These are chat archives for Exa-Networks/exabgp

13th
Feb 2018
Jake
@JakeDEvans
Feb 13 2018 17:01
anyone know why exabgp must start as root and can't start + run as a service account?
Thomas Mangin
@thomas-mangin
Feb 13 2018 17:01
To bind to port 179 you need root or the right capability
If you do not use port 179 - we do not really need root
Jake
@JakeDEvans
Feb 13 2018 17:01
ss -alpn doesn't show port 179 bound
```
acl = false
bind = ''
delay = 0
once = false
port = 179
```
I'm getting reactor | set the environmemnt value exabgp.daemon.user to change the unprivileged use when I try to start it
Thomas Mangin
@thomas-mangin
Feb 13 2018 17:04
If you do not want to accept incoming connection change the 179 to 1790 and it should then be fine
Jake
@JakeDEvans
Feb 13 2018 17:05
same error
Thomas Mangin
@thomas-mangin
Feb 13 2018 17:05
without having the output of the program …
Jake
@JakeDEvans
Feb 13 2018 17:05
```
Feb 13 12:05:00 l-uat101 exabgp[14320]: 12:05:00 | 14320 | reactor | could not drop privileges to 'exabgp' refusing to run as root
Feb 13 12:05:00 l-uat101 exabgp[14320]: 12:05:00 | 14320 | reactor | set the environmemnt value exabgp.daemon.user to change the unprivileged user
Feb 13 12:05:00 l-uat101 exabgp: 12:05:00 | 14320 | reactor | could not drop privileges to 'exabgp' refusing to run as root
Feb 13 12:05:00 l-uat101 exabgp: 12:05:00 | 14320 | reactor | set the environmemnt value exabgp.daemon.user to change the unprivileged user
```
Thomas Mangin
@thomas-mangin
Feb 13 2018 17:05
you probably want the user to be "nobody"
Jake
@JakeDEvans
Feb 13 2018 17:06

```
cat /usr/lib/systemd/system/exabgp.service
[Unit]
Description=The BGP swiss army knife of networking
After=network-online.target

[Service]
Type=simple
User=exabgp
Group=exabgp
ExecStart=/usr/bin/exabgp -e /etc/exabgp/exabgp.env /etc/exabgp/exabgp.conf
Restart=on-failure
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=exabgp

EnvironmentFile=-/etc/sysconfig/exabgp

[Install]
WantedBy=multi-user.target
```

had to set service group I guess.

TIL

Jake
@JakeDEvans
Feb 13 2018 17:13
thanks @thomas-mangin got it working, I do not want nobody because nobody can't sudo ip, so I created a service account and sudoers policy.
Thomas Mangin
@thomas-mangin
Feb 13 2018 17:15
:-)
Jake
@JakeDEvans
Feb 13 2018 17:17
making user and group the exabgp service account, and changing drop = false was all I needed, changing bgp port had no effect since I'm not binding that port.
Thomas Mangin
@thomas-mangin
Feb 13 2018 17:19
Thanks - I had forgotten
Mark Felder
@feld
Feb 13 2018 18:33
@thomas-mangin definitely using exabgp for iBGP here
we have it in a lot of places, but noticed in this specific environment it's not handling local-preference properly. confused about why that is.
Mark Felder
@feld
Feb 13 2018 18:52
never mind, I have this figured out now. User error. :)
thanks for the great software, all
Thomas Mangin
@thomas-mangin
Feb 13 2018 18:52
:-) sorry did not see the message before - I was commuting