On 7/30/14, István Király <[email protected]> wrote:
> Hi folks, ..
>
> I'm trying to figure out what the proper method will be to use node.js as
> a web server.
> The problem is that node, when run as a user, cannot bind to port 80, or
> ports lower than 1024.
>
> I would like to give the container permission to bind node to port 80, and
> eventually 443.
>
> [root@dev node-project]# setcap cap_net_bind_service=+ep /usr/bin/node
> unable to set CAP_SETFCAP effective capability: Operation not permitted

In the common or personal LXC config, check the allowed capabilities:

1) [root]# grep include /var/lib/lxc/LXC_NAME/config
lxc.include = /usr/share/lxc/config/centos.common.conf

2) [root]# grep -r lxc.cap.drop /usr/share/lxc/config/centos.common.conf
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw # breaks dhcp/ping
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid # breaks sshd,nfs statd
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio

Remove setfcap from lxc.cap.drop. Be sure that /usr/share/lxc/config/centos.common.conf does not include another include:

# grep include /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/common.conf

Check all include chains for lxc.cap.drop if needed. Restart the container. Test:

# setcap 'cap_net_bind_service=+ep' /www/splunk/bin/splunkd
# getcap /www/splunk/bin/splunkd
/www/splunk/bin/splunkd = cap_net_bind_service+ep

As a variant, you can set and check capabilities from the hardware node. Get access to the container rootfs; in case of LVM, mount the device:

# mount /dev/data/splunk /media

Check, unset, check and set again:

[root@node01 mkozin]# setcap 'cap_net_bind_service=-ep' /media/www/splunk/bin/splunkd
[root@node01 mkozin]# getcap /media/www/splunk/bin/splunkd
/media/www/splunk/bin/splunkd =
[root@node01 mkozin]# setcap 'cap_net_bind_service=+ep' /media/www/splunk/bin/splunkd
[root@node01 mkozin]# getcap /media/www/splunk/bin/splunkd
/media/www/splunk/bin/splunkd = cap_net_bind_service+ep

After a restart the cap stays in place:

# lxc_ctl restart splunk (some kind of wrapper to lxc-stop/start)
# getcap /media/www/splunk/bin/splunkd
/media/www/splunk/bin/splunkd = cap_net_bind_service+ep

b.r.
Maxim Kozin
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
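The "check all include chains for lxc.cap.drop" step above is easy to get wrong by hand, because the capability that blocks setcap (setfcap) can be dropped in a file two includes away from the container's own config. The script below is an added example, not code from the thread or from the LXC project: it follows lxc.include directives recursively, lists every uncommented lxc.cap.drop line in effect and which file contributed it, and can remove one capability name from those lines while keeping a .bak copy of the edited file. It assumes the plain "key = value" syntax shown in the thread; the sample config tree it builds (config -> centos.common.conf -> common.conf, with constructed capability lists) is a stand-in for the real /var/lib/lxc and /usr/share/lxc/config files, and the file names and helper names are hypothetical. Applying the change still requires restarting the container and verifying with getcap as Maxim shows, which needs root and is not part of this script.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): report the lxc.cap.drop
# lines an LXC container actually inherits through its lxc.include chain,
# and optionally strip one capability from them (backup kept as FILE.bak).
# Assumes the "key = value" config syntax shown in the thread.

# Print "FILE: lxc.cap.drop = ..." for every uncommented cap.drop line
# reachable from CONFIG, following lxc.include directives recursively.
lxc_cap_drop_chain() {
    _cfg="$1"
    [ -r "$_cfg" ] || { echo "cannot read $_cfg" >&2; return 1; }
    grep -E '^[[:space:]]*lxc\.cap\.drop[[:space:]]*=' "$_cfg" | sed "s|^|$_cfg: |"
    # The include list is expanded once, so recursion cannot disturb this loop.
    for _inc in $(sed -n 's/^[[:space:]]*lxc\.include[[:space:]]*=[[:space:]]*//p' "$_cfg"); do
        lxc_cap_drop_chain "$_inc"
    done
}

# Exit 0 if capability CAP is dropped anywhere in CONFIG's include chain.
lxc_drops_cap() {
    lxc_cap_drop_chain "$1" \
        | sed 's/^[^:]*: *lxc\.cap\.drop *= *//' | tr ' ' '\n' | grep -qx "$2"
}

# Remove CAP from every uncommented lxc.cap.drop line in FILE, in place,
# leaving FILE.bak as a backup of the original contents.
remove_cap_from_drop() {
    _file="$1"; _cap="$2"
    sed -i.bak -E "/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=/{s/\$/ /;s/[[:space:]]$_cap / /g;s/[[:space:]]+\$//;}" "$_file"
}

# Constructed sample mirroring the thread's layout (config -> centos.common.conf
# -> common.conf) with made-up capability lists; prints the directory created.
make_sample_configs() {
    _d=$(mktemp -d)
    cat > "$_d/common.conf" <<EOF
lxc.cap.drop = mac_admin mac_override
EOF
    cat > "$_d/centos.common.conf" <<EOF
lxc.include = $_d/common.conf
# lxc.cap.drop = sys_admin
lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
EOF
    cat > "$_d/config" <<EOF
lxc.include = $_d/centos.common.conf
lxc.utsname = node-project
EOF
    echo "$_d"
}

# Usage: sh capdrop-chain.sh /var/lib/lxc/NAME/config [more configs...]
for _c in "$@"; do
    lxc_cap_drop_chain "$_c"
done
```

Run it against a container's config to see the full effective drop list before editing anything; `lxc_drops_cap CONFIG setfcap` is the one-line check for the symptom in the thread (setcap failing with "unable to set CAP_SETFCAP"). Removing only setfcap, rather than the whole lxc.cap.drop line, keeps the rest of the distribution's default capability restrictions in place, and the .bak file makes the change easy to revert if a service breaks after the restart.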
