HA Capability Configuration Description
HA runs as the low-privilege HwHiAiUser user but needs to access some resources that require higher privileges. Therefore, the HA capabilities listed in Table 10-2 need to be configured. (The HA capabilities are configured automatically during startup, so they do not need to be configured manually.)

| HA Capability | Description | Reason for Use |
|---|---|---|
| cap_net_admin | Allows performing network management tasks. | HA requires network communication between two devices. |
| cap_net_raw | Allows using raw sockets. | HA requires the creation of a socket for two-node cluster communication. |
| cap_block_suspend | Allows blocking system suspension. | In some communication scenarios, HA needs to block system suspension to prevent the system from not responding for a long time. |
| cap_dac_override | Ignores discretionary access control (DAC) restrictions on files. | HA is run by users with low permissions, but files created by users with high permissions need to be accessed during running. |
| cap_dac_read_search | Ignores DAC restrictions on file reading and directory search. | The HA file synchronization function needs to search for files in a specified directory, but the HwHiAiUser user may not have permission to access that directory, which would cause file synchronization to fail. |
| cap_sys_ptrace | Allows tracing any process. | When container-related functions are running, HA needs to communicate with the container by using the socket. |
| cap_sys_resource | Ignores resource restrictions. | When container-related functions are running, HA needs to communicate with the container by using the socket. |
| cap_chown | Allows changing file ownership. | The HA file synchronization function needs to change the owner of a file to match the owner on the active node after the file is synchronized to the standby node. |
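
Because these capabilities are set automatically, it is useful to confirm on a running device that the HA process holds exactly the set in Table 10-2 and nothing more. The following is an added example, not part of the product documentation: it decodes the capability masks in `/proc/<pid>/status` and diffs them against the table. The sample status text and the process name `ha_sample` are constructed.

```python
import re

# Capability names indexed by bit number, as defined in <linux/capability.h>.
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon
bpf checkpoint_restore""".split()

# Baseline: the eight capabilities listed in Table 10-2.
DOCUMENTED = {"cap_net_admin", "cap_net_raw", "cap_block_suspend", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_resource", "cap_chown"}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def decode(mask):
    """Turn a capability bitmask into a set of cap_* names."""
    names, bit = set(), 0
    while mask >> bit:
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.add("cap_" + CAP_NAMES[bit] if known else f"cap_unknown_{bit}")
        bit += 1
    return names


def audit(status_text, field="CapEff"):
    """Compare one capability set from /proc/<pid>/status with the baseline."""
    sets = {name: int(value, 16) for name, value in CAP_LINE.findall(status_text)}
    if field not in sets:
        raise ValueError(f"{field} not found in status text")
    held = decode(sets[field])
    # "extra" is privilege beyond the documented need; "missing" breaks an HA function.
    return {"extra": sorted(held - DOCUMENTED), "missing": sorted(DOCUMENTED - held)}


# Constructed sample (not captured from a real device): the baseline without
# cap_chown, plus cap_sys_admin, which Table 10-2 does not list.
SAMPLE_STATUS = ("Name:\tha_sample\nUid:\t1000\t1000\t1000\t1000\n"
                 "CapPrm:\t0000001001283006\nCapEff:\t0000001001283006\n")

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS))
```

Run the check against both `CapEff` and `CapPrm`: a capability that is permitted but not currently effective can still be raised by the process.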