Difference between revisions of "Quagga in VE"
(use proper template in a proper way) |
|||
(2 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Quagga inside a | + | Quagga inside a CT requires 3 Linux capabilities configured for the container on the host node: |
− | vzctl set | + | vzctl set CTID --capability net_admin:on --save |
− | vzctl set | + | vzctl set CTID --capability net_raw:on --save |
− | vzctl set | + | vzctl set CTID --capability sys_admin:on --save |
When they are not configured, you'll see the following symptoms when starting up zebra: | When they are not configured, you'll see the following symptoms when starting up zebra: | ||
Line 19: | Line 19: | ||
exit_group(1) = ? | exit_group(1) = ? | ||
− | + | {{Warning|granting capabilities for a container can have reduced security implications - ensure you fully understand the repercussions of granting any of the above capabilities before using in production.}} | |
[[Category: Networking]] | [[Category: Networking]] |
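Review bot: the wording of the added {{Warning}} line is ambiguous. "can have reduced security implications" reads as if the implications are reduced, and the sentence starts in lower case. Suggest something like "Granting capabilities to a container reduces its isolation from the host node". The warning also covers "any of the above capabilities" without saying what net_admin, net_raw or sys_admin each allow the container to do; one sentence per capability would let the reader judge the repercussions it asks them to understand.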
Latest revision as of 08:59, 19 October 2009
Quagga inside a CT requires 3 Linux capabilities configured for the container on the host node:
 vzctl set CTID --capability net_admin:on --save
 vzctl set CTID --capability net_raw:on --save
 vzctl set CTID --capability sys_admin:on --save
When they are not configured, you'll see the following symptoms when starting up zebra:
 # zebra
 privs_init: initial cap_set_proc failed
And when stracing:
 # strace zebra
 [..]
 capset(0x19980330, 0, {CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, 0}) = -1 EPERM (Operation not permitted)
 write(2, "privs_init: initial cap_set_proc"..., 40privs_init: initial cap_set_proc failed
 ) = 40
 exit_group(1) = ?
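The capset() call above fails with EPERM when the requested capabilities are not in the caller's permitted set. The following check is an added example, not part of the original wiki page or of Quagga or vzctl: it reads the CapPrm mask from a /proc status file and names which of the three capabilities are missing. The function names are hypothetical, and it assumes the kernel exposes a CapPrm line in /proc/PID/status.

```sh
#!/bin/sh
# Added example: report which capabilities requested by zebra are absent
# from a process's permitted set. Helper names are hypothetical.

# Bit numbers as defined in <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# cap_prm_from_status FILE: print the CapPrm hex mask found in FILE.
cap_prm_from_status() {
    awk '$1 == "CapPrm:" { print $2; exit }' "$1"
}

# missing_caps HEXMASK: print the vzctl-style names of the required
# capabilities whose bit is clear in HEXMASK (empty line if none).
missing_caps() {
    [ -n "$1" ] || return 2          # no mask given: nothing to test
    mask=$(( 0x$1 ))
    missing=""
    for pair in net_admin:$CAP_NET_ADMIN net_raw:$CAP_NET_RAW \
                sys_admin:$CAP_SYS_ADMIN; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( ($mask >> $bit) & 1 )) -eq 0 ]; then
            missing="$missing${missing:+ }$name"
        fi
    done
    printf '%s\n' "$missing"
}

# Usage inside the CT, as root: sh check_caps.sh /proc/self/status
if [ $# -eq 1 ] && [ -r "$1" ]; then
    m=$(missing_caps "$(cap_prm_from_status "$1")")
    if [ -n "$m" ]; then
        echo "missing for zebra: $m"
    else
        echo "net_admin, net_raw and sys_admin are all permitted"
    fi
fi
```

Run it from a root shell inside the container before and after the vzctl commands; the names it prints match the ones passed to `--capability`.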