Open eriksjolund opened 2 hours ago
I don't think we can remove any capabilities like that. Socket activation is still an opt-in feature that users have to use in their configs. I don't envision that changing either. If you don't want the capability set, you can set overrides for your systemd config: https://caddyserver.com/docs/running#overrides
Overriding the systemd config is fine with me. Should I close this issue?
Now that Caddy supports socket activation adjust the systemd service examples
init/caddy.service init/caddy-api.service
to make use of a socket unit.
I haven't verified this but I'm speculating that we could remove the line
https://github.com/caddyserver/dist/blob/34f51d87d16c3da70156edffdf7c52a6916f48e6/init/caddy.service#L32
CAP_NET_ADMIN
was added inThere is a systemd directive
ReceiveBuffer
that looks useful:https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html#ReceiveBuffer=
(I don't know if the systemd directive
ReceiveBuffer=
would provide enough functionality to justify the removal ofCAP_NET_ADMIN
)