Re: [vserver] DNS resolving problems in vserver


From: Thomas Weber (x_at_4t2.com)
Date: Wed Aug 07 2002 - 15:57:41 EDT


On Wed, Aug 07, 2002 at 07:35:58PM +0100, John Lyons wrote:
> > > >S_CAPS="CAP_NET_RAW CAP_NET_BIND_SERVICE"
> >
> > I have these set and when I try to start my vservers, i see a
> > message that
> > says:
> >
> > Starting named: capset failed: Operation not permitted
>
> Hopefully this will answer a few problems in one.
>
> 1) You need to have CAP_NET_RAW set in the conf file for the vserver in
> order to have any access to the internet. Without it you won't be able to
> ping anything from within a vserver. I would guess that you won't be able to
> see http/pop etc on the vservers without it hence the fact that someone
> couldn't contact the vservers.

without CAP_NET_RAW you won't be able to ping because ping needs
full access to the interface. but normal tcp/udp services will work.
Without CAP_NET_RAW, even root in the virtual server won't be able to sniff
your network or do other fancy stuff with your interface - very useful imho.

i run many services (pop3s, imaps, http, https...) on a vserver without
CAP_NET_RAW. In the case of named it won't help either.

> 2) The above error could be because you've got bind running on the host
> server?

the above error could well be because he didn't read the vserver FAQ ;-)
http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=72

  Tom
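
Added example, not part of the original message: one way to audit which processes actually hold the two capabilities named in S_CAPS, by decoding the CapEff mask from a /proc/<pid>/status dump. It assumes the hexadecimal Cap* line format of Linux /proc; the function names and both sample dumps are constructed for illustration.

```python
import re

# Bit numbers from linux/capability.h (only the ones relevant to this thread).
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,  # bind to ports below 1024
    "CAP_NET_ADMIN": 12,         # interface and routing configuration
    "CAP_NET_RAW": 13,           # RAW and PACKET sockets (ping, sniffers)
}

def parse_caps(status_text):
    """Return {field: mask} for the Cap* lines of a /proc/<pid>/status dump."""
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def held(mask):
    """Names of the capabilities in CAP_BITS whose bit is set in mask."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}

def audit(status_text):
    """Summarise what the effective set allows for one process."""
    caps = held(parse_caps(status_text)["CapEff"])
    return {
        "raw_sockets": "CAP_NET_RAW" in caps,         # ping, packet capture
        "low_ports": "CAP_NET_BIND_SERVICE" in caps,  # e.g. http on port 80
        "caps": caps,
    }

# Constructed sample: root in a vserver started with both S_CAPS entries.
WITH_RAW = "Name:\tnamed\nCapInh:\t0000000000000000\nCapEff:\t0000000000002400\n"
# Constructed sample: same server with CAP_NET_RAW left out of S_CAPS.
WITHOUT_RAW = "Name:\thttpd\nCapInh:\t0000000000000000\nCapEff:\t0000000000000400\n"

if __name__ == "__main__":
    for label, text in (("with", WITH_RAW), ("without", WITHOUT_RAW)):
        print(label, "CAP_NET_RAW:", audit(text))
```

Ordinary TCP and UDP sockets need neither bit; only raw or packet sockets depend on `raw_sockets`, which is why a process reporting `raw_sockets: False` can still serve http or pop3s but cannot ping or capture traffic.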



This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:01 EDT