Running dnsmasq on an openvz container

While compiling and running dnsmasq I came across the following error on one of my VPSes:

# dnsmasq
dnsmasq: setting capabilities failed: Operation not permitted

Apparently it's an openvz capabilities issue, according to this article, and requires the following:

vzctl set CTID --capability setuid:on --save
vzctl set CTID --capability net_admin:on --save
vzctl set CTID --capability net_raw:on --save

My host refused to make the necessary changes. Is it a security hole to enable the option? Which lowend providers enable the option?

C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

Comments

  • rmlhhd Member, Provider

    When do you get the error?

    During install or after configuration?

    RIPE NCC Member | DevCapsule Ltd. | 1 vCPU, 512MB RAM, 500GB Bandwidth, 10GB SSD for £2/pm exVAT LAX, MCR, AMS

  • Droidzone Member
    edited January 2014

    @rmlhhd said:
    When do you get the error?

    During install or after configuration?

    After install, on running dnsmasq without any parameters.

    daemon.log doesn't reveal much:

    Jan 2 16:07:06 ns2 dnsmasq[2132]: setting capabilities failed: Operation not permitted
    Jan 2 16:07:06 ns2 dnsmasq[2132]: FAILED to start up

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • rmlhhd Member, Provider
    edited January 2014

    Works for me...

    RamNode -

    Setting up dnsmasq (2.62-3+deb7u1) ...

    [ ok ] Starting DNS forwarder and DHCP server: dnsmasq.

    [email protected]:~# service dnsmasq restart

    [ ok ] Restarting DNS forwarder and DHCP server: dnsmasq.

    [email protected]:~# service dnsmasq stop

    [ ok ] Stopping DNS forwarder and DHCP server: dnsmasq.

    [email protected]:~# service dnsmasq start

    [ ok ] Starting DNS forwarder and DHCP server: dnsmasq.

    [email protected]:~#

    RIPE NCC Member | DevCapsule Ltd. | 1 vCPU, 512MB RAM, 500GB Bandwidth, 10GB SSD for £2/pm exVAT LAX, MCR, AMS

  • I haven't looked at the actual code, but while reading the description of what dnsmasq is supposed to be I see zero reason why it should need these capabilities to be able to operate.


  • I use Debian 7 and the installation was so easy

    apt-get install dnsmasq

    and to restart or stop is:

    /etc/init.d/dnsmasq restart

    /etc/init.d/dnsmasq stop

  • Droidzone Member
    edited January 2014

    @dedicados said:
    I use Debian 7 and the installation was so easy

    I wasn't having problems installing it. Just to debug, I tried installing from the package as well. However, the issue is in starting dnsmasq, and openvz capabilities are documented to be the source of the problems.

    # apt-get install dnsmasq
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      dbus dnsmasq-base libcap2 libdbus-1-3 libexpat1 libnetfilter-conntrack3 libsystemd-login0
    Suggested packages:
      dbus-x11 resolvconf
    The following NEW packages will be installed:
      dbus dnsmasq dnsmasq-base libcap2 libdbus-1-3 libexpat1 libnetfilter-conntrack3 libsystemd-login0
    0 upgraded, 8 newly installed, 0 to remove and 31 not upgraded.
    Need to get 139 kB/1179 kB of archives.
    After this operation, 2946 kB of additional disk space will be used.
    Do you want to continue [Y/n]?
    Get:1 http://ftp.de.debian.org/debian/ wheezy/main libexpat1 amd64 2.1.0-1+deb7u1 [139 kB]
    Fetched 139 kB in 3s (39.7 kB/s)
    Selecting previously unselected package libcap2:amd64.
    (Reading database ... 17035 files and directories currently installed.)
    Unpacking libcap2:amd64 (from .../libcap2_1%3a2.22-1.2_amd64.deb) ...
    Selecting previously unselected package libdbus-1-3:amd64.
    Unpacking libdbus-1-3:amd64 (from .../libdbus-1-3_1.6.8-1+deb7u1_amd64.deb) ...
    Selecting previously unselected package libexpat1:amd64.
    Unpacking libexpat1:amd64 (from .../libexpat1_2.1.0-1+deb7u1_amd64.deb) ...
    Selecting previously unselected package libnetfilter-conntrack3:amd64.
    Unpacking libnetfilter-conntrack3:amd64 (from .../libnetfilter-conntrack3_1.0.1-1_amd64.deb) ...
    Selecting previously unselected package libsystemd-login0:amd64.
    Unpacking libsystemd-login0:amd64 (from .../libsystemd-login0_44-11+deb7u4_amd64.deb) ...
    Selecting previously unselected package dbus.
    Unpacking dbus (from .../dbus_1.6.8-1+deb7u1_amd64.deb) ...
    Selecting previously unselected package dnsmasq-base.
    Unpacking dnsmasq-base (from .../dnsmasq-base_2.62-3+deb7u1_amd64.deb) ...
    Selecting previously unselected package dnsmasq.
    Unpacking dnsmasq (from .../dnsmasq_2.62-3+deb7u1_all.deb) ...
    Processing triggers for man-db ...
    Setting up libcap2:amd64 (1:2.22-1.2) ...
    Setting up libdbus-1-3:amd64 (1.6.8-1+deb7u1) ...
    Setting up libexpat1:amd64 (2.1.0-1+deb7u1) ...
    Setting up libnetfilter-conntrack3:amd64 (1.0.1-1) ...
    Setting up libsystemd-login0:amd64 (44-11+deb7u4) ...
    Setting up dbus (1.6.8-1+deb7u1) ...
    [ ok ] Starting system message bus: dbus.
    Setting up dnsmasq-base (2.62-3+deb7u1) ...
    Setting up dnsmasq (2.62-3+deb7u1) ...
    [....] Restarting DNS forwarder and DHCP server: dnsmasq
    dnsmasq: setting capabilities failed: Operation not permitted
     failed!
    invoke-rc.d: initscript dnsmasq, action "restart" failed.

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • @joelgm are you running it as root?

    Patrick | INIZ
  • @INIZ said:
    joelgm are you running it as root?

    Yes, indeed.

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • @joelgm said:

    It should work according to the docs then:
    Q: Dnsmasq fails to start up with a message about capabilities.
    Why did that happen and what can I do to fix it?

    A: Change your kernel configuration: either deselect CONFIG_SECURITY
    or select CONFIG_SECURITY_CAPABILITIES. Alternatively, you can
    remove the need to set capabilities by running dnsmasq as root.

    Patrick | INIZ
  • @INIZ said:
    It should work according to the docs then

    That's why I'm at a loss here. I can't fathom why it doesn't work.

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • @rmlhhd said:
    Works for me...

    RamNode -

    I just bought a Seattle Ramnode and discovered that the capabilities were not available on this one as well! :(

    It did work on a Raidlogic VPS though.

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • rmlhhd Member, Provider
    edited January 2014

    @joelgm said:

    Mine was in NL

    Thanked by 1: Droidzone

    RIPE NCC Member | DevCapsule Ltd. | 1 vCPU, 512MB RAM, 500GB Bandwidth, 10GB SSD for £2/pm exVAT LAX, MCR, AMS

  • @rmlhhd said:
    Mine was in NL

    I'll request a transfer to NL.

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • rmlhhd Member, Provider

    Should work then

    RIPE NCC Member | DevCapsule Ltd. | 1 vCPU, 512MB RAM, 500GB Bandwidth, 10GB SSD for £2/pm exVAT LAX, MCR, AMS

  • @joelgm said:
    I'll request a transfer to NL.

    Or maybe you can ask them to enable it? RamNode support is usually very helpful...

  • @agonyzt said:
    Or maybe you can ask them to enable it? RamNode support is usually very helpful...

    I've described my scenario and linked them to this thread. I'm hopeful of a positive response.

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • Same issue on GVH - did you get this solved? @Greenvaluehost - care to comment?

  • smansman Member
    edited June 2015

    Old thread I know. I just ran into this myself. Setting it to run as root gets around this. Don't know what implications that has.

    nano /etc/dnsmasq.conf

    listen-address=127.0.0.1
    port=53
    bind-interfaces
    user=root

    Thanked by 1: 4n0nx
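The "setting capabilities failed" error from the opening post and the user=root workaround in the last reply both hinge on which capabilities the container's kernel lets dnsmasq keep after it drops root. The script below is an added example, not code from this thread or from dnsmasq: it decodes the CapBnd bounding-set mask from a /proc/<pid>/status file (bit numbers from <linux/capability.h>: cap_setuid 7, cap_net_admin 12, cap_net_raw 13, the three capabilities the vzctl commands above switch on), reports which are missing, and separately flags a dnsmasq.conf whose uncommented user=root line keeps the daemon privileged. The status excerpt and config it feeds itself are constructed sample input, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from dnsmasq. Decodes the
# capability bounding set a container kernel reports in /proc/<pid>/status
# and checks for the three capabilities the thread names, then flags a
# dnsmasq.conf that keeps the daemon as root instead. Bit numbers are from
# <linux/capability.h>; all sample input below is constructed.

CAP_SETUID=7
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT: succeed when bit BIT is set in HEXMASK, the 64-bit
# hex value printed after CapBnd:/CapEff: in /proc/<pid>/status.
has_cap() {
    _mask=$1
    _bit=$2
    [ $(( (0x$_mask >> _bit) & 1 )) -eq 1 ]
}

# cap_field NAME [STATUSFILE]: print the hex mask on the "NAME:" line of a
# /proc/<pid>/status file (default: the calling shell's own status).
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "${2:-/proc/self/status}"
}

# check_dnsmasq_caps [STATUSFILE]: report each capability dnsmasq keeps when
# it drops root. A capability outside the bounding set cannot be acquired by
# any process in the container, which is what "setting capabilities failed"
# reflects. Returns the number of missing capabilities (0 = all available).
check_dnsmasq_caps() {
    _bnd=$(cap_field CapBnd "$1")
    if [ -z "$_bnd" ]; then
        echo "no CapBnd line found in ${1:-/proc/self/status}"
        return 3
    fi
    _missing=0
    for _entry in setuid:$CAP_SETUID net_admin:$CAP_NET_ADMIN net_raw:$CAP_NET_RAW; do
        _name=${_entry%%:*}
        _bit=${_entry##*:}
        if has_cap "$_bnd" "$_bit"; then
            echo "ok       $_name (bit $_bit) is in the bounding set"
        else
            echo "MISSING  $_name (bit $_bit) is not in the bounding set"
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# runs_as_root CONFFILE: succeed when an uncommented "user=root" line keeps
# dnsmasq running as root, i.e. the daemon never drops privileges and the
# capability check above is bypassed rather than satisfied.
runs_as_root() {
    grep -Eq '^[[:space:]]*user[[:space:]]*=[[:space:]]*root[[:space:]]*$' "$1"
}

demo() {
    _tmp=$(mktemp -d)
    # Constructed status excerpt: a bounding set holding only cap_setuid
    # (bit 7), as a container that was denied net_admin/net_raw would show.
    printf 'Name:\tdnsmasq\nCapBnd:\t0000000000000080\n' > "$_tmp/status"
    # Constructed config in the shape of the workaround from the last reply.
    printf 'listen-address=127.0.0.1\nport=53\nbind-interfaces\nuser=root\n' \
        > "$_tmp/dnsmasq.conf"

    echo "== constructed restricted container =="
    check_dnsmasq_caps "$_tmp/status" || echo "$? capability(ies) missing"
    if runs_as_root "$_tmp/dnsmasq.conf"; then
        echo "dnsmasq.conf keeps the daemon as root (workaround in use)"
    fi

    if [ -r /proc/self/status ]; then
        echo "== this system (bounding set of the current shell) =="
        check_dnsmasq_caps || echo "$? capability(ies) missing"
    fi
    rm -rf "$_tmp"
}

demo
```

Run it inside the container as the user that would start dnsmasq: a non-zero missing count is the same condition the thread's error message reports, and a user=root hit shows a config where the daemon has stopped dropping privileges rather than one where the capabilities were granted. The change that keeps dnsmasq unprivileged is the host-side vzctl one from the opening post, which only the provider can make.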