TCP backend inside the namespace as non-root


#1

Hi,

Is there any way to run haproxy as non-root with a backend configured inside the namespace?
I tried to setcap cap_sys_admin+ep /usr/sbin/haproxy but it didn’t help.

If I start haproxy as user ‘haproxy’, it is not able to open connections to the backend servers located within the namespace:
setns(5, CLONE_NEWNET) = -1 EPERM (Operation not permitted)
gettimeofday({1495561253, 588872}, NULL) = 0

If I run haproxy as root - everything works.

My config:

frontend netns1_fend
    log global
    mode tcp
    option tcplog
    bind 1.2.3.4:443 namespace netns1
    bind 1.2.4.4:443 namespace netns1
    default_backend netns1_bend

backend netns1_bend
    mode tcp
    option tcplog
    option tcp-check
    server h1 172.16.1.219:443 check namespace netns1
    server h2 172.16.1.90:443 check namespace netns1
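
A diagnostic for the EPERM in the strace output above, added here as an example and not part of the original post: setns() into a network namespace requires CAP_SYS_ADMIN in the caller's effective set, so the check reads the CapEff mask of the running process from /proc. The function names and the optional PID argument are assumptions of this example.

```shell
#!/bin/sh
# Check whether a process holds CAP_SYS_ADMIN in its *effective* set,
# which the kernel requires for setns(fd, CLONE_NEWNET).
# File capabilities set with setcap only matter if they are still
# effective in the running process, so inspect the process itself.

# CAP_SYS_ADMIN is capability number 21 in <linux/capability.h>.
CAP_SYS_ADMIN_BIT=21

# has_cap STATUS_FILE BIT
# Returns 0 if BIT is set in the CapEff mask, 1 if it is clear,
# 2 if the file has no CapEff line.
has_cap() {
    mask=$(awk '$1 == "CapEff:" { print $2 }' "$1")
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# report STATUS_FILE
# Prints a one-line verdict for the namespace switch.
report() {
    if has_cap "$1" "$CAP_SYS_ADMIN_BIT"; then
        echo "CAP_SYS_ADMIN effective: capability check for setns(CLONE_NEWNET) passes"
    else
        echo "CAP_SYS_ADMIN not effective: expect EPERM from setns(CLONE_NEWNET)"
    fi
}

# Usage: sh check_netns_cap.sh <pid-of-haproxy-worker>
if [ $# -gt 0 ]; then
    report "/proc/$1/status"
fi
```

Run it against the PID of the haproxy process that actually opens the backend connections, not the binary on disk.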