On Sun, Mar 26, 2017 at 07:12:33PM -0700, Ankit Malp wrote:
> Thanks for the suggestions. Adding more details - so if I just bind on port
> 80 (without interface awareness), dropping of privileges works exactly as
> documented.
>
> More details
> HAProxy versions tried: 1.6.11 and 1.7.2
> OS: Amazon Linux
>
> *#Works:*
> global
> user haproxy
> frontend frontend_tcp
> mode tcp
> bind 0.0.0.0:80
>
> *#Does not work*
> global
> user haproxy
> frontend frontend_tcp_eth1
> mode tcp
> bind 0.0.0.0:80 interface eth1
> [ALERT] 084/185646 (13289) : [<>/bin/haproxy.main()] Some configuration
> options require full privileges, so global.uid cannot be changed
>
> Removing the "user haproxy" part in the above config works (but now HAProxy
> is running as root)
Thank you. I understand the problem. In the permissions check, there's no
difference between "need to run as root" and "need to start as root". The
interface binding is an example of such an incorrect check. I'll see if it's
easy to change this or not. But probably we could simply remove the check
since it will automatically fail if it cannot bind (the check is in fact here
to avoid runtime issues). If you want to fix it, simply remove "LSTCHK_NETADM"
in proto_tcp.c, function bind_parse_interface().

I suspect that most people don't get this simply because the setups where
they bind to multiple interfaces are the same where they also bind to
interfaces for outgoing connections or they're running in transparent mode,
both of which require runtime privileges as well. But in my opinion you're
clearly facing a bug that we have to fix.

Thanks,
Willy
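The thread above boils down to a pre-deployment question: does the configuration combine a privilege drop (global `user`/`group`) with a bind-time option that HAProxy treats as needing full privileges at runtime? The following lint is an added example written for this page; it is not HAProxy's own `LSTCHK_NETADM` logic and it only knows the cases named in the thread (`bind ... interface`, transparent-mode binding, and `source ... interface`/`usesrc` for outgoing connections). The two configurations it is run against are the ones Ankit posted, embedded as constructed sample input.

```python
"""Lint an HAProxy config for directives that need runtime privileges while the
global section also drops privileges with user/group/uid/gid.

Added example, not HAProxy code. The directive list mirrors only the cases
discussed in the thread; HAProxy's real check may cover other options.
"""

# global-section keywords that make HAProxy change its uid/gid after startup
PRIV_DROP_KEYWORDS = {"user", "group", "uid", "gid"}

# section headers that reset the parsing context
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}


def _tokens(line):
    """Strip a trailing '#' comment and split the line into tokens."""
    return line.split("#", 1)[0].strip().split()


def find_privileged_options(config_text):
    """Return (drops_privileges, findings) where findings is a list of
    (line_number, reason) for directives that need full runtime privileges."""
    drops = False
    findings = []
    section = None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = _tokens(raw)
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw in SECTION_KEYWORDS:
            section = kw
            continue
        if section == "global" and kw in PRIV_DROP_KEYWORDS:
            drops = True
        elif kw == "bind":
            # binding a listener to a device or in transparent mode
            if "interface" in args:
                findings.append((lineno, "bind ... interface"))
            if "transparent" in args:
                findings.append((lineno, "bind ... transparent"))
        elif kw == "source":
            # outgoing connections bound to a device or spoofing the client IP
            if "interface" in args:
                findings.append((lineno, "source ... interface"))
            if "usesrc" in args:
                findings.append((lineno, "source ... usesrc (transparent mode)"))
    return drops, findings


def check(config_text):
    """Return human-readable warnings; empty list means HAProxy will be able
    to drop privileges (as far as the cases modelled here are concerned)."""
    drops, findings = find_privileged_options(config_text)
    if not drops:
        return []  # nothing to drop, so the privilege check never fires
    return [
        "line %d: %s requires full privileges; HAProxy will refuse to change "
        "global.uid" % (lineno, reason)
        for lineno, reason in findings
    ]


# Constructed samples: the two configs from the thread.
WORKS = """global
user haproxy
frontend frontend_tcp
mode tcp
bind 0.0.0.0:80
"""

DOES_NOT_WORK = """global
user haproxy
frontend frontend_tcp_eth1
mode tcp
bind 0.0.0.0:80 interface eth1
"""

if __name__ == "__main__":
    for name, cfg in (("works", WORKS), ("does_not_work", DOES_NOT_WORK)):
        print(name, "->", check(cfg) or "ok")
```

Running the lint before `haproxy -c` gives the same verdict the ALERT in the thread gives at startup, but with the offending line number; dropping the `user haproxy` line makes the warning disappear for the same reason it did in Ankit's test, because there is no privilege drop left to refuse.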

