-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ospfd requires cap_sys_admin #8681
Comments
We agree with you that minimum privileges is good practice. Unfortunately we need this cap in order to be able to switch network namespaces for namespace based VRFs. From
Quagga didn't have this feature and so didn't require this capability. I'll note that we only elevate privileges when necessary and drop them when done (you can grep for Of course in theory we could make needing |
Thanks for your quick response. For now I'll recompile with Once I'm certain that it works as intended I'll submit a PR. My approach would be adding a |
There is already a flag named '--vrfwnetns' that, if not present, should be used to disable cap-sys-admin wherever needed. arent you in the case where you are using BGP in standalone mode as route reflector ? |
@pguibert6WIND I'm not starting zebra with Lines 312 to 315 in 58ba064
I'm not using BGP, just OSPF. |
Sorry for the delay. Yeah, that sounds appropriate. |
I meant, you don't need a new flag. |
Please see https://github.com/javier-godoy/frr-alpine/blob/test/init (using FRR 7.5.1 from Alpine 3.13.5)
When only NET_ADMIN is granted, zebra and ospfd fail with the following log and the processes are not started. Note that it wants
When both NET_ADMIN and SYS_ADMIN are granted, then zebra and ospfd start correctly:
|
Yes, I'm not sure what Phillipe meant: several daemons unconditionally request CAP_SYS_ADMIN currently. |
I think this issue shouldn't be limited to ospfd and also cover other daemons (zebra, bgpd, …). I'm trying to setup a simple FRR instance as a BGP speaker (publish routes to load balancer and don't need to handle any incoming routes), and have the same issue. |
I was thinking the capabilities were requested by vrfwnetns mode, whereas this is the container that requests it. |
As I am just experiment, I use --privileged to run docker container and no error |
I had previously used quagga 1.2.4-r2 (particularly ospfd) in a docker container based on alpine 3.11.3
When trying to migrate to frr-7.3.1-r0 in a docker container based on alpine 3.12.3 (binaries installed with apk) I found that ospfd and zebra fail to initialize, with the following message:
I'm not granting
cap_sys_admin
to the container, and I would like to avoid it if possible (Quagga's ospfd worked fine with onlycap_net_admin
andcap_net_raw
).I seem to understand that
cap_sys_admin
was added to FRR in #1818and the workaround from #2007 is not possible since the container is not granted such permission.
Is there any way to avoid the check for
cap_sys_admin
?The text was updated successfully, but these errors were encountered: