Setcap canceled after package upgrade in CentOS 7


(Federico Bruni) #1

CentOS comes with systemd version 219, which does not support the AmbientCapabilities=CAP_NET_BIND_SERVICE option. As a result, I must use setcap to allow binding to port 80.

The problem is that after an upgrade of the caddy package the option set by setcap is removed, as a new binary is installed. When systemd tries to restart Caddy it fails.
This is particularly annoying since I’m using a cron job to upgrade the system automatically, so my websites go offline and I don’t even know it.

I guess I’ll have to disable the automatic system upgrades or at least set up a systemd service which sends me an email when the service fails to restart.
But I wonder if there’s a better solution.
Upgrading systemd is not an option. I’ll have to wait for CentOS 8 release…

Thanks in advance for any hint


(Matthew Fay) #2

I’ve only got two thoughts:

  1. Call setcap from your upgrade cron, OR
  2. Install a stable TCP proxy, and run Caddy with -http-port 8080 -https-port 8443 or similar
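Option 1 above as a worked script. This is an added example, not code from either poster or from the Caddy project. The reason the capability disappears is that setcap stores it in the security.capability extended attribute of the file itself; when the package manager replaces the binary, the new file has no such attribute, and the unit (which runs as an unprivileged user) can no longer bind port 80. The script assumes the binary path /usr/local/bin/caddy and a unit named "caddy" (both overridable through environment variables); it re-checks the capability after the upgrade, re-applies it if missing, and restarts the unit if it died in the meantime.

```shell
#!/bin/sh
# Added example for the thread above: cron wrapper for CentOS 7 that runs the
# automatic upgrade and then re-applies CAP_NET_BIND_SERVICE to the Caddy
# binary when the package replaced it. Paths and unit name are assumptions.
set -u

CADDY_BIN="${CADDY_BIN:-/usr/local/bin/caddy}"   # assumption: install path of caddy
CADDY_UNIT="${CADDY_UNIT:-caddy}"                 # assumption: systemd unit name
LOG_TAG="caddy-upgrade"

# cap_line_has_bind <one line of getcap output>
# Returns 0 when the line grants cap_net_bind_service in the effective and
# permitted sets. Both libcap output styles are accepted:
#   older libcap (CentOS 7): /usr/local/bin/caddy = cap_net_bind_service+ep
#   newer libcap:            /usr/local/bin/caddy cap_net_bind_service=ep
# "+eip" (inheritable set too) is accepted as well; "+p" alone is not enough.
cap_line_has_bind() {
    case "$1" in
        *cap_net_bind_service[+=]ep*)  return 0 ;;
        *cap_net_bind_service[+=]eip*) return 0 ;;
        *)                             return 1 ;;
    esac
}

# caddy_cap_missing: 0 (true) when the binary lacks the capability or getcap
# cannot read it (e.g. file replaced by a fresh copy without the xattr).
caddy_cap_missing() {
    out=$(getcap "$CADDY_BIN" 2>/dev/null) || out=""
    ! cap_line_has_bind "${out:-}"
}

# ensure_caddy_cap: re-apply the capability if needed and make sure the unit
# is running again. setcap needs a filesystem with xattr support, which the
# default XFS/ext4 installs have.
ensure_caddy_cap() {
    if caddy_cap_missing; then
        setcap 'cap_net_bind_service=+ep' "$CADDY_BIN" || {
            logger -t "$LOG_TAG" "setcap failed on $CADDY_BIN"
            return 1
        }
        logger -t "$LOG_TAG" "re-applied cap_net_bind_service to $CADDY_BIN"
    fi
    # The package upgrade may already have tried a restart and failed; if the
    # unit is not active now, start it once the capability is back in place.
    if ! systemctl is-active --quiet "$CADDY_UNIT"; then
        systemctl restart "$CADDY_UNIT" || {
            logger -t "$LOG_TAG" "restart of $CADDY_UNIT failed"
            return 1
        }
    fi
    return 0
}

# Only perform the real upgrade when invoked as: caddy-upgrade.sh run
# (e.g. from /etc/cron.daily). Sourcing the file without "run" just defines
# the functions, which keeps it testable without touching the system.
if [ "${1:-}" = "run" ]; then
    yum -y update || logger -t "$LOG_TAG" "yum update returned non-zero"
    ensure_caddy_cap
fi
```

Run it from cron in place of the plain "yum -y update" job, e.g. `/usr/local/sbin/caddy-upgrade.sh run`. Two caveats: getcap's output format changed between libcap releases, which is why the check matches both spellings, and the capability has to be re-applied every time the binary file is replaced, so this does not help if something other than the cron job (a manual yum run, for instance) upgrades the package. Once systemd is recent enough to honour AmbientCapabilities (it was added in systemd 229), that directive is the cleaner fix because it lives in the unit file and survives binary replacement.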