acassen / keepalived

Keepalived
https://www.keepalived.org
GNU General Public License v2.0

vrrp : segfault running keepalived 2.0.19 as non-root user #2009

Closed SLoeuillet closed 3 years ago

SLoeuillet commented 3 years ago

Describe the bug

On Ubuntu 20.04, using keepalived 2.0.19 from distribution but with custom .services file to run as a dynamic user, with CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW

keepalived_vrrp segfaults in a loop, until end of time

To Reproduce

Start the service, wait 4 seconds max. Crashes even if second node keepalived is not started

Expected behavior

Having keepalived working as non-root user or at least telling me what it wants instead of crashing.

Keepalived version

Keepalived v2.0.19 (10/19,2019)

Copyright(C) 2001-2019 Alexandre Cassen, <acassen@gmail.com>

Built with kernel headers for Linux 5.4.18
Running on Linux 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021

configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-kernel-dir=debian/ --enable-snmp --enable-sha1 --enable-snmp-rfcv2 --enable-snmp-rfcv3 --enable-dbus --enable-json --enable-bfd --enable-regex build_alias=x86_64-linux-gnu CFLAGS=-g -O2 -fdebug-prefix-map=/build/keepalived-sJIe_4/keepalived-2.0.19=. -fstack-protector-strong -Wformat -Werror=format-security LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2

Config options:  NFTABLES LVS REGEX VRRP VRRP_AUTH JSON BFD OLD_CHKSUM_COMPAT FIB_ROUTING SNMP_V3_FOR_V2 SNMP_VRRP SNMP_CHECKER SNMP_RFCV2 SNMP_RFCV3 DBUS

System options:  PIPE2 SIGNALFD INOTIFY_INIT1 VSYSLOG EPOLL_CREATE1 IPV4_DEVCONF IPV6_ADVANCED_API LIBNL3 RTA_ENCAP RTA_EXPIRES RTA_NEWDST RTA_PREF FRA_SUPPRESS_PREFIXLEN FRA_SUPPRESS_IFGROUP FRA_TUN_ID RTAX_CC_ALGO RTAX_QUICKACK RTEXT_FILTER_SKIP_STATS FRA_L3MDEV FRA_UID_RANGE RTAX_FASTOPEN_NO_COOKIE RTA_VIA FRA_OIFNAME FRA_PROTOCOL FRA_IP_PROTO FRA_SPORT_RANGE FRA_DPORT_RANGE RTA_TTL_PROPAGATE IFA_FLAGS IP_MULTICAST_ALL LWTUNNEL_ENCAP_MPLS LWTUNNEL_ENCAP_ILA NET_LINUX_IF_H_COLLISION LIBIPVS_NETLINK IPVS_DEST_ATTR_ADDR_FAMILY IPVS_SYNCD_ATTRIBUTES IPVS_64BIT_STATS IPVS_TUN_TYPE IPVS_TUN_CSUM IPVS_TUN_GRE VRRP_VMAC VRRP_IPVLAN IFLA_LINK_NETNSID CN_PROC SOCK_NONBLOCK SOCK_CLOEXEC O_PATH GLOB_BRACE INET6_ADDR_GEN_MODE VRF SO_MARK SCHED_RT SCHED_RESET_ON_FORK

Distro (please complete the following information):

Details of any containerisation or hosted service (e.g. AWS)

Running on an OpenStack VM on OVH

Configuration file:

global_defs {
  router_id gobgp00.bgp.ovh.int.kaiko.com
  no_email_faults
  no_checker_emails
  vrrp_no_swap
  bfd_no_swap
}

bfd_instance BFD1 {
    neighbor_ip 10.170.1.187
    source_ip 10.170.1.186
    weight 1
}

vrrp_instance VI_1 {
  advert_int 1

  authentication {
    auth_type PASS
    auth_pass *****************************************************REDACTED******************************************
  }

  interface ens3
  priority 1
  state BACKUP

  unicast_peer {
    10.170.1.187
  }

  unicast_src_ip 10.170.1.186

  virtual_ipaddress {
    10.170.3.44/32 dev ens3 label ens3:0
  }

  virtual_router_id 121

  track_bfd {
    BFD1
  }
}

Notify and track scripts

If any notify or track scripts are in use, please provide copies of them

System Log entries

Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived_vrrp[3233977]: (VI_1) Entering MASTER STATE
Oct 12 07:58:37 gobgpd00-bgp-ovh kernel: keepalived[3233977]: segfault at 0 ip 0000628e23b1ff4b sp 00007ffed64e8aa0 error 6 in keepalived[628e23ae3000+70000]
Oct 12 07:58:37 gobgpd00-bgp-ovh kernel: Code: 00 4c 8d 77 62 0f 84 f4 01 00 00 48 83 fa 06 b8 06 00 00 00 48 0f 47 d0 89 d6 85 d2 74 14 31 c0 89 c2 83 c0 01 41 0f b6 0c 16 <41> 88 0c 14 39 f0 72 ee 48 83 bd 88 00 00 00 06 b8 06 00 00 00 49
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]: Keepalived_vrrp exited due to segmentation fault (SIGSEGV).
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   Please report a bug at https://github.com/acassen/keepalived/issues
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   and include this log from when keepalived started, a description
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   of what happened before the crash, your configuration file and the details below.
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   Also provide the output of keepalived -v, what Linux distro and version
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   you are running on, and whether keepalived is being run in a container or VM.
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   A failure to provide all this information may mean the crash cannot be investigated.
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   If you are able to provide a stack backtrace with gdb that would really help.
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   Source version 2.0.19
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   Built with kernel headers for Linux 5.4.18
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   Running on Linux 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   Command line: '/usr/sbin/keepalived' '--dont-fork' '--pid=/var/run/keepalived/keepalived.pid'
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                 '--vrrp_pid=/var/run/keepalived/vrrp.pid'
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                 '--checkers_pid=/var/run/keepalived/keepalived_checkers.pid'
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                 '--bfd_pid=/var/run/keepalived/keepalived_bfd.pid'
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      --with-kernel-dir=debian/ --enable-snmp --enable-sha1 --enable-snmp-rfcv2ulimit -S -c unlimited

Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      --enable-snmp-rfcv3 --enable-dbus --enable-json --enable-bfd --enable-regex
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      build_alias=x86_64-linux-gnu CFLAGS=-g -O2
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      -fdebug-prefix-map=/build/keepalived-sJIe_4/keepalived-2.0.19=.
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      -fstack-protector-strong -Wformat -Werror=format-security
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro CPPFLAGS=-Wdate-time
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                      -D_FORTIFY_SOURCE=2
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   Config options: NFTABLES LVS REGEX VRRP VRRP_AUTH JSON BFD OLD_CHKSUM_COMPAT FIB_ROUTING
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   SNMP_V3_FOR_V2 SNMP_VRRP SNMP_CHECKER SNMP_RFCV2 SNMP_RFCV3 DBUS
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:   System options: PIPE2 SIGNALFD INOTIFY_INIT1 VSYSLOG EPOLL_CREATE1 IPV4_DEVCONF IPV6_ADVANCED_API
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   LIBNL3 RTA_ENCAP RTA_EXPIRES RTA_NEWDST RTA_PREF FRA_SUPPRESS_PREFIXLEN
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   FRA_SUPPRESS_IFGROUP FRA_TUN_ID RTAX_CC_ALGO RTAX_QUICKACK RTEXT_FILTER_SKIP_STATS
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   FRA_L3MDEV FRA_UID_RANGE RTAX_FASTOPEN_NO_COOKIE RTA_VIA FRA_OIFNAME FRA_PROTOCOL
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   FRA_IP_PROTO FRA_SPORT_RANGE FRA_DPORT_RANGE RTA_TTL_PROPAGATE IFA_FLAGS
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   IP_MULTICAST_ALL LWTUNNEL_ENCAP_MPLS LWTUNNEL_ENCAP_ILA NET_LINUX_IF_H_COLLISION
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   LIBIPVS_NETLINK IPVS_DEST_ATTR_ADDR_FAMILY IPVS_SYNCD_ATTRIBUTES IPVS_64BIT_STATS
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   IPVS_TUN_TYPE IPVS_TUN_CSUM IPVS_TUN_GRE VRRP_VMAC VRRP_IPVLAN IFLA_LINK_NETNSID
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   CN_PROC SOCK_NONBLOCK SOCK_CLOEXEC O_PATH GLOB_BRACE INET6_ADDR_GEN_MODE VRF SO_MARK
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]:                   SCHED_RT SCHED_RESET_ON_FORK
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]: VRRP child process(3233977) died: Respawning
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived[2903616]: Starting VRRP child process, pid=3234012
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived_vrrp[3234012]: Registering Kernel netlink reflector
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived_vrrp[3234012]: Registering Kernel netlink command channel
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived_vrrp[3234012]: Opening file '/etc/keepalived/keepalived.conf'.
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived_vrrp[3234012]: Error 97 while registering gratuitous ARP shared channel
Oct 12 07:58:37 gobgpd00-bgp-ovh Keepalived_vrrp[3234012]: (VI_1) Entering BACKUP STATE (init)

Oct 12 07:58:41 gobgpd00-bgp-ovh Keepalived_vrrp[3234012]: (VI_1) Entering MASTER STATE
Oct 12 07:58:41 gobgpd00-bgp-ovh kernel: keepalived[3234012]: segfault at 0 ip 0000628e23b1ff4b sp 00007ffed64e8aa0 error 6 in keepalived[628e23ae3000+70000]
Oct 12 07:58:41 gobgpd00-bgp-ovh kernel: Code: 00 4c 8d 77 62 0f 84 f4 01 00 00 48 83 fa 06 b8 06 00 00 00 48 0f 47 d0 89 d6 85 d2 74 14 31 c0 89 c2 83 c0 01 41 0f b6 0c 16 <41> 88 0c 14 39 f0 72 ee 48 83 bd 88 00 00 00 06 b8 06 00 00 00 49
Oct 12 07:58:41 gobgpd00-bgp-ovh Keepalived[2903616]: Keepalived_vrrp exited due to segmentation fault (SIGSEGV).

Did keepalived coredump?

If so, can you please provide a stacktrace from the coredump, using gdb.

Additional context

Startup script

[Unit]
After=network-online.target
Requires=network-online.target
StartLimitBurst=3
StartLimitIntervalSec=10

[Service]
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_RAW
CacheDirectory=%N
CacheDirectoryMode=0750
CapabilityBoundingSet=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_RAW
ConfigurationDirectory=%N
ConfigurationDirectoryMode=0750
CPUSchedulingPolicy=rr
DeviceAllow=/dev/null
DevicePolicy=strict
DynamicUser=yes
EnvironmentFile=/etc/default/%N
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/sbin/keepalived --dont-fork $DAEMON_ARGS --pid=/var/run/keepalived/keepalived.pid --vrrp_pid=/var/run/keepalived/vrrp.pid --checkers_pid=/var/run/keepalived/keepalived_checkers.pid --bfd_pid=/var/run/keepalived/keepalived_bfd.pid
IOSchedulingClass=realtime
KillMode=control-group
KillSignal=SIGINT
LimitCORE=infinity
LimitMEMLOCK=infinity
LimitNOFILE=500000
LockPersonality=yes
LogsDirectory=%N
LogsDirectoryMode=0750
NoNewPrivileges=yes
OOMScoreAdjust=-500
PermissionsStartOnly=false
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RemoveIPC=yes
Restart=always
RestartSec=5
RestrictAddressFamilies=AF_INET AF_NETLINK AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RuntimeDirectory=%N
RuntimeDirectoryMode=0750
SystemCallArchitectures=native
UMask=0007
User=_%N
Group=%N
StateDirectory=%N
StateDirectoryMode=0750
TimeoutStopSec=30

[Install]
WantedBy=multi-user.target

SLoeuillet commented 3 years ago

Forget it : missing AF_PACKET in RestrictAddressFamilies

Could be cool to provide that kind of config file as other people could be interested in running keepalived as non root/dyn user

pqarmitage commented 3 years ago

I would be happy to include the above config file, but we would need to test that all of keepalived's functionality can work as a non-root user, and keepalived does rather a lot of things that normally require root privileges. I note for example that you do not have any IPVS configuration; would that require any other capabilities?

Does RestrictAddressFamilies also require AF_INET6?

I'll test your setup with a fairly complete configuration and see what I find, but I may need some help with changing the configuration if some things don't work, since I am no great expert in systemd configuration.

SLoeuillet commented 3 years ago

Well, instead of giving a full .services file that won't cover everything or that would be so large that it would mean root in disguise, perhaps a way to document that VRRP needs AF_RAW & AF_PACKET + CAP_NET_RAW and same for each sub-daemon/functionality ?

SLoeuillet commented 3 years ago

and of course, if IPv6, AF_INET6, ...

SLoeuillet commented 3 years ago

Anyway my main problem here is that it segfaults with no way to catch the root cause

pqarmitage commented 3 years ago

I have run your configuration on Ubuntu 21.04, with the systemd service file above, adding AF_PACKET as you identified, and also adding AF_INET6 because the BFD process uses AF_INET6 sockets regardless of whether it is actually using IPv4 or IPv6.

I am not getting any error and keepalived is successfully running. Both VRRP and BFD are successfully communicating with another physical machine.

SLoeuillet commented 3 years ago

Oh, I suppose that's why I had the error 97 with BFD, because of missing AF_INET6.
I did ignore it, but good to know that BFD wants to bind to ::
I suppose we can't disable IPv6 at kernel boot so? (ipv6.disable=1 in /etc/default/grub GRUB_CMDLINE_LINUX)

SLoeuillet commented 3 years ago

Even with AF_INET6 I still have those in the log :+1:

Oct 12 13:53:59 gobgpd00-bgp-ovh Keepalived[3383751]: Starting BFD child process, pid=3383758
Oct 12 13:53:59 gobgpd00-bgp-ovh Keepalived_bfd[3383758]: Opening file '/etc/keepalived/keepalived.conf'.
Oct 12 13:53:59 gobgpd00-bgp-ovh Keepalived_bfd[3383758]: socket() error 97 (Address family not supported by protocol)
Oct 12 13:53:59 gobgpd00-bgp-ovh Keepalived_bfd[3383758]: scheduler: Error performing control on EPOLL instance (Bad file descriptor)
Oct 12 13:53:59 gobgpd00-bgp-ovh Keepalived_bfd[3383758]: scheduler: Cant register read event for fd [-1](Bad file descriptor)

SLoeuillet commented 3 years ago

Confirmed. Needed to re-enable IPv6 in kernel boot params to have BFD working well

Oct 12 13:58:21 gobgpd01-bgp-ovh Keepalived[905]: Starting BFD child process, pid=914
Oct 12 13:58:21 gobgpd01-bgp-ovh Keepalived_bfd[914]: Opening file '/etc/keepalived/keepalived.conf'.
Oct 12 13:58:25 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Detection time is 5000 ms (was 0 ms)
Oct 12 13:58:26 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Detection time is 50 ms (was 5000 ms)
Oct 12 13:58:26 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Entering Up state
Oct 12 13:58:26 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Expired after 50 ms (24 usec overdue)
Oct 12 13:58:26 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Entering Down state (Local diagnostic - Control Detection Time Expired, Remote diagnostic - No Diagnostic)
Oct 12 13:58:27 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Detection time is 5000 ms (was 50 ms)
Oct 12 13:58:27 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Entering Up state
Oct 12 13:58:27 gobgpd01-bgp-ovh Keepalived_bfd[914]: BFD_Instance(BFD1) Detection time is 50 ms (was 5000 ms)

pqarmitage commented 3 years ago

I have discovered that editing /etc/apport/crashdb.conf to comment out the line 'problem_types': ['Bug', 'Package'], means that crash dump information is saved to /var/crash. Using that I have identified and resolved the segfault in the VRRP process that I expect is what you have been experiencing.

The BFD requirement for IPv6 was resolved in commits c1a41c3, 5a1f1e8 and d38103a a month or two ago, and so with the latest code the BFD process can now run without IPv6 if it is only using IPv4.

I have done some testing of all the features of keepalived that I can think of that might need various privileges/capabilities

To allow keepalived to load modules ip_vs (needed for IPVS configuration) and xt_set (needed for using iptables/ipset)
Add:
AmbientCapabilities=CAP_SYS_MODULE
CapabilityBoundingSet=CAP_SYS_MODULE
ProtectKernelModules=no
alternatively add a file in /usr/lib/modules-load.d with ip_vs and xt_set

To allow keepalived to adjust its realtime scheduling priority if it is not being scheduled fast enough
RestrictRealtime=no

To allow keepalived to run with standard scheduling
Add:
AmbientCapabilities=CAP_SYS_NICE
CapabilityBoundingSet=CAP_SYS_NICE
Remove:
CPUSchedulingPolicy=rr

The normal signal for stopping keepalived is SIGTERM
KillSignal=SIGTERM

Allow keepalived to set sysctl values (needed for using VMACs)
ProtectKernelTunables=no

Allow keepalived to set the UID/GID for scripts it runs
AmbientCapabilities=CAP_KILL
AmbientCapabilities=CAP_SETUID
AmbientCapabilities=CAP_SETGID
CapabilityBoundingSet=CAP_KILL
CapabilityBoundingSet=CAP_SETUID
CapabilityBoundingSet=CAP_SETGID

Allow keepalived to change owner/group of notify FIFO
AmbientCapabilities=CAP_CHOWN
CapabilityBoundingSet=CAP_CHOWN

Allow keepalived to call setrlimit for number of open files and coredump size
AmbientCapabilities=CAP_SYS_RESOURCE
CapabilityBoundingSet=CAP_SYS_RESOURCE

I haven't been able to get SNMP working with keepalived when running as a non-root user, so any help with that would be appreciated.

I think what we should do is add a keepalived-non-root.service file with appropriate comments relating to what each capability is needed for, so that people can customise the service file according to the needs of their particular configuration. I would like the default to include everything, to avoid issue reports being raised because people haven't enabled certain capabilities. @SLoeuillet what do you think?

It might be that we can add functionality to drop capabilities with keepalived for capabilities that are not required, based on the actual keepalived configuration in use.

There are some other issues relating to keepalived executing scripts (vrrp notify, notify_fifo_scripts, vrrp track scripts and CHECK_MISC checker scripts). keepalived is currently written assuming that it is running as root, and the code for handling scripts, especially if the user/group for running the scripts are specified, will not work. I am currently working on a patch for this.
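One way to check a unit file against the per-feature requirements collected in this thread, as an added example that is not keepalived project code. The feature labels, the layout of the `REQUIREMENTS` table and the sample unit excerpt are assumptions made here, and the service is assumed to run as a non-root user, so every capability has to appear in AmbientCapabilities.

```python
# Added example (not keepalived project code). Feature labels are invented here;
# the requirements are the ones reported in this issue thread.
REQUIREMENTS = {
    "vrrp": {"families": {"AF_PACKET"}, "caps": {"CAP_NET_RAW"}},
    "bfd": {"families": {"AF_INET6"}},  # needed before the BFD fix named above
    "module_load": {"caps": {"CAP_SYS_MODULE"}, "relax": ["ProtectKernelModules"]},
    "vmac": {"relax": ["ProtectKernelTunables"]},
    "script_uid_gid": {"caps": {"CAP_KILL", "CAP_SETUID", "CAP_SETGID"}},
    "notify_fifo_chown": {"caps": {"CAP_CHOWN"}},
    "setrlimit": {"caps": {"CAP_SYS_RESOURCE"}},
    "rt_priority_adjust": {"relax": ["RestrictRealtime"]},
}
LIST_KEYS = {"AmbientCapabilities", "CapabilityBoundingSet", "RestrictAddressFamilies"}
TRUE = {"yes", "true", "on", "1"}

def parse_service(text):
    """Return (list directives, scalar directives) from the [Service] section."""
    lists, scalars, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key not in LIST_KEYS:
                scalars[key] = value
            elif value.startswith("~"):
                raise ValueError(f"inverted list not handled: {line}")
            else:  # repeated directives accumulate; an empty value resets
                old = lists.get(key, set()) if value else set()
                lists[key] = old | set(value.split())
    return lists, scalars

def lint(unit_text, features):
    """List the changes the unit needs for the given keepalived features."""
    lists, scalars = parse_service(unit_text)
    findings = []
    for feature in features:
        need = REQUIREMENTS[feature]
        for key, kind in (("RestrictAddressFamilies", "families"),
                          ("AmbientCapabilities", "caps"),
                          ("CapabilityBoundingSet", "caps")):
            if key not in lists and key != "AmbientCapabilities":
                continue  # an unset allow-list restricts nothing
            for item in sorted(need.get(kind, set()) - lists.get(key, set())):
                findings.append(f"{feature}: add {item} to {key}")
        for key in need.get("relax", []):
            if scalars.get(key, "no").lower() in TRUE:
                findings.append(f"{feature}: set {key}=no")
    return findings

# Constructed, condensed excerpt of the reporter's unit file from this issue.
UNIT = """[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_INET AF_NETLINK AF_UNIX
"""
```

Calling `lint(UNIT, ["vrrp", "bfd"])` on the excerpt reports the two address families this issue ran into, AF_PACKET and AF_INET6, as missing from RestrictAddressFamilies.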

SLoeuillet commented 3 years ago

Good to know it has been fixed upstream.
Didn't try master, only 2.0.19 from ubuntu focal distro.
Feel free to close or keep it open regarding Capabilities & co needed for each component (doc)

SLoeuillet commented 3 years ago

Yeah, providing a full non-root .services file could be good.
People would be able to remove unneeded CAPs at will instead of adding them as guess-work from root one

pqarmitage commented 3 years ago

Commit 557f4e3 adds keepalived-non-root.service.in which produces keepalived-non-root.service when make is run. Commit 461922b resolves a segfault that you were probably experiencing.

@SLoeuillet Many thanks for all your work doing the difficult part of this.