Hi Lukas,

Thank you for the correction. I didn't even think about using CAP_SYS_ADMIN to give a standard user more privs.

Out of interest, would CAP_NET_BIND_SERVICE not be a better choice than giving haproxy full admin rights, just allowing it to bind to ports <1024?

"setcap" - set Linux capabilities on a file. Useful for giving executables permissions to capabilities that are normally restricted to the root user, like binding to a port below port 1024 without the need to run as root, or to give wireshark permissions to capture packets without needing to be run as root.

The example below allows haproxy to connect below port 1024 without being root.

    setcap cap_net_bind_service=+ep /usr/local/sbin/haproxy

Andruw Smalley
Loadbalancer.org Ltd.
www.loadbalancer.org

On 28 December 2017 at 15:04, Lukas Tribus <[email protected]> wrote:
> Hello,
>
> On 28 December 2017 at 11:24, Senthil Naidu <[email protected]> wrote:
> >
> > Hi,
> >
> > Is there any way to run haproxy as non-root with backend configured inside the
> > namespace as seen below but the same shows "general socket error"; if we run
> > the same by removing the user and group from haproxy and run the same as root
> > then the same works fine.
>
> The call is setns(2) and the process needs the CAP_SYS_ADMIN capability in the
> target user namespace if it isn't root:
>
> http://man7.org/linux/man-pages/man2/setns.2.html
>
> > On Thu, Dec 28, 2017 at 12:28 PM, Andrew Smalley <[email protected]> wrote:
> >
> > Hello Senthil
> >
> > You asked if you can run haproxy as a non root user.
> >
> > Yes you can but only for ports above 1024, ports below 1024 and port 80
> > as per your config will require root privileges to bind to the port.
>
> The question was with namespaces on the backend, which require additional
> capabilities, see above.
>
> Also you can run haproxy with ports bound below 1024 and then downgrade
> privileges: as haproxy first binds to the ports and only then drops the
> privileges. This works just fine and is actually the recommended configuration.
>
> Limitations like this mostly impact connections to backend servers, where
> sockets are opened on demand (after haproxy downgraded privileges). Things
> like namespaces, TOS settings, etc.
>
> Regards,
> Lukas
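The thread above contrasts a narrow file capability (cap_net_bind_service on the haproxy binary) with the much broader CAP_SYS_ADMIN that setns(2) needs. A practitioner who has set capabilities this way usually wants a way to audit them afterwards: confirm the binary carries only the capability it was meant to get, and find any binary on the host that carries cap_sys_admin. The script below is an added example, not code from the thread or from the haproxy project. It assumes the two output formats of `getcap -r` that libcap has used (older: `PATH = CAPS+FLAGS`; newer, libcap 2.41 and later: `PATH CAPS=FLAGS`) and runs against a constructed sample of that output, so it works offline; the paths in the sample other than /usr/local/sbin/haproxy are made up.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit file capabilities
# so that a binary such as haproxy carries only the narrow capability it needs
# (cap_net_bind_service) and nothing as broad as cap_sys_admin.
#
# SAMPLE_GETCAP is a constructed stand-in for `getcap -r /usr/local/sbin /usr/bin
# 2>/dev/null`. Both libcap output formats are included on purpose:
#   older libcap:  PATH = CAPS+FLAGS
#   libcap >= 2.41: PATH CAPS=FLAGS
# Only /usr/local/sbin/haproxy comes from the thread; the other paths are made up.
SAMPLE_GETCAP='/usr/local/sbin/haproxy = cap_net_bind_service+ep
/usr/local/sbin/legacy-proxy = cap_sys_admin,cap_net_bind_service+ep
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip'

# caps_of PATH OUTPUT -> prints the comma-separated capability names (flags
# stripped) that OUTPUT assigns to PATH, or nothing if PATH has none.
caps_of() {
  path="$1"; output="$2"
  caps=$(printf '%s\n' "$output" | awk -v p="$path" '$1 == p { print ($2 == "=") ? $3 : $2 }')
  # Drop the flag suffix: "cap_x+ep" or "cap_x=eip" -> "cap_x"
  printf '%s' "${caps%%[+=]*}"
}

# check_caps PATH ALLOWED OUTPUT -> returns 0 if every capability on PATH is in
# the space-separated ALLOWED list (or PATH has none at all), 1 otherwise.
check_caps() {
  path="$1"; allowed="$2"; output="$3"
  caps=$(caps_of "$path" "$output")
  [ -n "$caps" ] || { echo "$path: no file capabilities"; return 0; }
  for c in $(printf '%s' "$caps" | tr ',' ' '); do
    case " $allowed " in
      *" $c "*) ;;
      *) echo "$path: $c is outside the allowed set ($allowed)"; return 1 ;;
    esac
  done
  echo "$path: ok ($caps)"
  return 0
}

# list_with_cap CAP OUTPUT -> prints each path whose capability set contains CAP.
# Useful for a host-wide sweep, e.g. list_with_cap cap_sys_admin "$(getcap -r / 2>/dev/null)".
list_with_cap() {
  cap="$1"; output="$2"
  printf '%s\n' "$output" | awk -v cap="$cap" '
    NF >= 2 {
      c = ($2 == "=") ? $3 : $2
      sub(/[+=].*/, "", c)
      if (("," c ",") ~ ("," cap ",")) print $1
    }'
}

# Usage on the constructed sample. On a real host, replace SAMPLE_GETCAP with
# "$(getcap -r / 2>/dev/null)".
check_caps /usr/local/sbin/haproxy "cap_net_bind_service" "$SAMPLE_GETCAP" || :
check_caps /usr/local/sbin/legacy-proxy "cap_net_bind_service" "$SAMPLE_GETCAP" || :
echo "binaries carrying cap_sys_admin:"
list_with_cap cap_sys_admin "$SAMPLE_GETCAP"
```

The check deliberately treats a binary with no file capabilities as passing, since that is the state the thread recommends for haproxy's own listeners (bind as root, then drop privileges); the capability route is only needed when the privileged operation happens after the drop, as with backend namespaces.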

