Hello,
On 28 December 2017 at 11:24, Senthil Naidu <[email protected]> wrote:
>
> Hi,
>
> Is there any way to run haproxy as non-root with backend configured inside
> the namespace as seen below but the same shows “general socket error”, if we run
> the same by removing the user and group from haproxy and run the same as root
> the same works fine.

The call is setns(2) and the process needs the CAP_SYS_ADMIN capability
in the target user namespace if it isn't root:

http://man7.org/linux/man-pages/man2/setns.2.html

On Thu, Dec 28, 2017 at 12:28 PM, Andrew Smalley <[email protected]> wrote:
>
> Hello Senthil
>
> You asked if you can run haproxy as a non root user.
>
> Yes you can but only for ports above 1024, ports below 1024 and port 80 as
> per your config will require root privileges to bind to the port.

The question was with namespaces on the backend, which require
additional capabilities, see above.

Also you can run haproxy with ports bound below 1024 and then
downgrade privileges: as haproxy first binds to the ports and only
then drops the privileges. This works just fine and is actually the
recommended configuration.

Limitations like this mostly impact connections to backend servers,
where sockets are opened on demand (after haproxy downgraded
privileges). Things like namespaces, TOS settings, etc.

Regards,
Lukas
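Added example, not part of the message above and not haproxy code: a small check that decodes the `CapEff` line of `/proc/<pid>/status` to tell whether a process that has already dropped privileges could still call setns(2) or bind a port below 1024. The sample status texts are constructed, the function names are hypothetical, and the check only covers the process's own effective set; it does not evaluate the capability against the target user namespace.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE = 10   # bind ports below 1024
CAP_SYS_ADMIN = 21          # required by setns(2) for a non-root caller

# Constructed samples in the layout of /proc/<pid>/status (not captured output).
ROOT_SAMPLE = "Name:\thaproxy\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
DROPPED_SAMPLE = "Name:\thaproxy\nUid:\t99\t99\t99\t99\nCapEff:\t0000000000000000\n"
SYSADMIN_ONLY_SAMPLE = "Name:\thaproxy\nUid:\t99\t99\t99\t99\nCapEff:\t0000000000200000\n"


def effective_caps(status_text):
    """Return the CapEff bitmask parsed from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def effective_uid(status_text):
    """Return the effective UID (second field of the Uid line)."""
    m = re.search(r"^Uid:\s*\d+\s+(\d+)", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no Uid line found")
    return int(m.group(1))


def assess(status_text):
    """Report what the process can still do on demand, after startup."""
    mask = effective_caps(status_text)
    return {
        "euid": effective_uid(status_text),
        # Backend sockets in a namespace are opened on demand, so setns(2)
        # runs after the privilege drop and needs CAP_SYS_ADMIN at that time.
        "late_setns": bool((mask >> CAP_SYS_ADMIN) & 1),
        # Listening sockets are bound before the drop, so this capability is
        # only needed if a low port must be bound later.
        "late_low_port_bind": bool((mask >> CAP_NET_BIND_SERVICE) & 1),
    }


if __name__ == "__main__":
    for name, text in [("root", ROOT_SAMPLE), ("dropped", DROPPED_SAMPLE),
                       ("cap_sys_admin only", SYSADMIN_ONLY_SAMPLE)]:
        print(name, assess(text))
```

On a live system the same function can be fed the contents of `/proc/<pid>/status` for the running haproxy worker.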

