systemd: add CAP_NET_ADMIN capability for ipset

2025-02-23 09:25:41 +08:00 · 2017-08-28 23:14:52 +08:00 · 2017-08-28 23:14:52 +08:00 · 9d9fe7bfd8
commit 9d9fe7bfd8
parent 4729fc57f3
1 changed files with 4 additions and 2 deletions
--- a/systemd/glider@.service
+++ b/systemd/glider@.service
@ -11,8 +11,10 @@ Restart=always
 ExecStart=/usr/bin/glider -config /etc/glider/%i.conf

 # work with systemd v229 or later, so glider can listen on port below 1024 with none-root user
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+# CAP_NET_ADMIN: ipset
+# CAP_NET_BIND_SERVICE: bind ports under 1024
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=true

 [Install]