Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue in debian package systemd startup script: Failed to apply ambient capabilities (before UID change): Operation not permitted #1605

Open
markboots opened this issue Feb 5, 2023 · 7 comments
Open

Issue in debian package systemd startup script: Failed to apply ambient capabilities (before UID change): Operation not permitted #1605

markboots opened this issue Feb 5, 2023 · 7 comments

Comments

@markboots
Copy link

We're using the Debian packages at https://dfx.at/rtpengine/

Using the default systemd startup script, rtpengine-daemon fails to start:

root@ip-...:/home/admin# systemctl status rtpengine-daemon.service
● rtpengine-daemon.service - NGCP RTP/media Proxy Daemon
   Loaded: loaded (/lib/systemd/system/rtpengine-daemon.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2023-02-05 03:57:16 UTC; 4min 56s ago
  Process: 906 ExecStartPre=/usr/sbin/rtpengine-iptables-setup start (code=exited, status=0/SUCCESS)
  Process: 925 ExecStart=/usr/bin/rtpengine -f -E --no-log-timestamps --pidfile /run/rtpengine/rtpengine-daemon.pid --config-file /etc/rtpengine/rtpengine.conf (code=exited, status=218/CAPABILITIES)
  Process: 927 ExecStopPost=/usr/sbin/rtpengine-iptables-setup stop (code=exited, status=0/SUCCESS)
 Main PID: 925 (code=exited, status=218/CAPABILITIES)

Feb 05 03:57:16 ip-172-31-255-254 systemd[1]: Starting NGCP RTP/media Proxy Daemon...
Feb 05 03:57:16 ip-172-31-255-254 rtpengine-iptables-setup[906]: modprobing...
Feb 05 03:57:16 ip-172-31-255-254 rtpengine-iptables-setup[906]: adding iptables rules
Feb 05 03:57:16 ip-172-31-255-254 systemd[925]: rtpengine-daemon.service: Failed to apply ambient capabilities (before UID change): Operation not permitted
Feb 05 03:57:16 ip-172-31-255-254 systemd[925]: rtpengine-daemon.service: Failed at step CAPABILITIES spawning /usr/bin/rtpengine: Operation not permitted
Feb 05 03:57:16 ip-172-31-255-254 systemd[1]: rtpengine-daemon.service: Main process exited, code=exited, status=218/CAPABILITIES
Feb 05 03:57:16 ip-172-31-255-254 systemd[1]: rtpengine-daemon.service: Failed with result 'exit-code'.
Feb 05 03:57:16 ip-172-31-255-254 systemd[1]: Failed to start NGCP RTP/media Proxy Daemon.

We resolved this by commenting out the following Ambient Capabilities in /lib/systemd/system/rtpengine-daemon.service:

# Service process does not receive ambient capabilities
# NOTE: we need caps for running as non-root user
#--removed--: AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE

Contrary to the NOTE, this change succeeds at launching successfully, running as the non-root rtpengine user.
@rfuchs
Copy link
Member

rfuchs commented Feb 5, 2023

What kind of kernel and environment was this under?

@markboots
Copy link
Author

This is on Debian Buster, kernel 4.19.0-23-cloud-amd64, using the Debian AWS AMI.

@rfuchs
Copy link
Member

rfuchs commented Feb 5, 2023

Could be the cloud/AWS kernel not allowing CAP_NET_ADMIN then

@markboots
Copy link
Author

Is there anything in rtpengine that will fail without having CAP_NET_ADMIN? If the daemon launches are we good to go, or could there be runtime failures later?

@markboots
Copy link
Author

(Note: It looks like this is only a Debian buster issue; the default systemd scripts worked fine on Debian bullseye, 5.10.0-20-cloud-amd64.)

@rfuchs
Copy link
Member

rfuchs commented Feb 6, 2023

CAP_NET_ADMIN is needed for managing the iptables rules if that feature is enabled (see iptables-chain option, which is unrelated to the kernel module). I don't think it's needed for anything else.

And we've been using this on both bullseye and buster with the stock kernels just fine, so this is probably something specific to that cloud kernel.

@hb9eue hb9eue mentioned this issue Feb 24, 2023
Open
@ddamw
Copy link

ddamw commented Mar 16, 2023

I had the same problem as @markboots on a plain Debian Buster installation and I can confirm that commenting out AmbientCapabilities in the systemd service file works.

However, I was not pleased by the solution and experimented some more and found that I could keep AmbientCapabilities enabled if I commented out CapabilityBoundingSet=(empty here) at line 59 of the systemd file (https://github.com/sipwise/rtpengine/blob/master/debian/ngcp-rtpengine-daemon.service) or at least setting CapabilityBoundingSet to anything but an empty set, such as the example on line 65 of the same file.

So for me this works:

#CapabilityBoundingSet=
AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE

as well as

CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_FOWNER CAP_NET_ADMIN CAP_SYS_NICE
AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE

but this doesn't:

CapabilityBoundingSet=
AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@markboots @rfuchs @ddamw