Re: setcap for the whole user
On Wed, Jun 03, 2015 at 10:39:07AM +0300, Bogdan wrote:
> Hi.
>
> I want to let a user run an application that binds to port 80 without
> using conntrack (since it is itself a bottleneck that needs tuning).
> The binary file of the application being launched will change over time.
>
> Please advise what can be done here.
Network namespaces (CLONE_NEWNET, started in Linux 2.6.24 and
largely completed by about Linux 2.6.29) provide isolation of the
system resources associated with networking. Thus, each network
namespace has its own network devices, IP addresses, IP routing tables,
/proc/net directory, port numbers, and so on.
Network namespaces make containers useful from a networking
perspective: each container can have its own (virtual) network device
and its own applications that bind to the per-namespace port number
space; suitable routing rules in the host system can direct network
packets to the network device associated with a specific container.
Thus, for example, it is possible to have multiple containerized web
servers on the same host system, with each server bound to port 80 in
its (per-container) network namespace.
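As an added example (not part of the thread; written for this page, with the helper names being assumptions), the per-namespace port space the reply describes lets an unprivileged user bind port 80 inside its own user plus network namespace, which sidesteps re-running setcap each time the binary changes; it requires Linux with unprivileged user namespaces enabled and returns None where the kernel or sandbox refuses.

```python
import ctypes
import os
import socket

# Flags from <sched.h>; CLONE_NEWNET is the flag named in the reply above.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000


def unshare_user_and_net():
    """Move this process into a fresh user namespace plus a fresh network
    namespace (hypothetical helper written for this example).

    The creator of a user namespace holds a full capability set inside it,
    including CAP_NET_BIND_SERVICE, and the new network namespace is owned by
    that user namespace, so its ports can be bound without setcap on the
    binary. Returns False on EPERM/EINVAL (user namespaces disabled).
    """
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
        return False
    # Best effort: map our real uid/gid to 0 inside the new user namespace so
    # tools run afterwards see uid 0 there; the bind below does not need this.
    uid, gid = os.getuid(), os.getgid()
    try:
        with open("/proc/self/setgroups", "w") as f:
            f.write("deny")
        with open("/proc/self/gid_map", "w") as f:
            f.write(f"0 {gid} 1")
        with open("/proc/self/uid_map", "w") as f:
            f.write(f"0 {uid} 1")
    except OSError:
        pass
    return True


def bind_port_80_in_new_netns():
    """Enter the namespaces and bind TCP port 80 in the new port space.
    Returns the bound (address, port) pair, or None if unshare was refused."""
    if not unshare_user_and_net():
        return None
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # In the initial namespace this bind needs CAP_NET_BIND_SERVICE (or
        # uid 0); inside the new namespace it succeeds for a plain user.
        sock.bind(("0.0.0.0", 80))
        sock.listen(1)
        return sock.getsockname()
    finally:
        sock.close()
```

The new namespace holds only a downed loopback device, so reaching the service from outside still needs the veth pair and host routing rules the reply mentions; `unshare -Urn` from util-linux gives the same namespaces from a shell.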