Difference between revisions of "Quagga in VE"
(New page: Quagga inside a VE requires 3 Linux capabilities configured for the container on the hostnode: vzctl set 24 --capability net_admin:on --save vzctl set 24 --capability net_raw:on --save ...) |
|||
| Line 1: | Line 1: | ||
Quagga inside a VE requires 3 Linux capabilities configured for the container on the hostnode: | Quagga inside a VE requires 3 Linux capabilities configured for the container on the hostnode: | ||
| − | vzctl set | + | vzctl set <id> --capability net_admin:on --save |
| − | vzctl set | + | vzctl set <id> --capability net_raw:on --save |
| − | vzctl set | + | vzctl set <id> --capability sys_admin:on --save |
When they are not configured, you'll see the following symptoms when starting up zebra: | When they are not configured, you'll see the following symptoms when starting up zebra: | ||
Revision as of 00:27, 18 October 2009
Quagga inside a VE requires 3 Linux capabilities configured for the container on the hostnode:
vzctl set <id> --capability net_admin:on --save vzctl set <id> --capability net_raw:on --save vzctl set <id> --capability sys_admin:on --save
When they are not configured, you'll see the following symptoms when starting up zebra:
# zebra privs_init: initial cap_set_proc failed
And when stracing:
# strace zebra
[..]
capset(0x19980330, 0, {CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, 0}) = -1 EPERM (Operation not permitted)
write(2, "privs_init: initial cap_set_proc"..., 40privs_init: initial cap_set_proc failed
) = 40
exit_group(1) = ?
Note: granting capabilities for a container can have reduced security implications - ensure you fully understand the repercussions of granting any of the above capabilities before using in production.
