Remi Gacogne
Interesting, thanks! Several entries on that list seem nice but have no release, and some are not even self-contained. It would be fun to try using zig-hpke from C++, as...
Setting:
```
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
LimitMEMLOCK=infinity
```
should be enough to make it work (I just tested on a 5.18.16). `CAP_BPF` is a subset of `CAP_SYS_ADMIN` so setting `CAP_SYS_ADMIN`...
I'll have to set up a SLES 15-SP4 box to test, then. In the meantime, would you be able to confirm that issuing `sysctl kernel.unprivileged_bpf_disabled=0` allows dnsdist to start? It...
I have not been able to reproduce yet, I'll do more tests tomorrow:
```
# cat /etc/os-release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"...
```
It looks like I don't even need `LimitMEMLOCK=infinity`, adding `CAP_BPF` to both `CapabilityBoundingSet` and `AmbientCapabilities` with `systemctl edit --full dnsdist` then issuing a `systemctl restart dnsdist` works for me.
Oh, I did not suspect AppArmor, well done!
Is that AppArmor policy an internal one, or can we submit a patch to it?
I'm not sure I want to grant more privileges by default, since most people are not using eBPF, but I might be wrong. In any case I'm going to add...
Thanks a lot for the feedback, Winfried, much appreciated!
OK, then I did not understand it correctly! I think you should discard my comments until we are sure I'm looking at the correct version of recursor_cache.cc, otherwise you might...