Quagga inside a VE requires three Linux capabilities to be configured for the container on the host node:
 vzctl set 24 --capability net_admin:on --save
 vzctl set 24 --capability net_raw:on --save
 vzctl set 24 --capability sys_admin:on --save
When they are not configured, you'll see the following symptoms when starting up zebra:
 # zebra
 privs_init: initial cap_set_proc failed
And when stracing:
 # strace zebra
 [..]
 capset(0x19980330, 0, {CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, 0}) = -1 EPERM (Operation not permitted)
 write(2, "privs_init: initial cap_set_proc"..., 40privs_init: initial cap_set_proc failed
 ) = 40
 exit_group(1) = ?
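A quick check to run as root inside the container before starting zebra (an added example, not part of the original page): because capset() can only keep capabilities that are already in the caller's permitted set, it reads CapPrm from /proc/self/status and reports which of the three are missing. It assumes the kernel exposes a CapPrm line there; the function names and the <CTID> placeholder are illustrative.

```shell
#!/bin/sh
# Added example. Capability bit numbers are from <linux/capability.h>.
REQUIRED="net_admin:12 net_raw:13 sys_admin:21"

# missing_caps HEXMASK: print the required capabilities whose bit is clear
# in HEXMASK, space separated. Empty output means nothing is missing.
missing_caps() {
    mask=$((0x$1))
    out=""
    for entry in $REQUIRED; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ $(( ($mask >> $bit) & 1 )) -eq 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s' "$out"
}

# permitted_mask [STATUSFILE]: print the CapPrm hex mask from a status file.
permitted_mask() {
    awk '$1 == "CapPrm:" { print $2 }' "${1:-/proc/self/status}" 2>/dev/null
}

# check_zebra_caps: 0 if all three are permitted, 1 if some are missing,
# 2 if the mask could not be read.
check_zebra_caps() {
    hex=$(permitted_mask)
    if [ -z "$hex" ]; then
        echo "CapPrm not found in /proc/self/status" >&2
        return 2
    fi
    missing=$(missing_caps "$hex")
    if [ -z "$missing" ]; then
        echo "net_admin, net_raw and sys_admin are all permitted"
        return 0
    fi
    for cap in $missing; do
        # <CTID> is a placeholder for the container ID; run on the host node.
        echo "missing $cap: vzctl set <CTID> --capability $cap:on --save"
    done
    return 1
}

check_zebra_caps || true
```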
Note: granting capabilities to a container can reduce its security. Make sure you fully understand the repercussions of granting any of the above capabilities before using this in production.
[[Category: Networking]]