TCP backend inside the namespace as non-root

shefys · May 23, 2017, 6:21pm

Hi,

Is there any way to run haproxy as non-root with a backend configured inside the namespace?
I tried to setcap cap_sys_admin+ep /usr/sbin/haproxy but it didn’t help.

If I start haproxy with user ‘haproxy’ then it is not able to open connections to the backend servers located within namespace:
setns(5, CLONE_NEWNET) = -1 EPERM (Operation not permitted)
gettimeofday({1495561253, 588872}, NULL) = 0

If I run haproxy as root - everything works.

My config:

frontend netns1_fend
	log global
    mode tcp
    option tcplog
    bind 1.2.3.4:443 namespace netns1
    bind 1.2.4.4:443 namespace netns1
	default_backend netns1_bend

backend netns1_bend
	mode tcp
	option tcplog
	option tcp-check
	server h1 172.16.1.219:443 check namespace netns1
    server h2 172.16.1.90:443 check namespace netns1

Topic		Replies	Views
Backend Namespace Cannot get a server socket Help!	0	1612	March 24, 2017
Unix socket as backend Help!	6	1826	February 17, 2022
BInding to ports like 80 and 443 as non-root user Help!	2	1746	October 1, 2020
Config : frontend 'GLOBAL' has no 'bind' directive Help!	2	6928	February 8, 2018
Use_backend app-main if { hdr_dom(host) -i } -> Not recognize domain Help!	5	3881	November 7, 2019

TCP backend inside the namespace as non-root

Related Topics