by lunarg on September 24th 2012, at 12:24

When running dnsmasq inside a VPS on an OpenVZ server, you may get an error when starting dnsmasq (this is particularly the case on Debian):

Starting DNS forwarder and DHCP server: dnsmasq
dnsmasq: setting capabilities failed: Operation not permitted

This happens because dnsmasq does not run as root (which is a good thing): it is started as root, then tries to keep the few privileged capabilities it needs for the unprivileged dnsmasq user before switching from root to that user. When setting these capabilities fails, you get the above error.

The usual reason for the failure is that either the kernel lacks the required features or, in the case of OpenVZ, the capabilities are not granted to the VPS. The latter is easily fixed by enabling them in the VPS config.

To fix it, grant the necessary capabilities in the VPS config by running these commands on the OpenVZ host:

vzctl set CTID --capability setuid:on --save
vzctl set CTID --capability net_admin:on --save
vzctl set CTID --capability net_raw:on --save

Replace CTID with the ID of the VPS you're editing.

Note that you will have to restart the VPS for the changes to take effect. When done right, dnsmasq will start properly.
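As an added example (not part of the original post, nor dnsmasq's or OpenVZ's own code), a POSIX sh script that checks from inside the VPS whether the three capabilities above are present in the process capability bounding set, read from the CapBnd line of /proc/self/status. It assumes the host-side vzctl setting is reflected in that bounding set; the status text it runs on here is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): from inside the VPS, check whether
# the capabilities dnsmasq needs are in the process bounding set (CapBnd in
# /proc/self/status). Assumes the host-side vzctl setting is reflected there.
# Bit numbers are the kernel's (include/uapi/linux/capability.h).
CAP_SETUID=7
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_in_mask HEXMASK BIT: succeeds when BIT is set in the hex mask
cap_in_mask() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# bounding_set_from_status TEXT: prints the CapBnd value found in status text
bounding_set_from_status() {
    printf '%s\n' "$1" | while read -r key value; do
        if [ "$key" = "CapBnd:" ]; then
            printf '%s\n' "$value"
            break
        fi
    done
}

# check_dnsmasq_caps HEXMASK: prints each missing capability name on its own
# line; succeeds only when setuid, net_admin and net_raw are all present
check_dnsmasq_caps() {
    n_missing=0
    for entry in "setuid:$CAP_SETUID" "net_admin:$CAP_NET_ADMIN" "net_raw:$CAP_NET_RAW"; do
        if ! cap_in_mask "$1" "${entry##*:}"; then
            echo "${entry%%:*}"
            n_missing=$((n_missing + 1))
        fi
    done
    [ "$n_missing" -eq 0 ]
}

# Constructed sample of a status file from a VPS that lacks the three capabilities:
# a full set of 0000003fffffffff with bits 7, 12 and 13 cleared.
SAMPLE_STATUS_RESTRICTED='Name:   dnsmasq
Uid:    0       0       0       0
CapBnd: 0000003fffffcf7f'

# Demonstration on the sample; on a real VPS pass "$(cat /proc/self/status)" instead.
if missing=$(check_dnsmasq_caps "$(bounding_set_from_status "$SAMPLE_STATUS_RESTRICTED")"); then
    echo "capabilities dnsmasq needs are present"
else
    echo "missing, grant them on the host with vzctl --capability NAME:on: $(echo $missing)"
fi
```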

Another, but bad, solution is to run dnsmasq as root. This avoids the need to set the capabilities, but is a security risk. As there is a much better solution available (setting the capabilities in the VPS config), don't do this.