Hello,

While playing with QUIC setup I was cleaning the QUIC config.
I removed the long-standing 'tune.quic.socket-owner connection' as it seems to be the default/optimal setting.

This is probably not related but I found the following error in logs:
'Permission error on QUIC socket binding for proxy wwws. Consider using setcap cap_net_bind_service (Linux only) or running as root.'

I'm running on a "standard" setup (with recompiled haproxy 3.1.5 for aws-lc use) on Debian 11 and 12. Looking through the Config Manual and Management Guide I had some explanations on Linux capabilities support (https://docs.haproxy.org/3.1/management.html#13.1). That's fine.
However, there is something strange there.

I've put 'setcap cap_net_bind_service,cap_net_admin' in global section of my config.
I restarted haproxy. I can't see any error in logs any more.
And the capabilities of the main and forked processes look like this:

# grep Cap /proc/2153673/status
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
# grep Cap /proc/2153679/status
CapInh: 0000000000000000
CapPrm: 0000000000001400
CapEff: 0000000000001400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

Everything seems perfect but... I didn't set the capabilities on the /usr/sbin/haproxy file as suggested in Management Guide:

# getcap -v /usr/sbin/haproxy
/usr/sbin/haproxy
#

So, is it really working without setting the capabilities on the file, and is there some kind of magic there? And by the way, is there something to change in the Management Guide chapter? Or is setcap on the haproxy executable mandatory and my current setup, even if I can't see any error, is broken (= does not work as expected)?

--
Best regards,
Artur
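Decoding the Cap* masks quoted above, as an added example that is not part of the original mail or of HAProxy itself: the bit numbering follows <linux/capability.h> (cap_net_bind_service is bit 10 and cap_net_admin is bit 12, so 0x1400 is exactly those two and nothing else), and the embedded status text is a constructed sample that mirrors the worker-process values shown in the mail. It turns the hex masks into capability names so the effective set of a running process can be checked against what the config intends.

```shell
#!/bin/sh
# Decode the Cap* bitmasks from /proc/<pid>/status into capability names.
# Added example, not HAProxy code. Bit numbering follows <linux/capability.h>
# (cap_net_bind_service = 10, cap_net_admin = 12).

# Capability names in bit order, bit 0 first (kernel capabilities 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_name N -> "cap_<name>" for capability bit N (0..40)
cap_name() {
  n=$1
  # shellcheck disable=SC2086
  set -- $CAP_NAMES
  shift "$n"
  printf 'cap_%s\n' "$1"
}

# decode_caps HEXMASK -> comma-separated names of the set bits, lowest bit first
decode_caps() {
  val=$((0x$1))
  bit=0
  out=""
  while [ "$bit" -le 40 ]; do
    if [ $(( (val >> bit) & 1 )) -eq 1 ]; then
      out="${out:+$out,}$(cap_name "$bit")"
    fi
    bit=$((bit + 1))
  done
  printf '%s\n' "$out"
}

# cap_field STATUS_TEXT FIELD -> hex mask of e.g. "CapEff" from status text
cap_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# Constructed sample mirroring the worker-process values quoted in the mail.
SAMPLE_STATUS='CapInh: 0000000000000000
CapPrm: 0000000000001400
CapEff: 0000000000001400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# Usage: sh decode_caps.sh <pid>
# Without a pid (or an unreadable /proc entry) the constructed sample is decoded.
if [ -n "${1:-}" ] && [ -r "/proc/$1/status" ]; then
  status=$(cat "/proc/$1/status")
else
  status=$SAMPLE_STATUS
fi
for f in CapPrm CapEff CapBnd; do
  printf '%s: %s\n' "$f" "$(decode_caps "$(cap_field "$status" "$f")")"
done
```

Run against the worker pid from the mail with `sh decode_caps.sh 2153679`; the CapEff line for a mask of 0000000000001400 reads `cap_net_bind_service,cap_net_admin`, which is the set named in the 'setcap' global keyword, while the master's 000001ffffffffff decodes to all 41 capabilities. Comparing the worker's CapEff against the intended list is the quick way to confirm that privilege dropping kept only what was configured.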