From: Thomas Weber (x_at_4t2.com)
Date: Wed 07 Aug 2002 - 20:57:41 BST
On Wed, Aug 07, 2002 at 07:35:58PM +0100, John Lyons wrote:
> > > >S_CAPS="CAP_NET_RAW CAP_NET_BIND_SERVICE"
> > I have these set and when I try to start my vservers, i see a
> > message that
> > says:
> > Starting named: capset failed: Operation not permitted
> Hopefully this will answer a few problems in one.
> 1) You need to have CAP_NET_RAW set in the conf file for the vserver in
> order to have any access to the internet. Without it you won't be able to
> ping anything from within a vserver. I would guess that you won't be able to
> see http/pop etc on the vservers without it hence the fact that someone
> couldn't contact the vservers.
without CAP_NET_RAW you won't be able to ping because ping needs
full access to the interface. but normal tcp/udp services will work.
Without CAP_NET_RAW, even root in the virtual server won't be able to sniff
your network or do other fancy stuff with your interface - very useful imho.
i run many services (pop3s, imaps, http, https...) on a vserver without
CAP_NET_RAW. In the case of named it won't help either.
> 2) The above error could be because you've got bind running on the host
the above error could well be because he didn't read the vserver FAQ ;-)
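
Added example, not part of the original message or of the vserver project: one way to check which of the two capabilities discussed above a process actually holds, by decoding the `CapInh`/`CapPrm`/`CapEff` masks the Linux kernel prints in `/proc/<pid>/status`. The sample status text is constructed, and the function names are hypothetical.

```python
import re

# Bit numbers from linux/capability.h (only the ones relevant to this thread).
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,  # bind to ports below 1024
    "CAP_NET_RAW": 13,           # raw and packet sockets (ping, sniffers)
}

# Constructed sample: a root process that kept only CAP_NET_BIND_SERVICE.
SAMPLE_STATUS = (
    "Name:\tnamed\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t00000000\n"
    "CapPrm:\t00000400\n"
    "CapEff:\t00000400\n"
)

def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int} for the lines present."""
    pattern = r"^(Cap(?:Inh|Prm|Eff)):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def cap_names(mask):
    """Names of the capabilities from CAP_BITS that are set in mask."""
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}

def audit(status_text):
    """Report what the effective set allows, independent of uid 0."""
    masks = parse_cap_masks(status_text)
    if "CapEff" not in masks:
        raise ValueError("no CapEff line in status text")
    effective = cap_names(masks["CapEff"])
    return {
        "raw_sockets": "CAP_NET_RAW" in effective,
        "bind_low_ports": "CAP_NET_BIND_SERVICE" in effective,
        "effective": sorted(effective),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS))
```

To audit a live process, pass the contents of its `/proc/<pid>/status` file to `audit()` instead of the sample.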