_2.1.0-1+deb7u1_amd64.deb) ...
    Selecting previously unselected package libnetfilter-conntrack3:amd64.
    Unpacking libnetfilter-conntrack3:amd64 (from .../libnetfilter-conntrack3_1.0.1-1_amd64.deb) ...
    Selecting previously unselected package libsystemd-login0:amd64.
    Unpacking libsystemd-login0:amd64 (from .../libsystemd-login0_44-11+deb7u4_amd64.deb) ...
    Selecting previously unselected package dbus.
    Unpacking dbus (from .../dbus_1.6.8-1+deb7u1_amd64.deb) ...
    Selecting previously unselected package dnsmasq-base.
    Unpacking dnsmasq-base (from .../dnsmasq-base_2.62-3+deb7u1_amd64.deb) ...
    Selecting previously unselected package dnsmasq.
    Unpacking dnsmasq (from .../dnsmasq_2.62-3+deb7u1_all.deb) ...
    Processing triggers for man-db ...
    Setting up libcap2:amd64 (1:2.22-1.2) ...
    Setting up libdbus-1-3:amd64 (1.6.8-1+deb7u1) ...
    Setting up libexpat1:amd64 (2.1.0-1+deb7u1) ...
    Setting up libnetfilter-conntrack3:amd64 (1.0.1-1) ...
    Setting up libsystemd-login0:amd64 (44-11+deb7u4) ...
    Setting up dbus (1.6.8-1+deb7u1) ...
    [ ok ] Starting system message bus: dbus.
    Setting up dnsmasq-base (2.62-3+deb7u1) ...
    Setting up dnsmasq (2.62-3+deb7u1) ...
    [....] Restarting DNS forwarder and DHCP server: dnsmasq
    dnsmasq: setting capabilities failed: Operation not permitted
    failed!
    invoke-rc.d: initscript dnsmasq, action "restart" failed.

  • @joelgm are you running it as root?

  • @INIZ said:
    joelgm are you running it as root?

    Yes, indeed.

  • @joelgm said:

    It should work according to the docs then:
    Q: Dnsmasq fails to start up with a message about capabilities.
    Why did that happen and what can do to fix it?

    A: Change your kernel configuration: either deselect CONFIG_SECURITY
    or select CONFIG_SECURITY_CAPABILITIES. Alternatively, you can
    remove the need to set capabilities by running dnsmasq as root.

  • INIZ said: It should work according to the docs then

    That's why I'm at a loss here. I can't fathom why it doesn't work.

  • @rmlhhd said:
    Works for me...

    RamNode -

    I just bought a Seattle Ramnode and discovered that the capabilities were not available on this one as well! :(

    It did work on a Raidlogic VPS though.

  • rmlhhd Member
    edited January 2014

    @joelgm said:

    Mine was in NL

  • @rmlhhd said:
    Mine was in NL

    I'll request a transfer to NL.

  • Should work then

  • joelgm said: I'll request a transfer to NL.

    Or maybe you can ask them to enable it? RamNode support is usually very helpful...

  • @agonyzt said:
    Or maybe you can ask them to enable it? RamNode support is usually very helpful...

    I've described my scenario and linked them to this thread. I'm hopeful of a positive response.

  • Same issue on GVH - did you get this solved? @Greenvaluehost - care to comment?

  • smansman Member
    edited June 2015

    Old thread I know. I just ran into this myself. Setting it to run as root gets around this. Don't know what implications that has.

    nano /etc/dnsmasq.conf

    listen-address=127.0.0.1
    port=53
    bind-interfaces
    user=root
