doc: add comment to systemd's NetworkManager.service about ibft requiring CAP_SYS_ADMIN

We don't want to enable this upstream, but make the requirement more discoverable by documenting it and put a comment to NetworkManager.service. https://bugzilla.redhat.com/show_bug.cgi?id=1371201 (cherry picked from commit 9aee7b493e)
2026-01-10 16:20:15 +01:00 · 2016-09-02 13:35:00 +02:00 · 2016-09-02 13:35:00 +02:00 · c66cbe9375
commit c66cbe9375
parent 4f125532fe
2 changed files with 7 additions and 0 deletions
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -15,6 +15,10 @@ Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+
+# ibft settings plugin calls iscsiadm which needs CAP_SYS_ADMIN
+#CapabilityBoundingSet=CAP_SYS_ADMIN
+
 ProtectSystem=true
 ProtectHome=read-only

--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -1058,6 +1058,9 @@ enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
            You can also explicitly specify <literal>ibft</literal> to load the
            plugin without <literal>ifcfg-rh</literal> or to change the plugin order.
          </para>
+          <para>
+            Note that ibft plugin uses /sbin/iscsiadm and thus requires CAP_SYS_ADMIN capability.
+          </para>
        </listitem>
      </varlistentry>