Installation went flawlessly and test runs were also successful launching the caddy binary from the command line. This became a bit more complicated when I tried to run caddy as a systemd service using the caddy.service file available on github.
The service would no launch and the logs showed:
Jan 02 15:13:17 raspberrypi systemd[1]: Started Caddy HTTP/2 web server.
Jan 02 15:13:17 raspberrypi caddy[1378]: Activating privacy features… done.
Jan 02 15:13:17 raspberrypi caddy[1378]: 2018/01/02 15:13:17 listen tcp :80: bind: permission denied
Jan 02 15:13:17 raspberrypi systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Jan 02 15:13:17 raspberrypi systemd[1]: caddy.service: Unit entered failed state.
Jan 02 15:13:17 raspberrypi systemd[1]: caddy.service: Failed with result ‘exit-code’.
setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy was done as per the caddy systemd howto
After a bit of fiddling into the caddy.service file I found that the culprit was this line:
; Use a minimal /dev
PrivateDevices=true
Running fine without it. Any idea why? Does that line have anything to do with the bind-to-port problem?
And, BTW, thanks to the devs for Caddy. I am a fan of golang and love using it as a web server.
Note that PrivateDevices=yes should not be used for:
Services that actually require physical device access
Services which may be used to execute arbitrary user or administrator supplied programs (such as cron, …). We shouldn’t limit what people can do with these services.
This option creates a new file system namespace where mount/umount propagation is turned off back into the host. This means that mounts made by the service will stay private to the service. Thus this option should not be used by services which shall be able to establish mounts in the host.
I really want to keep the Caddy repo as free from system admin-related issues as much as possible, and keep it focused on Caddy itself. But we can make changes to the dist/init files for the better in the meantime; just submit a pull request.
Yes, it works without any error message with that systemd directive . Thanks. But it works also without the PrivateDevices=true directive. I don’t know which solution is better:
Up to you if you think hiding disks and other devices from Caddy is a reasonable security measure. Personally I don’t think it’s necessary, given that Caddy is open source and doesn’t interact directly with your devices anyway.